From: Mark Hatle <mark.hatle@windriver.com>
To: "zhenhua.luo@freescale.com" <zhenhua.luo@freescale.com>,
"yocto@yoctoproject.org" <yocto@yoctoproject.org>
Subject: Re: SELinux doesn't work on t4240qds
Date: Wed, 23 Jul 2014 09:37:44 -0500
Message-ID: <53CFC8B8.9090900@windriver.com>
In-Reply-To: <6f5922a626734b809df5f899dc3ae3e3@CY1PR0301MB0715.namprd03.prod.outlook.com>
On 7/22/14, 9:28 PM, zhenhua.luo@freescale.com wrote:
> Hi Mark,
>
> Thanks for your comments.
>
>> -----Original Message-----
>> From: yocto-bounces@yoctoproject.org [mailto:yocto-
>> bounces@yoctoproject.org] On Behalf Of Mark Hatle
>>
>> On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
>>> Hi all,
>>
>> Which release are you using?
> [Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux master
This makes me suspect a kernel issue. The last time I looked at meta-fsl-ppc,
it had a custom kernel (didn't use the linux-yocto kernel). It appears (based
on your original message) that all of the needed values were enabled:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux/linux-yocto/selinux.cfg
So I'm at a loss to explain the issue. The only other suggestion would be to
pass 'selinux=1' or is it 'enforce=1' on the command line and see if that starts
the system up in enforcing mode.
>> The last version I used w/ meta-selinux was the 1.5 release.
>>
>> We're planning on updating it to master in the 'near' future [patches
>> welcome!], and I've been told by a few others of success w/ 1.7.
(I meant 1.6 above BTW, since there is no 1.7 yet.)
> [Luo Zhenhua-B19537] I will try master and dora.
Try dora, it's possible there is something minor that isn't right.
>> Did you enable the 'selinux' distribution flag?
>> If so, it should have enabled all of the components necessary for this stuff to be enabled.
> [Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.
That should be what was needed. The first boot should provision the system and
reboot. After that things should be enabled and functional.
--Mark
>
> Best Regards,
>
> Zhenhua
>
>> --Mark
>>
>>> I use the meta-selinux layer to build a core-image-selinux rootfs
>>> image, and build the kernel with the following options enabled.
>>>
>>> CONFIG_AUDIT=y
>>> CONFIG_NETWORK_SECMARK=y
>>> CONFIG_EXT2_FS_SECURITY=y
>>> CONFIG_EXT3_FS_SECURITY=y
>>> CONFIG_EXT4_FS_SECURITY=y
>>> CONFIG_JFS_SECURITY=y
>>> CONFIG_REISERFS_FS_SECURITY=y
>>> CONFIG_JFFS2_FS_SECURITY=y
>>> CONFIG_SECURITY_NETWORK=y
>>> CONFIG_SECURITY_SELINUX=y
>>> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>>> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
>>> CONFIG_SECURITY_SELINUX_DISABLE=y
>>> CONFIG_SECURITY_SELINUX_DEVELOP=y
>>> CONFIG_SECURITY_SELINUX_AVC_STATS=y
>>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>>>
>>> I use the generated images to boot up the FSL PPC t4240qds board (tried
>>> both NFS boot and RAM boot with ext2.gz.u-boot rootfs); SELinux is
>>> not turned on after the kernel boots up.
>>>
>>> Following is some information from the rootfs.
>>>
>>> root@t4240qds:~# sestatus
>>> SELinux status: disabled
>>> root@t4240qds:~#
>>> root@t4240qds:~# cat /etc/selinux/config
>>> # This file controls the state of SELinux on the system.
>>> # SELINUX= can take one of these three values:
>>> # enforcing - SELinux security policy is enforced.
>>> # permissive - SELinux prints warnings instead of enforcing.
>>> # disabled - No SELinux policy is loaded.
>>> SELINUX=enforcing
>>> # SELINUXTYPE= can take one of these two values:
>>> # standard - Standard Security protection.
>>> # mls - Multi Level Security protection.
>>> SELINUXTYPE=mls
>>> root@t4240qds:~# cat /proc/cmdline
>>> root=/dev/ram rw console=ttyS0,115200 selinux=1
>>> root@t4240qds:~# setenforce 1
>>> setenforce: SELinux is disabled
>>> root@t4240qds:~# getenforce
>>> Disabled
>>> root@t4240qds:~#
>>>
>>> Can somebody shed some light on the issue?
>>>
>>> Best Regards,
>>>
>>> Zhenhua
>>>
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
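As an added diagnostic (constructed here; not code from the thread, from meta-selinux or from meta-fsl-ppc), this POSIX sh helper checks a kernel .config and command line against the options the report lists, plus the LSM selection (CONFIG_DEFAULT_SECURITY_SELINUX, or security= on the command line) that the report's list omits, and prints the runtime state a booted target is in when sestatus says "disabled". It assumes selinuxfs at /sys/fs/selinux and the policy under /etc/selinux/<SELINUXTYPE>/policy/.

```shell
#!/bin/sh
# Constructed diagnostic helper; not code from the thread or from meta-selinux.
# Checks a kernel .config and command line, then reports the live SELinux state.

# Options the report lists, plus CONFIG_SECURITY (their dependency) and
# CONFIG_DEFAULT_SECURITY_SELINUX: on a 3.x kernel only one major LSM is
# active, chosen by that option or by security= on the command line.
REQUIRED_CFG="CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_DEFAULT_SECURITY_SELINUX=y"

# Print each required option absent from the .config at $1; return 1 if any.
selinux_cfg_missing() {
    cfg="$1"; rc=0
    for opt in $REQUIRED_CFG; do
        grep -qx "$opt" "$cfg" || { echo "$opt"; rc=1; }
    done
    return $rc
}

# Return 0 if the command line in $1 lets SELinux come up: no selinux=0,
# and if a security= selector is present it must name selinux.
selinux_cmdline_ok() {
    case " $1 " in
        *" selinux=0 "*) return 1 ;;
        *" security=selinux "*) return 0 ;;
        *" security="*) return 1 ;;
    esac
    return 0
}

# Runtime view of a booted target (assumes selinuxfs at /sys/fs/selinux).
selinux_live_report() {
    grep -q ' selinuxfs ' /proc/mounts && echo "selinuxfs: mounted" \
        || echo "selinuxfs: not mounted (kernel has no SELinux, or init never mounted it)"
    [ -r /sys/fs/selinux/enforce ] && echo "enforce: $(cat /sys/fs/selinux/enforce)"
    type=$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null)
    # No binary policy for the configured type means init cannot load one;
    # with CONFIG_SECURITY_SELINUX_DISABLE=y it will then switch SELinux off.
    ls /etc/selinux/"$type"/policy/policy.* >/dev/null 2>&1 \
        && echo "policy for '$type': present" || echo "policy for '$type': MISSING"
    echo "cmdline: $(cat /proc/cmdline)"
}
```

Run `selinux_cfg_missing /path/to/.config` on the build host and `selinux_live_report` on the target; an empty first result with a "MISSING" or "not mounted" line in the second points at the rootfs or init rather than the kernel config.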