From: Mark Hatle <mark.hatle@windriver.com>
To: <yocto@yoctoproject.org>
Subject: Re: SELinux doesn't work on t4240qds
Date: Wed, 23 Jul 2014 09:41:26 -0500
Message-ID: <53CFC996.1050904@windriver.com>
In-Reply-To: <0ad645f8fb6c4c8e8aff82398133db2e@CY1PR0301MB0715.namprd03.prod.outlook.com>

On 7/23/14, 7:15 AM, zhenhua.luo@freescale.com wrote:
> I tried dora(poky + meta-selinux + meta-fsl-ppc), following error message appears during kernel boot up, please help.
>
> RAMDISK: gzip image found at block 0
> VFS: Mounted root (ext2 filesystem) on device 1:0.
> devtmpfs: mounted
> Freeing unused kernel memory: 340k freed
> Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory

Sounds like the selinuxfs was not enabled -- or the /sys/fs/selinux mount
was not created by default. I'd start with suspecting the kernel configuration,
and then look to see if the early init scripts for selinux are incorrect and
need to add that mount.

--Mark

> Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.
> Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
>
> Call Trace:
> [c0000002f9143ae0] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
> [c0000002f9143bb0] [c000000000816e48] .panic+0xec/0x24c
> [c0000002f9143c40] [c00000000003d094] .do_exit+0x964/0xa40
> [c0000002f9143d30] [c00000000003e354] .do_group_exit+0x54/0xf0
> [c0000002f9143dc0] [c00000000003e404] .SyS_exit_group+0x14/0x20
> [c0000002f9143e30] [c000000000000598] syscall_exit+0x0/0x88
> Rebooting in 180 seconds..
>
>
> Best Regards,
>
> Zhenhua
>
>
>> -----Original Message-----
>> From: yocto-bounces@yoctoproject.org [mailto:yocto-
>> bounces@yoctoproject.org] On Behalf Of zhenhua.luo@freescale.com
>> Sent: Wednesday, July 23, 2014 10:29 AM
>> To: Mark Hatle; yocto@yoctoproject.org
>> Subject: Re: [yocto] SELinux doesn't work on t4240qds
>>
>> Hi Mark,
>>
>> Thanks for your comments.
>>
>>> -----Original Message-----
>>> From: yocto-bounces@yoctoproject.org [mailto:yocto-
>>> bounces@yoctoproject.org] On Behalf Of Mark Hatle
>>>
>>> On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
>>>> Hi all,
>>>
>>> Which release are you using.
>> [Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-
>> selinux master
>>
>>> The last version I used w/ meta-selinux was the 1.5 release.
>>>
>>> We're planning on updating it to master in the 'near' future [patches
>>> welcome!], and I've been told by a few others of success w/ 1.7.
>> [Luo Zhenhua-B19537] I will try master and dora.
>>
>>> Did you enable the 'selinux' distribution flag?
>>> If so, it should have enabled all of the components necessary for this
>> stuff to be enabled.
>> [Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.
>>
>>
>> Best Regards,
>>
>> Zhenhua
>>
>>> --Mark
>>>
>>>> I use the meta-selinux layer to build a core-image-selinux rootfs
>>>> image, and build kernel with following options enabled.
>>>>
>>>> CONFIG_AUDIT=y
>>>> CONFIG_NETWORK_SECMARK=y
>>>> CONFIG_EXT2_FS_SECURITY=y
>>>> CONFIG_EXT3_FS_SECURITY=y
>>>> CONFIG_EXT4_FS_SECURITY=y
>>>> CONFIG_JFS_SECURITY=y
>>>> CONFIG_REISERFS_FS_SECURITY=y
>>>> CONFIG_JFFS2_FS_SECURITY=y
>>>> CONFIG_SECURITY_NETWORK=y
>>>> CONFIG_SECURITY_SELINUX=y
>>>> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>>>> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
>>>> CONFIG_SECURITY_SELINUX_DISABLE=y
>>>> CONFIG_SECURITY_SELINUX_DEVELOP=y
>>>> CONFIG_SECURITY_SELINUX_AVC_STATS=y
>>>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>>>>
>>>> I use the generated images to boot up FSL PPC t4240qds board(tried
>>>> both NFS boot and RAM boot with ext2.gz.u-boot rootfs), the SELinux
>>>> is not turned on after kernel boot up.
>>>>
>>>> following is some information in rootfs.
>>>>
>>>> root@t4240qds:~# sestatus
>>>> SELinux status: disabled
>>>> root@t4240qds:~#
>>>> root@t4240qds:~# cat /etc/selinux/config
>>>> # This file controls the state of SELinux on the system.
>>>> # SELINUX= can take one of these three values:
>>>> # enforcing - SELinux security policy is enforced.
>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>> # disabled - No SELinux policy is loaded.
>>>> SELINUX=enforcing
>>>> # SELINUXTYPE= can take one of these two values:
>>>> # standard - Standard Security protection.
>>>> # mls - Multi Level Security protection.
>>>> SELINUXTYPE=mls
>>>> root@t4240qds:~# cat /proc/cmdline
>>>> root=/dev/ram rw console=ttyS0,115200 selinux=1
>>>> root@t4240qds:~# setenforce 1
>>>> setenforce: SELinux is disabled
>>>> root@t4240qds:~# getenforce
>>>> Disabled
>>>> root@t4240qds:~#
>>>>
>>>> Can somebody shed some light on the issue?
>>>>
>>>> Best Regards,
>>>>
>>>> Zhenhua
>>>>
>>>>
>>>>
>>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
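
Added example, not part of the original message or of meta-selinux: the two checks suggested in the reply above (kernel configuration first, then whether selinuxfs and its /sys/fs/selinux mount exist) written as shell functions. The function names are hypothetical, and the symbol set assumes the mainline Kconfig dependencies of SECURITY_SELINUX (SECURITY_NETWORK, AUDIT, INET).

```shell
#!/bin/sh
# Triage for "Mount failed for selinuxfs on /sys/fs/selinux" (added example).
# Paths are parameters so the checks work on saved copies as well as live.

# Print the value of SYMBOL from a kernel .config; empty if unset.
kconfig_value() {   # kconfig_value FILE SYMBOL
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# List the symbols in FILE that would keep SELinux from being built or enabled.
selinux_kconfig_problems() {   # selinux_kconfig_problems FILE
    missing=""
    for sym in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT \
               CONFIG_INET CONFIG_SECURITY_SELINUX; do
        [ "$(kconfig_value "$1" "$sym")" = "y" ] || missing="$missing $sym"
    done
    # With the boot parameter compiled in, a default of 0 leaves SELinux off
    # unless selinux=1 is passed on the kernel command line.
    if [ "$(kconfig_value "$1" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = "y" ] &&
       [ "$(kconfig_value "$1" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)" = "0" ]; then
        missing="$missing CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE"
    fi
    echo "${missing# }"
}

# Classify the runtime state into the two cases named in the reply.
selinuxfs_state() {   # selinuxfs_state FILESYSTEMS_FILE MOUNTPOINT
    if ! awk '$NF == "selinuxfs" { f = 1 } END { exit !f }' "$1"; then
        echo "selinuxfs-not-registered"   # kernel side: filesystem type absent
    elif [ ! -d "$2" ]; then
        echo "mount-point-missing"        # userspace side: nothing to mount on
    else
        echo "ok"
    fi
}

# Constructed sample (not from the thread): AUDIT off, so SELinux was dropped.
demo_cfg=$(mktemp)
printf '%s\n' CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y CONFIG_INET=y \
    '# CONFIG_AUDIT is not set' '# CONFIG_SECURITY_SELINUX is not set' > "$demo_cfg"
echo "problems: $(selinux_kconfig_problems "$demo_cfg")"
rm -f "$demo_cfg"

# On the target (assumes /proc/config.gz exists, i.e. CONFIG_IKCONFIG_PROC=y):
#   zcat /proc/config.gz > /tmp/config && selinux_kconfig_problems /tmp/config
#   selinuxfs_state /proc/filesystems /sys/fs/selinux
```

Run the configuration check against the final .config the kernel was built from, not the fragment that requested the options, since a symbol whose dependency is unmet is dropped when the configuration is resolved.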