* How to start SELinux on embedded device
@ 2015-05-14  6:40 rajkumar
  2015-05-14  7:44 ` Emre Can Kucukoglu
  2015-05-14 12:24 ` Stephen Smalley
  0 siblings, 2 replies; 4+ messages in thread
From: rajkumar @ 2015-05-14  6:40 UTC (permalink / raw)
  To: Selinux

Hi, I am Rajkumar, new to SELinux.


My requirement is to start porting SELinux to an embedded device with an
ARM processor.
The Linux kernel version in use is 3.0.35.
I started reading The SELinux Notebook, 4th edition.
I made some changes in .config, like enabling SELinux in the kernel.
And what changes need to be done in the rootfs, apart from DAC, and in
the kernel?


Please provide guidelines.

-- 
Regards
Rajkumar.m
+91 8501021114


* Re: How to start SELinux on embedded device
  2015-05-14  6:40 How to start SELinux on embedded device rajkumar
@ 2015-05-14  7:44 ` Emre Can Kucukoglu
  2015-05-14  9:41   ` rajkumar
  2015-05-14 12:24 ` Stephen Smalley
  1 sibling, 1 reply; 4+ messages in thread
From: Emre Can Kucukoglu @ 2015-05-14  7:44 UTC (permalink / raw)
  To: rajkumar; +Cc: Selinux


Hi Rajkumar,

Basically, you need 3 major steps.

1. Enable the security framework and SELinux configuration options in the
Linux kernel, like: CONFIG_SECURITY_SELINUX, DEFAULT_SECURITY_SELINUX,
SECURITY_SELINUX_AVC_STATS, CONFIG_SECURITY_SELINUX_BOOTPARAM,
SECURITY_SELINUX_DEVELOP, CONFIG_SECURITY_SELINUX_DISABLE
2. Then download and compile SELinux:
https://github.com/SELinuxProject/selinux. Add the cross-compiled files to
your rootfs.
3. Download and configure the SELinux reference policy project; however,
keep in mind that there are lots of redundant policy modules in the
reference policy, and you should keep them out. Load the policies, enable
your SELinux. (See setenforce, /etc/selinux/config, boot args, kernel
configuration.)
4. Later, you 'can' download and compile setools3 (vs3 is the stable one, I
guess) to ease your policy management.

I think the SELinux Notebook is a good resource to learn how to use SELinux,
not how to port it.
You can look at my presentation about SELinux overview; however, keep in
mind that it is not reviewed yet.
https://docs.google.com/presentation/d/1Qtl_vaxvcAPse47d2sCWH6IAhn9XYFKkHEsOddobHpw/edit?usp=sharing

In which step do you think you are?

-- 
Emre Can Kucukoglu
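
Added example, not part of the thread or of any poster's message: a shell check of a kernel .config against the options named in step 1 above, written with the CONFIG_ prefix they carry in .config. CONFIG_AUDIT, CONFIG_SECURITY and CONFIG_SECURITY_NETWORK are added here as assumed prerequisites of CONFIG_SECURITY_SELINUX, and the sample .config fragment is constructed.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the SELinux options from step 1.
# Assumption: CONFIG_AUDIT, CONFIG_SECURITY and CONFIG_SECURITY_NETWORK are
# listed as prerequisites of CONFIG_SECURITY_SELINUX; the thread does not name them.
REQUIRED="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX CONFIG_DEFAULT_SECURITY_SELINUX"

# Useful during bring-up, worth reviewing before a device ships:
# BOOTPARAM allows selinux=0 on the kernel command line, DISABLE allows a
# runtime disable before policy load, DEVELOP allows permissive mode.
REVIEW="CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DISABLE CONFIG_SECURITY_SELINUX_DEVELOP"

# is_enabled FILE OPTION: succeeds only if OPTION is built in (=y)
is_enabled() {
    grep -q "^$2=y\$" "$1"
}

# missing_required FILE: prints the required options that are not =y
missing_required() {
    out=""
    for opt in $REQUIRED; do
        is_enabled "$1" "$opt" || out="$out $opt"
    done
    echo "${out# }"
}

# review_for_production FILE: prints enabled options that can relax enforcement
review_for_production() {
    out=""
    for opt in $REVIEW; do
        if is_enabled "$1" "$opt"; then out="$out $opt"; fi
    done
    echo "${out# }"
}

# Constructed sample .config fragment (not taken from the thread).
sample_config() {
    cat <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_DEFAULT_SECURITY_DAC=y
EOF
}

# Usage: sh check.sh path/to/.config
if [ -n "${1:-}" ] && [ -f "${1:-}" ]; then
    echo "missing: $(missing_required "$1")"
    echo "review:  $(review_for_production "$1")"
fi
```
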


* Re: How to start SELinux on embedded device
  2015-05-14  7:44 ` Emre Can Kucukoglu
@ 2015-05-14  9:41   ` rajkumar
  0 siblings, 0 replies; 4+ messages in thread
From: rajkumar @ 2015-05-14  9:41 UTC (permalink / raw)
  To: Emre Can Kucukoglu; +Cc: Selinux


Hi,

Thank you, Emre Can Kucukoglu.
I am just at the understanding level.

Need your support further.

Regards
Rajkumar



-- 
Regards
Rajkumar.m



* Re: How to start SELinux on embedded device
  2015-05-14  6:40 How to start SELinux on embedded device rajkumar
  2015-05-14  7:44 ` Emre Can Kucukoglu
@ 2015-05-14 12:24 ` Stephen Smalley
  1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2015-05-14 12:24 UTC (permalink / raw)
  To: rajkumar, Selinux

On 05/14/2015 02:40 AM, rajkumar wrote:
> Hi I am Rajkumar new to SELinux.
> 
> 
> My Requirement is to start SELinux porting on Embedded device consists
> of ARM processor.
> Using linux kernel version is 3.0.35.
> I started reading The SELinux notebook 4th edition.
> Made some changes in .config like enabling SELinux in kernel.
> And what are the changes need to be done rootfs apart from DAC  and in
> kernel.
> 
> 
> Please provide guidelines.

There are at least two actively maintained examples of SELinux for
embedded that you can use as a guide:

1.  Android SELinux, developed originally by us and contributed to the
Android Open Source Project, included in Android 4.3 (permissive), 4.4
(enforcing for root daemons), and 5.0 (enforcing for all processes).
See http://seandroid.bitbucket.org/index.html.  Advantages:  Minimalist
port of the SELinux userspace to Android (small footprint, no python or
other scripting language dependency on the target, elimination of glibc
dependencies, small policy written from scratch for Android).  Actively
maintained by Google as part of Android.  Disadvantages:  A fork of the
SELinux userspace (although there is ongoing work to reduce the
divergence and possibly reunify the core userspace at least), and
specialized for Android so you'd have to adapt to OpenEmbedded or
whatever you are using as your base distribution.

2.  meta-selinux layer for Yocto, developed and maintained by others
(Wind River originally, I believe, and now by several other people).
See http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/.
Advantages:  A complete upstream SELinux userspace and refpolicy, tracks
upstream regularly.  Disadvantages:  Large footprint, all of the
dependencies associated with upstream selinux userspace in Linux
distributions although you could perhaps prune it.  There is a
packagegroup-selinux-minimal.bb that offers a smaller instantiation
without a python dependency I believe.

There have been a number of other prior embedded SELinux efforts, but I
don't think any of them other than the two above are actively maintained or
publicly available.
