* Re: Re: Need information on building embedded systems.
@ 2013-10-24 18:21 Don Hoefer
0 siblings, 0 replies; 3+ messages in thread
From: Don Hoefer @ 2013-10-24 18:21 UTC (permalink / raw)
To: sds, hoefer; +Cc: selinux
We are using kernel 3.8.13, busybox 1.20.2. init says that it is version 2.88; along with that, we have the typical Sys-V init with /etc/rc?.d startup scripts.
Thank you for the links, we'll digest the Android stuff.
Don Hoefer
On 10/24/13, Stephen Smalley <sds@tycho.nsa.gov> wrote:
On 10/24/2013 01:15 PM, Don Hoefer wrote:
> We are building an embedded system where the customer requires SELinux. It is our own hardware so we build our own kernel and drivers and use the ext2, jfs and tmpfs file systems. This is not new for us, but incorporating SELinux is.
>
> Does anyone know of a good knowledge resource for building embedded systems with SELinux?
>
> We are currently plowing through a frustrating step ahead/step back process. We are either unable to build a policy, or a minimal policy we build often causes the development system to fail to boot. Any policy we get onto the embedded system appears to fail to load properly. We think that some pieces may be missing but we are unable to debug due to lack of knowledge.
>
> I suspect that our boot process with SELinux is incomplete and that we are missing some libraries, for example:
>
> root@generic-powerpc:~# semanage
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 24, in <module>
>     import seobject
>   File "/usr/lib/python2.7/site-packages/seobject.py", line 24, in <module>
>     import pwd, grp, string, selinux, tempfile, os, re, sys,stat
> ImportError: No module named selinux
>
> Also, the selinux fs is not mounted and policies are not loaded during boot. We can do this with init scripts but isn't it too late by then?
>
> Any help would be welcome.
I'd suggest you have a look at what we did in porting SELinux to
Android, both with regard to our approach and possible reuse of some of our
minimalist port of libselinux and other components. See:
http://selinuxproject.org/page/SEAndroid
There is a published technical paper linked from that page that
describes the approach in detail, along with several presentations
describing it and of course how to obtain the code itself.
You really don't need much of the SELinux userspace for an embedded
system. Aside from our minimalist port of libselinux and a
reimplementation of specific utilities as part of the Android init
built-in commands and toolbox, we left the rest of the SELinux userspace
either completely unused or only used on the build host itself, not on
the device. We certainly didn't bother porting semanage or any other
python components.
We also wrote a policy from scratch tailored to Android and to a very
well-defined set of security goals, as described in the paper and
presentations. We did not use the SELinux reference policy nor did we
use anything generated by mdp as a starting point.
It would help to know your kernel (version) and what userspace you are
using as your baseline (e.g. are you using busybox? what is providing
your init program?).
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Re: Need information on building embedded systems.
@ 2013-10-24 19:04 Don Hoefer
2013-10-25 16:22 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Don Hoefer @ 2013-10-24 19:04 UTC (permalink / raw)
To: sds; +Cc: selinux
Here is a complete list of what we are working with. The processor is a Freescale PowerPC.
kernel: 3.8.13
libselinux: 2.1.9
checkpolicy: 2.1.8
libsepol: 2.1.4
policycoreutils: 2.1.10
busybox: 1.20.2
eldk: 5.3
Don Hoefer
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Need information on building embedded systems.
2013-10-24 19:04 Re: Need information on building embedded systems Don Hoefer
@ 2013-10-25 16:22 ` Stephen Smalley
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2013-10-25 16:22 UTC (permalink / raw)
To: hoefer; +Cc: Don Hoefer, selinux
On 10/24/2013 03:04 PM, Don Hoefer wrote:
> Here is a complete list of what we are working with. The processor is a Freescale PowerPC.
>
<snip>
> libselinux: 2.1.9
> checkpolicy: 2.1.8
> libsepol: 2.1.4
> policycoreutils: 2.1.10
<snip>
Are you using those specific versions because newer ones have
dependencies on components that don't exist in your embedded Linux?
That's ok, just wondering.
The folks who previously did work on embedded SELinux prior to our
Android work tried to introduce an EMBEDDED option for libselinux (make
EMBEDDED=y) that would omit certain portions they didn't need or want.
That is still present but likely won't build at the moment; you'd have
to exclude some additional files as well to get it back into a buildable
state.
Or you could possibly just use our Android port of libselinux, as that
is already greatly reduced and avoids any glibc-specific dependencies.
checkpolicy and libsepol are only truly required on the build host, not
the device, unless you need/want the ability to downgrade policy formats
at load time.
The parts of policycoreutils that matter to you should already exist in
some form in busybox if you build it with SELinux support enabled.
^ permalink raw reply [flat|nested] 3+ messages in thread
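The following is an added example, not code from either poster or from busybox or SEAndroid. It checks the two things the thread turns on: whether a busybox .config enables SELinux support and the boot-time applets, and how far a target got in SELinux bring-up (kernel support, selinuxfs mounted, policy loaded). The function names and the choice of applets are assumptions; the "kernel" context test relies on the kernel reporting that context for every task until a policy is loaded.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are passed in so the checks can
# run against a staged rootfs on the build host or against "/" on the target.

# busybox_selinux_report CONFIG
# Prints "selinux=<y|n> missing=<comma-separated applets|none>" for a busybox
# .config. The applet list is this example's choice of boot-relevant tools.
busybox_selinux_report() {
    cfg=$1
    missing=""
    if grep -q '^CONFIG_SELINUX=y$' "$cfg"; then sel=y; else sel=n; fi
    for a in LOAD_POLICY SETENFORCE GETENFORCE RESTORECON SETFILES; do
        grep -q "^CONFIG_$a=y\$" "$cfg" || missing="${missing:+$missing,}$a"
    done
    echo "selinux=$sel missing=${missing:-none}"
}

# selinux_boot_state ROOT
# Prints one of: no-kernel-support, not-mounted, no-policy, permissive,
# enforcing. Returns non-zero for the first three states.
selinux_boot_state() {
    root=${1%/}
    # The kernel lists selinuxfs here only when built with SELinux and not
    # disabled on the command line.
    grep -qw selinuxfs "$root/proc/filesystems" 2>/dev/null ||
        { echo no-kernel-support; return 1; }
    # /proc/mounts fields: device, mount point, fs type, options, ...
    mnt=$(awk '$3 == "selinuxfs" { print $2; exit }' "$root/proc/mounts" 2>/dev/null)
    [ -n "$mnt" ] || { echo not-mounted; return 2; }
    # Assumption stated in the lead-in: context "kernel" means no policy yet.
    ctx=$(cat "$root/proc/self/attr/current" 2>/dev/null | tr -d '\000\n')
    [ "$ctx" != kernel ] || { echo no-policy; return 3; }
    if [ "$(cat "$root$mnt/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}
```

On the target, call `selinux_boot_state /` from the earliest init script; on the build host, call `busybox_selinux_report` with the path to the busybox .config.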