Hello, Ivan.

I'm unsure how policies are being built in Yocto. Usually, you should have /etc/selinux populated in your image with precompiled policies. At least, some default ones.

On Fri, 6 Nov 2020 at 11:06, Ivan Li11 wrote:

> Hi Anton and Jayanth,
>
> Thanks for your suggestion, it's workable to get the correct status after adding "selinux" to the systemd bbappend file.
>
> BTW, may I check with you what "precompiled policies under /etc/selinux" means?
>
> Does it mean that I need to add "PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-minimum"" to the build/conf/local.conf file to assign a policy in advance?
>
> Thanks,
> Ivan
>
> *From:* Jayanth Othayoth
> *Sent:* Thursday, November 5, 2020 3:37 PM
> *To:* Anton Kachalov
> *Cc:* Ivan Li11; Andrew Jeffery; openbmc@lists.ozlabs.org; Artem Senichev
> *Subject:* Re: [External] Re: SELinux support question
>
> I tried on one of the IBM boxes which got 32MB flash in the 2018 time frame and was able to get the BMC read state. A reference patch (POC only) is available here:
>
> https://gerrit.openbmc-project.xyz/q/topic:%22selinux%22+(status:open%20OR%20status:merged)
>
> On Wed, Nov 4, 2020 at 8:06 PM Anton Kachalov wrote:
>
> > Hello, Ivan.
> >
> > Please check if systemd has been compiled with the selinux feature enabled. It should be in charge of enforcing selinux rules at boot.
> >
> > You should add "selinux" to PACKAGECONFIG over here:
> > https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/systemd/systemd_%25.bbappend#L4
> >
> > As well as adding "selinux" to the DISTRO_FEATURES variable in your build/conf/local.conf file.
> >
> > Do you have precompiled policies under /etc/selinux?
> >
> > If it still doesn't work, please also attach a boot log.
> >
> > On Tue, 3 Nov 2020 at 18:52, Ivan Li11 wrote:
> >
> > > Hi Anton,
> > >
> > > Thanks for your help and support.
> > >
> > > I've followed your suggestion to enable the selinux kernel configuration and have seen the kernel message "[ 0.002268] SELinux: Initializing." during boot time, but it still returns "Disabled" after executing the getenforce command.
> > >
> > > The selinux mode and type I set in the /etc/selinux/config file are permissive and minimum. Could you help to advise me whether there are some settings that need to be set to avoid this problem?
> > >
> > > Thanks,
> > > Ivan
> > >
> > > *From:* Anton Kachalov
> > > *Sent:* Tuesday, November 3, 2020 3:50 AM
> > > *To:* Ivan Li11
> > > *Cc:* Andrew Jeffery; Artem Senichev; openbmc@lists.ozlabs.org
> > > *Subject:* Re: [External] Re: SELinux support question
> > >
> > > Hello, Ivan.
> > >
> > > Perhaps you should enable the selinux kernel configuration as well. The openbmc kernels, if I'm not mistaken, have different recipes.
> > >
> > > The default configuration relies on the linux-yocto package:
> > > http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux
> > >
> > > You should include this selinux.cfg in one of the openbmc kernel layers:
> > >
> > > SRC_URI += "file://selinux.cfg"
> > >
> > > and copy selinux.cfg to one of the local files locations.
> > >
> > > On Mon, 2 Nov 2020 at 18:46, Ivan Li11 wrote:
> > >
> > > > -----Original Message-----
> > > > From: Andrew Jeffery
> > > > Sent: Monday, November 2, 2020 8:54 AM
> > > > To: Artem Senichev; Ivan Li11
> > > > Cc: openbmc@lists.ozlabs.org
> > > > Subject: [External] Re: SELinux support question
> > > >
> > > > On Fri, 30 Oct 2020, at 16:25, Artem Senichev wrote:
> > > >
> > > > > Hi Ivan,
> > > > >
> > > > > Yocto has a layer for SELinux (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux), you can try it.
> > > > > But the layer depends on Python for management tools, which does not exist in the OpenBMC image anymore.
> > > > > The problem is that Python significantly increases image size, it will be more than 32MiB, which causes some troubles with qemu emulation.
> > > >
> > > > The problem is broader than qemu though, it would also be broken on any platform shipping a 32MiB flash part if the image exceeds 32MiB.
> > > >
> > > > That said, if there are systems that ship bigger parts and enabling SELinux for those is feasible, we should add those platform models to qemu so emulating them isn't constrained by the existing platform support.
> > > >
> > > > Andrew
> > > >
> > > > Hi Andrew and Artem,
> > > >
> > > > Per your suggestion, I tried to enable SELinux with the Yocto SELinux layer (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux) and a 64MiB flash part.
> > > > But I encountered one problem: when I use the command "getenforce" to check the SELinux mode, it always returns "Disabled" even if the SELinux mode in the config file '/etc/selinux/config' is permissive or enforcing by default.
> > > >
> > > > Please help to advise on it.
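The replies in this thread name several things that must all be true before `getenforce` reports anything other than "Disabled": the kernel must have SELinux configured, systemd must be built with its selinux PACKAGECONFIG so it can load the policy at boot, /etc/selinux/config must name a mode and a type, and a compiled policy must exist under /etc/selinux for that type. The POSIX shell script below is an added diagnostic example, not code from the thread, from OpenBMC or from meta-selinux; it checks each of those conditions. Every check takes its input as an argument so it can be pointed at a live root ("/" plus the real `systemctl --version` output) or at the constructed sample tree the demo at the bottom builds; the function names, the sample paths, the stand-in policy file name and the sample `systemctl --version` text are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check the boot-time preconditions the
# replies name before trusting `getenforce`. Every check takes its input as an
# argument, so it can be run against the live system or against constructed
# files, as the demo at the bottom does.

# Print the value of KEY from an /etc/selinux/config-style file; return 1 if absent.
selinux_config_value() {
    key=$1; file=$2
    [ -r "$file" ] || return 1
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# A compiled policy must exist as <selinux_dir>/<type>/policy/policy.<N> for the
# SELINUXTYPE the config names; without it nothing can be loaded at boot.
policy_present() {
    ptype=$1; selinux_dir=$2
    for f in "$selinux_dir/$ptype/policy/policy."*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# systemd lists its build features in `systemctl --version`; "+SELINUX" means it
# was built with the selinux PACKAGECONFIG, "-SELINUX" means it was not.
systemd_has_selinux() {
    printf '%s\n' "$1" | grep -qF -- '+SELINUX'
}

# libselinux only reports SELinux as enabled when selinuxfs is mounted; the
# kernel exposes it at <sysfs>/fs/selinux, and `enforce` is its mode switch.
selinuxfs_mounted() {
    [ -e "$1/fs/selinux/enforce" ]
}

# Run all checks against ROOT (a directory tree) and SYSTEMCTL_OUTPUT, printing
# one line per finding; return 0 only if every check passes.
check_selinux_boot() {
    root=$1; systemctl_output=$2; ok=0
    cfg="$root/etc/selinux/config"
    if mode=$(selinux_config_value SELINUX "$cfg"); then
        echo "config: SELINUX=$mode"
    else
        echo "config: no SELINUX= line in $cfg"; ok=1
    fi
    if ptype=$(selinux_config_value SELINUXTYPE "$cfg"); then
        if policy_present "$ptype" "$root/etc/selinux"; then
            echo "policy: compiled policy found for type '$ptype'"
        else
            echo "policy: no compiled policy under $root/etc/selinux/$ptype/policy"; ok=1
        fi
    else
        echo "config: no SELINUXTYPE= line in $cfg"; ok=1
    fi
    if systemd_has_selinux "$systemctl_output"; then
        echo "systemd: built with SELinux support"
    else
        echo "systemd: built WITHOUT SELinux support (add selinux to its PACKAGECONFIG)"; ok=1
    fi
    if selinuxfs_mounted "$root/sys"; then
        echo "kernel: selinuxfs is mounted"
    else
        echo "kernel: selinuxfs not mounted (kernel config missing or policy never loaded)"; ok=1
    fi
    return $ok
}

# Demo on a constructed tree: a "minimum" config with a stand-in compiled policy
# and selinuxfs present, but a systemd built without SELinux support.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/selinux/minimum/policy" "$demo_root/sys/fs/selinux"
printf 'SELINUX=permissive\nSELINUXTYPE=minimum\n' > "$demo_root/etc/selinux/config"
: > "$demo_root/etc/selinux/minimum/policy/policy.33"   # constructed, empty stand-in
: > "$demo_root/sys/fs/selinux/enforce"                  # constructed selinuxfs node
demo_systemctl='systemd 244 (244)
+PAM +AUDIT -SELINUX +IMA'    # constructed `systemctl --version` output
if check_selinux_boot "$demo_root" "$demo_systemctl"; then
    echo "all preconditions met"
else
    echo "fix the failed item(s) before expecting getenforce to report the configured mode"
fi
rm -rf "$demo_root"
```

On a real BMC the same functions can be run as `check_selinux_boot / "$(systemctl --version)"`; the checks are deliberately read-only so they are safe to run on a board that is still booting into an unlabeled state.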