RE: [External] Re: SELinux support question

From: Ivan Li11 <rli11@lenovo.com>
To: Jayanth Othayoth <ojayanth@gmail.com>,
	Anton Kachalov <rnouse@google.com>
Cc: Andrew Jeffery <andrew@aj.id.au>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	Artem Senichev <artemsen@gmail.com>
Subject: RE: [External] Re: SELinux support question
Date: Fri, 6 Nov 2020 10:06:29 +0000	[thread overview]
Message-ID: <HK2PR03MB45802CA98BD94FE35F318F7DD3ED0@HK2PR03MB4580.apcprd03.prod.outlook.com> (raw)
In-Reply-To: <CACkAXSrDq+OOFc-44J=KcJw14XQorL=OUpORy_gzitn09yb7Eg@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4793 bytes --]

Hi Anton and Jayanth,

Thanks your suggestion, it’s workable to get correct status after adding “selinux” to systemd bbappened file.

BTW,  may I check with you what does “precompiled policies under /etc/selinux” mean ?
Does it mean that I need to add “PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-minimum"” to build/conf/local.conf file to assign policy in advance ?

Thanks,
Ivan
From: Jayanth Othayoth <ojayanth@gmail.com>
Sent: Thursday, November 5, 2020 3:37 PM
To: Anton Kachalov <rnouse@google.com>
Cc: Ivan Li11 <rli11@lenovo.com>; Andrew Jeffery <andrew@aj.id.au>; openbmc@lists.ozlabs.org; Artem Senichev <artemsen@gmail.com>
Subject: Re: [External] Re: SELinux support question

I tried on one of the IBM box which got 32MB flash in 2018 time frame and was able to got BMC read state . Reference patch (POC only) is available here

https://gerrit.openbmc-project.xyz/q/topic:%22selinux%22+(status:open%20OR%20status:merged)

On Wed, Nov 4, 2020 at 8:06 PM Anton Kachalov <rnouse@google.com<mailto:rnouse@google.com>> wrote:
Hello, Ivan.

Please check if the systemd has been compiled with selinux feature enabled. It should be in charge of enforcing selinux rules at boot.

You should add "selinux" to PACKAGECONFIG over here:
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/systemd/systemd_%25.bbappend#L4

As well as adding "selinux" to the DISTRO_FEATURES variable in your build/conf/local.conf file.

Do you have precompiled policies under /etc/selinux ?

If it still doesn't work, please also attach a boot log.

On Tue, 3 Nov 2020 at 18:52, Ivan Li11 <rli11@lenovo.com<mailto:rli11@lenovo.com>> wrote:
Hi Anton,

Thanks your help and support.
I’ve followed your suggestion to enable selinux kernel configuration and have seen kernel message “[ 0.002268] SELinux:  Initializing.” during boot time, but still returns “Disabled” after executing getenforce command.
The selinux mode and type I set in /etc/selinux/config file is permissive and minimum.  Could you help to advise me whether there’s some settings need to set to avoid this problem.

Thanks,
Ivan
From: Anton Kachalov <rnouse@google.com<mailto:rnouse@google.com>>
Sent: Tuesday, November 3, 2020 3:50 AM
To: Ivan Li11 <rli11@lenovo.com<mailto:rli11@lenovo.com>>
Cc: Andrew Jeffery <andrew@aj.id.au<mailto:andrew@aj.id.au>>; Artem Senichev <artemsen@gmail.com<mailto:artemsen@gmail.com>>; openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org>
Subject: Re: [External] Re: SELinux support question

Hello, Ivan.

Perhaps, you should enable selinux kernel configuration as well. The openbmc kernels, if I'm not mistaken, have different recipes.

The default configuration relies on linux-yocto package:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux

You should include this selinux.cfg in on of the openbmc kernel layers:

SRC_URI += "file://selinux.cfg"

and copy selinux.cfg to one of the local files location.

On Mon, 2 Nov 2020 at 18:46, Ivan Li11 <rli11@lenovo.com<mailto:rli11@lenovo.com>> wrote:

> -----Original Message-----
> From: Andrew Jeffery <andrew@aj.id.au<mailto:andrew@aj.id.au>>
> Sent: Monday, November 2, 2020 8:54 AM
> To: Artem Senichev <artemsen@gmail.com<mailto:artemsen@gmail.com>>; Ivan Li11 <rli11@lenovo.com<mailto:rli11@lenovo.com>>
> Cc: openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org>
> Subject: [External] Re: SELinux support question
>
>
>
> On Fri, 30 Oct 2020, at 16:25, Artem Senichev wrote:
> > Hi Ivan,
> >
> > Yocto has a layer for SELinux
> > (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux), you can try
> > it.
> > But the layer depends on Python for management tools, which does not
> > exist in the OpenBMC image anymore.
> > The problem is that Python significantly increases image size, it will
> > be more than 32MiB, which causes some troubles with qemu emulation.
>
> The problem is broader than qemu though, it would also be broken on any
> platform shipping a 32MiB flash part if the image exceeds 32MiB.
>
> That said, if there are systems that ship bigger parts and enabling SELinux for
> those is feasible, we should add those platform models to qemu so emulating
> them isn't constrained by the existing platform support.
>
> Andrew

Hi Andrew and Artem,
Per your suggestion, I try to enable SELinux with Yocto SELinux layer(http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux) and 64MiB flash part.
But encountered one problem which is when I use command "getenforce" to check SELinux mode, it always returns "Disabled" even if SELinux mode in config file '/etc/selinux/config' is permissive or enforcing by default.

Please help to advise it.

[-- Attachment #2: Type: text/html, Size: 16078 bytes --]