* Cannot enable selinux with imx6ULL. Why?
@ 2018-10-21 10:48 Stefano Cappa
  2018-10-27 18:10 ` Otavio Salvador
  0 siblings, 1 reply; 9+ messages in thread
From: Stefano Cappa @ 2018-10-21 10:48 UTC (permalink / raw)
  To: meta-freescale Mailing List


I'm on Sumo branch with the latest linux-imx (no -fslc) and I'm using the
official NXP imx6 evk board.

I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still
experimenting and studying it :)) but I'm getting this error running "fixfiles
-f -F relabel":

Cleaning out /tmp
    fixfiles: No suitable file systems found
    Cleaning up labels on /tmp
    secon: SELinux is not enabled
    cat: /initial_contexts/unlabeled: No such file or directory

I wrote to one of the authors of meta-selinux and he said:

    You need to make sure that the filesystem in use has extended attributes
    enabled.  A lot of silicon vendor versions have this disabled, or use a
    filesystem where it's not supported.
    ext*fs, xfs, etc usually support it, with the right kernel configuration.

So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but I'm
still having the same error.
And running 'mount' I get this:
   /dev/<mynamehere>   / type ext4 (rw,relatime,data=ordered)

What am I missing?
Also, does imx6ULL support meta-selinux? Or are there some limitations
in the kernel that prevent me from activating selinux?

Thank u.


* Re: Cannot enable selinux with imx6ULL. Why?
  2018-10-21 10:48 Cannot enable selinux with imx6ULL. Why? Stefano Cappa
@ 2018-10-27 18:10 ` Otavio Salvador
  2018-10-29  9:58   ` Stefano Cappa
  0 siblings, 1 reply; 9+ messages in thread
From: Otavio Salvador @ 2018-10-27 18:10 UTC (permalink / raw)
  To: Stefano Cappa; +Cc: meta-freescale Mailing List

On Sun, Oct 21, 2018 at 7:52 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
> I'm on Sumo branch with the latest linux-imx (no -fslc) and I'm using the official NXP imx6 evk board.
>
> I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still experimenting and studying it :)) but I'm getting this error running "fixfiles -f -F relabel":
>
> Cleaning out /tmp
>     fixfiles: No suitable file systems found
>     Cleaning up labels on /tmp
>     secon: SELinux is not enabled
>     cat: /initial_contexts/unlabeled: No such file or directory
>
> I wrote to one of the authors of meta-selinux and he said:
>
>     You need to make sure that the filesystem in use has extended attributes
>     enabled.  A lot of silicon vendor versions have this disabled, or use a
>     filesystem where it's not supported.
>     ext*fs, xfs, etc usually support it, with the right kernel configuration.
>
> So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but I'm still having the same error.
> And running 'mount' I get this:
>    /dev/<mynamehere>   / type ext4 (rw,relatime,data=ordered)
>
> What am I missing?
> Also, does imx6ULL support meta-selinux? Or are there some limitations in the kernel that prevent me from activating selinux?

You need to enable the needed features on the kernel config. You
likely need to make a new layer to store the changes you will do and
modify the defconfig accordingly.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750



* Re: Cannot enable selinux with imx6ULL. Why?
  2018-10-27 18:10 ` Otavio Salvador
@ 2018-10-29  9:58   ` Stefano Cappa
  2018-10-29 12:26     ` Otavio Salvador
  0 siblings, 1 reply; 9+ messages in thread
From: Stefano Cappa @ 2018-10-29  9:58 UTC (permalink / raw)
  To: Otavio Salvador; +Cc: meta-freescale Mailing List


Ok. Yes I created a custom layer with recipes-kernel/linux folders and
inside these files:
- linux-imx_4.9.88.bbappend
- linux-imx_selinux.inc
- linux-imx/selinux.cfg (taken as it is from meta-selinux layer)

The content of linux-imx_4.9.88.bbappend is:

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

SRC_URI += "\
"

require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}


The content of linux-imx_selinux.inc is:

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

# Enable selinux support in the kernel if the feature is enabled
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"


And selinux.cfg is:

CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y

Am I missing something?

Thank you.




* Re: Cannot enable selinux with imx6ULL. Why?
  2018-10-29  9:58   ` Stefano Cappa
@ 2018-10-29 12:26     ` Otavio Salvador
  2018-10-29 12:33       ` Stefano Cappa
  0 siblings, 1 reply; 9+ messages in thread
From: Otavio Salvador @ 2018-10-29 12:26 UTC (permalink / raw)
  To: Stefano Cappa; +Cc: meta-freescale Mailing List

On Mon, Oct 29, 2018 at 6:59 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
> Ok. Yes I created a custom layer with recipes-kernel/linux folders and inside these files:
...
> Am I missing something?

You are on the right path. I think extended attributes support is also
needed but I am not a SE Linux user.


* Re: Cannot enable selinux with imx6ULL. Why?
  2018-10-29 12:26     ` Otavio Salvador
@ 2018-10-29 12:33       ` Stefano Cappa
  2018-10-29 17:34         ` Otavio Salvador
  0 siblings, 1 reply; 9+ messages in thread
From: Stefano Cappa @ 2018-10-29 12:33 UTC (permalink / raw)
  To: Otavio Salvador; +Cc: meta-freescale Mailing List


Perfect.

Do you know if there is a config property for xattrs in the .cfg file?


* Re: Cannot enable selinux with imx6ULL. Why?
  2018-10-29 12:33       ` Stefano Cappa
@ 2018-10-29 17:34         ` Otavio Salvador
  2018-11-01 11:22           ` Stefano Cappa
  0 siblings, 1 reply; 9+ messages in thread
From: Otavio Salvador @ 2018-10-29 17:34 UTC (permalink / raw)
  To: Stefano Cappa; +Cc: meta-freescale Mailing List

On Mon, Oct 29, 2018 at 9:34 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
> Do you know if there is a config property for xattrs in the .cfg file?

Not off the top of my head.


* Re: Cannot enable selinux with imx6ULL. Why?
  2018-10-29 17:34         ` Otavio Salvador
@ 2018-11-01 11:22           ` Stefano Cappa
  2018-11-01 12:53             ` Otavio Salvador
  0 siblings, 1 reply; 9+ messages in thread
From: Stefano Cappa @ 2018-11-01 11:22 UTC (permalink / raw)
  To: Otavio Salvador; +Cc: meta-freescale Mailing List


When I run zcat /proc/config.gz I see that some options aren't applied.

Some of these aren't enabled:
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y

For instance on my device I have:
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
*# CONFIG_SECURITY is not set*
CONFIG_SECURITYFS=y
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y


It seems that the cfg file isn't applied at all.
Do you have other ideas to apply these changes manually, instead of in a
custom layer, to try to understand if I made an error in my layer or if it
is something else?

Thank you.

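The comparison made by hand in the message above (the selinux.cfg fragment against `zcat /proc/config.gz`) can be scripted. This is an added example, not part of the original thread; `missing_options` and `demo` are names made up here, and the sample input is a subset of the lines quoted in the thread.

```shell
#!/bin/sh
# missing_options FRAGMENT CONFIG
# Prints every CONFIG_* line of FRAGMENT that does not appear verbatim in
# CONFIG. CONFIG may be a plain .config or a gzip copy of /proc/config.gz.
missing_options() {
    frag=$1 cfg=$2
    tmp=$(mktemp) || return 2
    case $cfg in
        *.gz) gzip -dc "$cfg" >"$tmp" ;;
        *)    cat "$cfg" >"$tmp" ;;
    esac || { rm -f "$tmp"; return 2; }
    # -x (whole line) and -F (fixed string): CONFIG_SECURITY=y must not be
    # satisfied by CONFIG_SECURITYFS=y or by "# CONFIG_SECURITY is not set".
    grep '^CONFIG_' "$frag" | while IFS= read -r opt; do
        grep -qxF -- "$opt" "$tmp" || printf '%s\n' "$opt"
    done
    rm -f "$tmp"
}

demo() {
    d=$(mktemp -d) || return 2
    # Sample input: four lines of the selinux.cfg fragment from the thread.
    cat >"$d/selinux.cfg" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_SELINUX=y
CONFIG_EXT4_FS_SECURITY=y
EOF
    # Sample input: part of the "Security options" excerpt from the device.
    cat >"$d/config" <<'EOF'
CONFIG_KEYS=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
EOF
    missing_options "$d/selinux.cfg" "$d/config"
    rm -rf "$d"
}

demo
```

On the target, copy /proc/config.gz next to the fragment and pass it as the second argument; an empty result means every fragment option reached the running kernel.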

* Re: Cannot enable selinux with imx6ULL. Why?
  2018-11-01 11:22           ` Stefano Cappa
@ 2018-11-01 12:53             ` Otavio Salvador
  2018-11-01 18:37               ` Stefano Cappa
  0 siblings, 1 reply; 9+ messages in thread
From: Otavio Salvador @ 2018-11-01 12:53 UTC (permalink / raw)
  To: Stefano Cappa; +Cc: meta-freescale Mailing List

On Thu, Nov 1, 2018 at 8:23 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
...
> Do you have other ideas to apply these changes manually, instead on a custom-layer to try to understand if I made an error in my layer or if is it something else?

A dependency of the settings is likely not satisfied; I usually make
use of menuconfig inside BitBake to do it.


* Re: Cannot enable selinux with imx6ULL. Why?
  2018-11-01 12:53             ` Otavio Salvador
@ 2018-11-01 18:37               ` Stefano Cappa
  0 siblings, 0 replies; 9+ messages in thread
From: Stefano Cappa @ 2018-11-01 18:37 UTC (permalink / raw)
  To: Otavio Salvador; +Cc: meta-freescale Mailing List


Good suggestion, thank you.

I enabled some features with menuconfig, but I don't understand how to
store the new .config file into my custom layer to apply it automatically
at every build. I made many experiments without success. I'm going crazy.
