* Cannot enable selinux with imx6ULL. Why?
From: Stefano Cappa @ 2018-10-21 10:48 UTC (permalink / raw)
To: meta-freescale Mailing List
I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using the
official NXP imx6 evk board.
I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still
experimenting and studying it :)) but I'm getting this error running "fixfiles
-f -F relabel":
Cleaning out /tmp
fixfiles: No suitable file systems found
Cleaning up labels on /tmp
secon: SELinux is not enabled
cat: /initial_contexts/unlabeled: No such file or directory
I wrote to one of the authors of meta-selinux and he said:
You need to make sure that the filesystem in use has extended attributes
enabled. A lot of silicon vendor versions have this disabled, or use a
filesystem where it's not supported.
ext*fs, xfs, etc usually support it, with the right kernel configuration.
So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but I'm
still having the same error.
And running 'mount' I get this:
/dev/<mynamehere> / type ext4 (rw,relatime,data=ordered)
What am I missing?
Also, does imx6ULL support meta-selinux? Or are there some limitations
in the kernel that block me from activating selinux?
Thank you.
* Re: Cannot enable selinux with imx6ULL. Why?
From: Otavio Salvador @ 2018-10-27 18:10 UTC (permalink / raw)
To: Stefano Cappa; +Cc: meta-freescale Mailing List
On Sun, Oct 21, 2018 at 7:52 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
> I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using the official NXP imx6 evk board.
>
> I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still experimenting and studying it :)) but I'm getting this error running "fixfiles -f -F relabel":
>
> Cleaning out /tmp
> fixfiles: No suitable file systems found
> Cleaning up labels on /tmp
> secon: SELinux is not enabled
> cat: /initial_contexts/unlabeled: No such file or directory
>
> I wrote to one of the authors of meta-selinux and he said:
>
> You need to make sure that the filesystem in use has extended attributes
> enabled. A lot of silicon vendor versions have this disabled, or use a
> filesystem where it's not supported.
> ext*fs, xfs, etc usually support it, with the right kernel configuration.
>
> So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but I'm still having the same error.
> And running 'mount' I get this:
> /dev/<mynamehere> / type ext4 (rw,relatime,data=ordered)
>
> What am I missing?
> Also, does imx6ULL support meta-selinux? Or are there some limitations in the kernel that block me from activating selinux?
You need to enable the needed features on the kernel config. You
likely need to make a new layer to store the changes you will do and
modify the defconfig accordingly.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750
* Re: Cannot enable selinux with imx6ULL. Why?
From: Stefano Cappa @ 2018-10-29 9:58 UTC (permalink / raw)
To: Otavio Salvador; +Cc: meta-freescale Mailing List
Ok. Yes I created a custom layer with recipes-kernel/linux folders and
inside these files:
- linux-imx_4.9.88.bbappend
- linux-imx_selinux.inc
- linux-imx/selinux.cfg (taken as it is from meta-selinux layer)
The content of linux-imx_4.9.88.bbappend is:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "\
"
require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
The content of linux-imx_selinux.inc is:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
# Enable selinux support in the kernel if the feature is enabled
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
And selinux.cfg is:
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y
Am I missing something?
Thank you.
* Re: Cannot enable selinux with imx6ULL. Why?
From: Otavio Salvador @ 2018-10-29 12:26 UTC (permalink / raw)
To: Stefano Cappa; +Cc: meta-freescale Mailing List
On Mon, Oct 29, 2018 at 6:59 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
> Ok. Yes I created a custom layer with recipes-kernel/linux folders and inside these files:
...
> Am I missing something?
You are on the right path. I think extended attributes support is also
needed but I am not a SE Linux user.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750
* Re: Cannot enable selinux with imx6ULL. Why?
From: Stefano Cappa @ 2018-10-29 12:33 UTC (permalink / raw)
To: Otavio Salvador; +Cc: meta-freescale Mailing List
Perfect.
Do you know if there is a config property for xattrs in the .cfg file?
* Re: Cannot enable selinux with imx6ULL. Why?
From: Otavio Salvador @ 2018-10-29 17:34 UTC (permalink / raw)
To: Stefano Cappa; +Cc: meta-freescale Mailing List
On Mon, Oct 29, 2018 at 9:34 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
> Do you know if there is a config property for xattrs in the .cfg file?
Not off the top of my head.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750
* Re: Cannot enable selinux with imx6ULL. Why?
From: Stefano Cappa @ 2018-11-01 11:22 UTC (permalink / raw)
To: Otavio Salvador; +Cc: meta-freescale Mailing List
When I run zcat /proc/config.gz I see that some options aren't applied.
Some of these aren't enabled:
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y
For instance on my device I have:
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
*# CONFIG_SECURITY is not set*
CONFIG_SECURITYFS=y
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y
It seems that the cfg file isn't applied at all.
Do you have other ideas to apply these changes manually, instead of in a
custom layer, to try to understand if I made an error in my layer or if it
is something else?
Thank you.
* Re: Cannot enable selinux with imx6ULL. Why?
From: Otavio Salvador @ 2018-11-01 12:53 UTC (permalink / raw)
To: Stefano Cappa; +Cc: meta-freescale Mailing List
On Thu, Nov 1, 2018 at 8:23 AM Stefano Cappa
<stefano.cappa.ks89@gmail.com> wrote:
...
> Do you have other ideas to apply these changes manually, instead of in a custom layer, to try to understand if I made an error in my layer or if it is something else?
A dependency of the settings is likely not satisfied; I usually make
use of menuconfig inside BitBake to do it.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750
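Added example, not part of any message in this thread: a POSIX shell check for the situation discussed above, comparing a config fragment with the final kernel config (for example the output of zcat /proc/config.gz) and listing each requested option that did not make it in. The function names and file names are hypothetical, and the sample lines are constructed from the excerpts quoted in the thread.

```sh
#!/bin/sh
# Added example: list options a config fragment requests that the built
# kernel config does not carry. Usage: unmet_options FRAGMENT FINAL_CONFIG
unmet_options() {
    fragment=$1
    config=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            CONFIG_*=*) ;;      # a requested setting
            *) continue ;;      # blank line or comment
        esac
        name=${line%%=*}
        want=${line#*=}
        # Anchor on "NAME=" so CONFIG_SECURITY never matches CONFIG_SECURITYFS.
        got=$(grep -E "^${name}=" "$config" | head -n 1)
        if [ -n "$got" ]; then
            have=${got#*=}
        elif grep -qx "# ${name} is not set" "$config"; then
            have="not set"      # symbol is visible but was left off
        else
            have="absent"       # symbol hidden (unmet dependency) or unknown
        fi
        [ "$have" = "$want" ] || printf '%s wanted=%s have=%s\n' "$name" "$want" "$have"
    done < "$fragment"
}

# Constructed sample: a few lines of selinux.cfg against a final config
# modeled on the /proc/config.gz excerpt quoted in this thread.
sample_report() {
    dir=$(mktemp -d)
    cat > "$dir/selinux.cfg" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
EOF
    cat > "$dir/final.config" <<'EOF'
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
CONFIG_DEFAULT_SECURITY_DAC=y
EOF
    unmet_options "$dir/selinux.cfg" "$dir/final.config"
    rm -rf "$dir"
}

sample_report
```

An option reported as absent is one Kconfig dropped from the final config; in the sample, CONFIG_SECURITY_SELINUX is absent because CONFIG_SECURITY, which it depends on indirectly, is not set.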
* Re: Cannot enable selinux with imx6ULL. Why?
From: Stefano Cappa @ 2018-11-01 18:37 UTC (permalink / raw)
To: Otavio Salvador; +Cc: meta-freescale Mailing List
Good suggestion, thank you.
I enabled some features with menuconfig, but I don't understand how to
store the new .config file into my custom layer to apply it automatically
at every build. I made many experiments without success. I'm going crazy.