* SELinux support question
@ 2020-10-29 16:34 Ivan Li11
  2020-10-30  5:55 ` Artem Senichev
  0 siblings, 1 reply; 12+ messages in thread
From: Ivan Li11 @ 2020-10-29 16:34 UTC (permalink / raw)
  To: openbmc

Hi Team,

I would like to ask about SELinux support. It seems that there's no SELinux-related package in the current OpenBMC.
Therefore, is it not supported for now?
Please help to advise.

Thanks.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: SELinux support question
From: Artem Senichev @ 2020-10-30  5:55 UTC (permalink / raw)
  To: Ivan Li11; +Cc: openbmc

Hi Ivan,

Yocto has a layer for SELinux
(http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux), you can try
it.
But the layer depends on Python for management tools, which does not
exist in the OpenBMC image anymore.
The problem is that Python significantly increases the image size; it will
be more than 32MiB, which causes some trouble with qemu emulation.

--
Best regards,
Artem Senichev


* Re: SELinux support question
From: Joseph Reynolds @ 2020-10-30 21:07 UTC (permalink / raw)
  To: Artem Senichev, Ivan Li11; +Cc: openbmc, Manojkiran Eda, Anton Kachalov

SELinux and alternatives such as AppArmor and KRSI (Kernel Runtime 
Security Instrumentation) were discussed in various OpenBMC security 
working group meetings including 2020-05-13, 2020-04-01, and earlier.  
See the meeting minutes:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

I don't have any additional insight.

- Joseph


* Re: SELinux support question
From: Anton Kachalov @ 2020-10-31  0:06 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: Manojkiran Eda, openbmc, Artem Senichev, Ivan Li11

Hello, Ivan.

Some OpenBMC hardening work is ongoing:
https://github.com/openbmc/openbmc/issues/3383

Do you have specific use-cases for SELinux?


* Re: SELinux support question
From: Andrew Jeffery @ 2020-11-02  0:54 UTC (permalink / raw)
  To: Artem Senichev, Ivan Li11; +Cc: openbmc

The problem is broader than qemu though, it would also be broken on
any platform shipping a 32MiB flash part if the image exceeds 32MiB.

That said, if there are systems that ship bigger parts and enabling SELinux
for those is feasible, we should add those platform models to qemu so
emulating them isn't constrained by the existing platform support.

Andrew


* RE: [External]  Re: SELinux support question
From: Ivan Li11 @ 2020-11-02 17:45 UTC (permalink / raw)
  To: Andrew Jeffery, Artem Senichev; +Cc: openbmc


Hi Andrew and Artem,
Per your suggestion, I tried to enable SELinux with the Yocto SELinux layer (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux) and a 64MiB flash part.
But I encountered one problem: when I use the command "getenforce" to check the SELinux mode, it always returns "Disabled" even if the SELinux mode in the config file '/etc/selinux/config' is permissive or enforcing by default.

Please help to advise.


* Re: [External] Re: SELinux support question
From: Anton Kachalov @ 2020-11-02 19:49 UTC (permalink / raw)
  To: Ivan Li11; +Cc: Andrew Jeffery, openbmc, Artem Senichev

Hello, Ivan.

Perhaps you should enable the selinux kernel configuration as well. The
openbmc kernels, if I'm not mistaken, have different recipes.

The default configuration relies on the linux-yocto package:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux

You should include this selinux.cfg in one of the openbmc kernel layers:

SRC_URI += "file://selinux.cfg"

and copy selinux.cfg to one of the local files locations.


* RE: [External] Re: SELinux support question
From: Ivan Li11 @ 2020-11-03 17:51 UTC (permalink / raw)
  To: Anton Kachalov; +Cc: Andrew Jeffery, openbmc, Artem Senichev

Hi Anton,

Thanks for your help and support.
I've followed your suggestion to enable the selinux kernel configuration and have seen the kernel message "[ 0.002268] SELinux:  Initializing." during boot time, but it still returns "Disabled" after executing the getenforce command.
The selinux mode and type I set in the /etc/selinux/config file are permissive and minimum. Could you help advise me whether there are some settings that need to be set to avoid this problem?

Thanks,
Ivan

* Re: [External] Re: SELinux support question
From: Anton Kachalov @ 2020-11-04 14:34 UTC (permalink / raw)
  To: Ivan Li11; +Cc: Andrew Jeffery, openbmc, Artem Senichev

Hello, Ivan.

Please check if systemd has been compiled with the selinux feature enabled.
It should be in charge of enforcing selinux rules at boot.

You should add "selinux" to PACKAGECONFIG over here:
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/systemd/systemd_%25.bbappend#L4

As well as adding "selinux" to the DISTRO_FEATURES variable in your
build/conf/local.conf file.

Do you have precompiled policies under /etc/selinux?

If it still doesn't work, please also attach a boot log.



* Re: [External] Re: SELinux support question
From: Jayanth Othayoth @ 2020-11-05  7:36 UTC (permalink / raw)
  To: Anton Kachalov; +Cc: Andrew Jeffery, openbmc, Artem Senichev, Ivan Li11

I tried this on one of the IBM boxes which had 32MB flash, in the 2018 time frame, and
was able to get the BMC to ready state. A reference patch (POC only) is available
here:

https://gerrit.openbmc-project.xyz/q/topic:%22selinux%22+(status:open%20OR%20status:merged)


* RE: [External] Re: SELinux support question
From: Ivan Li11 @ 2020-11-06 10:06 UTC (permalink / raw)
  To: Jayanth Othayoth, Anton Kachalov; +Cc: Andrew Jeffery, openbmc, Artem Senichev

Hi Anton and Jayanth,

Thanks for your suggestion; it works to get the correct status after adding "selinux" to the systemd bbappend file.

BTW, may I check with you what "precompiled policies under /etc/selinux" means?
Does it mean that I need to add PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-minimum" to the build/conf/local.conf file to assign the policy in advance?

Thanks,
Ivan

* Re: [External] Re: SELinux support question
From: Anton Kachalov @ 2020-11-06 13:40 UTC (permalink / raw)
  To: Ivan Li11; +Cc: Andrew Jeffery, openbmc, Artem Senichev, Jayanth Othayoth

Hello, Ivan.

I'm unsure how policies are being built in Yocto. Usually, you should have
/etc/selinux populated in your image with precompiled policies. At least,
some default ones.

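The checklist Anton and Jayanth walk Ivan through (selinux kernel config, systemd built with the selinux PACKAGECONFIG, precompiled policies under /etc/selinux) as a runnable diagnostic for the "getenforce says Disabled" symptom; this is an added example, not code from the thread, OpenBMC or meta-selinux. The script name, function names, the selinuxfs check and the constructed demo tree are this example's own assumptions.

```shell
#!/bin/sh
# selinux_boot_check.sh: added diagnostic for the symptom in this thread
# (getenforce prints "Disabled" although /etc/selinux/config asks for
# permissive or enforcing). Not code from the thread, OpenBMC or meta-selinux.
# It checks each piece that must be in place before SELinux can come up: kernel
# LSM (selinux.cfg), mounted selinuxfs, /etc/selinux/config, a compiled policy
# under /etc/selinux/<SELINUXTYPE>, and systemd built with the "selinux"
# PACKAGECONFIG. Each check takes a root prefix (extracted image or test tree).

# Kernel: selinux must be in the active LSM list exported via securityfs;
# fall back to the built-in kernel config when the kernel exposes it.
kernel_has_selinux() {
    root=${1:-}
    lsm="$root/sys/kernel/security/lsm"
    if [ -r "$lsm" ]; then
        case ",$(cat "$lsm")," in *,selinux,*) return 0 ;; esac
        return 1
    fi
    [ -r "$root/proc/config.gz" ] && zcat "$root/proc/config.gz" | grep -q '^CONFIG_SECURITY_SELINUX=y$'
}

# selinuxfs: libselinux reports "Disabled" when selinuxfs is not mounted;
# /sys/fs/selinux/enforce only exists once it is, so it serves as the proxy.
selinuxfs_mounted() {
    [ -e "${1:-}/sys/fs/selinux/enforce" ]
}

# Reads one key (SELINUX or SELINUXTYPE) from /etc/selinux/config; the last
# assignment wins, an unset key prints nothing, a missing file fails.
config_value() {
    f="${1:-}/etc/selinux/config"
    [ -r "$f" ] || return 1
    grep "^$2=" "$f" | tail -n 1 | cut -d= -f2-
}

# "Disabled" is the expected answer unless the config asks for a live mode.
config_mode_requested() {
    mode=$(config_value "$1" SELINUX) || return 1
    [ "$mode" = enforcing ] || [ "$mode" = permissive ]
}

# Policy: libselinux loads /etc/selinux/<SELINUXTYPE>/policy/policy.<ver>;
# this is what "precompiled policies under /etc/selinux" in the thread means.
policy_present() {
    ptype=$(config_value "${1:-}" SELINUXTYPE) || return 1
    [ -n "$ptype" ] || return 1
    for p in "${1:-}/etc/selinux/$ptype/policy/policy."*; do
        [ -f "$p" ] && return 0
    done
    return 1
}

# systemd: PID 1 loads the policy early in boot through libselinux, so it must
# be built with SELinux support. `systemctl --version` lists build features as
# +SELINUX or -SELINUX; the text is passed in so captured output works too.
systemd_has_selinux() {
    flat=$(printf '%s' "$1" | tr '\n' ' ')
    case " $flat " in *" +SELINUX "*) return 0 ;; esac
    return 1
}

# Runs one check and counts failures; "if" keeps a failing check from aborting
# a caller that runs under "set -e".
failed=0
check() {
    label=$1; shift
    if "$@"; then printf 'ok    %s\n' "$label"; return 0; fi
    printf 'FAIL  %s\n' "$label"
    failed=$((failed + 1))
}

# Full report: $1 = root prefix, $2 = output of `systemctl --version` (taken
# from the running system when omitted). Returns the number of failed checks.
selinux_check_report() {
    root=${1:-}
    sysd=${2:-$(systemctl --version 2>/dev/null || true)}
    failed=0
    check "kernel: selinux LSM active" kernel_has_selinux "$root"
    check "kernel: selinuxfs mounted" selinuxfs_mounted "$root"
    check "config: SELINUX=enforcing or permissive" config_mode_requested "$root"
    check "policy: compiled policy for SELINUXTYPE present" policy_present "$root"
    check "systemd: built with +SELINUX" systemd_has_selinux "$sysd"
    return "$failed"
}

# Constructed demo tree reproducing Ivan's state after the kernel fix: LSM
# active and config set, but no selinuxfs, no policy, systemd without SELinux.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/kernel/security" "$d/etc/selinux"
    printf 'capability,selinux\n' > "$d/sys/kernel/security/lsm"
    printf 'SELINUX=permissive\nSELINUXTYPE=minimum\n' > "$d/etc/selinux/config"
    printf '%s' "$d"
}

# "sh selinux_boot_check.sh /" checks the live BMC and exits with the failure
# count; with no argument the demo tree is checked against a constructed
# "-SELINUX" version string (exit status ignored, it is expected to fail).
if [ $# -gt 0 ]; then selinux_check_report "$1"; exit $?; fi
selinux_check_report "$(make_demo_root)" "systemd 244 +PAM -SELINUX" || true
```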
