* busybox + SELinux (warrior) - reboot issue
@ 2019-11-13 18:06 Yair Itzhaki
From: Yair Itzhaki @ 2019-11-13 18:06 UTC (permalink / raw)
  To: yocto


Hi,
I'm using Poky (Warrior), with busybox (aiming at a lightweight system).
Recently, added SELinux to my project (by adding "packagegroup-core-selinux" to my local.conf, with mls policy).

Booted with "selinux=1 enforing=0".
The auto-relabeling reported an error, since the root is mounted RO.
So, patched the selinux-autorelabel script to mount "/" RW before relabeling.

Booted again.
This time, selinux-init had the same issue (/ mounted RO).
Patched this one as well, but the system keeps rebooting:
It seems that the init process keeps its kernel_t context, which forces re-labeling, reboot and so on... (per the selinux-init script)

Q1: Is SELinux+busybox a valid combination, or should I switch to systemd?
Q2: Which context should the init process end up as?

BTW – the build of "core-image-selinux" fails, with the following error
   Copying files into the device: set_inode_xattr: No data available while reading attribute "security.selinux" of "network"
Any idea?

Thanks,
Yair




* Re: [yocto] busybox + SELinux (warrior) - reboot issue
@ 2019-11-22  5:50 Yi Zhao
From: Yi Zhao @ 2019-11-22  5:50 UTC (permalink / raw)
  To: Yair Itzhaki, yocto


Hi Yair,


On 11/14/19 2:06 AM, Yair Itzhaki wrote:
>
> Hi,
>
> I'm using Poky (Warrior), with busybox (aiming at a lightweight system).
>
> Recently, added SELinux to my project (by adding 
> "packagegroup-core-selinux" to my local.conf, with mls policy).
>
> Booted with "selinux=1 enforing=0".
>
> The auto-relabeling reported an error, since the root is mounted RO.
>
> So, patched the selinux-autorelabel script to mount "/" RW before relabeling.
>
> Booted again.
>
> This time, selinux-init had the same issue ( / mounted RO).
>
> Patched this one as well, but the system keeps rebooting:
>
> It seems that the init process keeps its kernel_t context, which 
> forces re-labeling, reboot and so on... (per the selinux-init script)
>
> Q1: Is SELinux+busybox a valid combination, or should I switch to systemd?
>
SELinux+busybox should work. But there are some security label issues 
with busybox.

I attached a fix. You can try it.


> Q2: Which context should the init process end up as?
>
This is because /sbin/init.sysvinit doesn't set the correct label. 
Please also see the attachment. I will send the formal patch later.


> BTW – the build of "core-image-selinux" fails, with the following error
>
> Copying files into the device: set_inode_xattr: No data available 
> while reading attribute "security.selinux" of "network"
>
I didn't encounter this issue. Please make sure the setting 
DISTRO_FEATURES_append = " acl xattr pam selinux" is in your conf/local.conf.


//Yi


> Any idea?
>
> Thanks,
>
> Yair
>
>

[-- Attachment #2: fix.patch --]

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 04fca3c..c720871 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -44,7 +44,7 @@
 
 # busybox aliases
 # quickly match up the busybox built-in tree to the base filesystem tree
-/usr/lib/busybox/bin /bin
-/usr/lib/busybox/sbin /sbin
+/usr/lib/busybox/bin /usr/bin
+/usr/lib/busybox/sbin /usr/sbin
 /usr/lib/busybox/usr /usr
 
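Review bot: the commit message should say why the busybox aliases move from /bin and /sbin to /usr/bin and /usr/sbin: the context patterns added and relied on in the accompanying fc hunks live under /usr/bin and /usr/sbin (`/usr/bin/.*getty`, `/usr/sbin/init(ng)?`), so a busybox path rewritten to /bin or /sbin never reaches them and falls through to a generic label. It is also worth stating that this assumes /bin and /sbin are aliases of /usr/bin and /usr/sbin on the target, the same assumption the unchanged `/usr/lib/busybox/usr /usr` line already makes for the /usr subtree.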
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index 116ea64..d688249 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -4,6 +4,7 @@
 /run/agetty\.reload	--	gen_context(system_u:object_r:getty_runtime_t,s0)
 
 /usr/bin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
+/usr/bin/start_getty   --  gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
 
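Review bot: the added `/usr/bin/start_getty` line separates its fields with spaces while the neighbouring entries use tabs; match the file's tab-separated layout. It also needs a one-line comment explaining why start_getty is pinned to bin_t: the preceding `/usr/bin/.*getty` pattern would otherwise assign it getty_exec_t, so this is an intentional exception that a reader cannot recognise as such without the note.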
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 11a6ce9..3c063b1 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
 
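Review bot: please record in the commit message why a separate entry is required: `/usr/sbin/init(ng)?` only matches `init` or `initng`, so `init.sysvinit`, the file /sbin/init resolves to on a sysvinit image, was left without init_exec_t and the init process never transitioned out of kernel_t, which is the relabel-and-reboot loop reported at the top of the thread. The escaped dot in `init\.sysvinit` is correct, and placing the entry directly after the `init(ng)?` line is the right spot.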

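To make concrete how the two files changed by fix.patch interact, here is an added illustration (not code from the thread, from libselinux or from the meta-selinux project): a simplified model of subs_dist prefix substitution followed by most-specific file_contexts matching, run over constructed excerpts of the patch's entries. It assumes that a single substitution is applied without chaining and that specificity ties go to the later entry.

```python
import re

# Constructed excerpts of the two files fix.patch touches. Assumption: this is a
# simplified model of the labelling rules, not libselinux code.
SUBS_BEFORE = [("/usr/lib/busybox/bin", "/bin"), ("/usr/lib/busybox/sbin", "/sbin"),
               ("/usr/lib/busybox/usr", "/usr")]
SUBS_AFTER = [("/usr/lib/busybox/bin", "/usr/bin"), ("/usr/lib/busybox/sbin", "/usr/sbin"),
              ("/usr/lib/busybox/usr", "/usr")]
# file_contexts entries as (regex, context); later entries win ties.
FC_BEFORE = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/usr/bin/.*", "system_u:object_r:bin_t:s0"),
    (r"/usr/sbin/.*", "system_u:object_r:bin_t:s0"),
    (r"/usr/bin/.*getty", "system_u:object_r:getty_exec_t:s0"),
    (r"/usr/sbin/init(ng)?", "system_u:object_r:init_exec_t:s0"),
]
# The two entries the patch adds to getty.fc and init.fc.
FC_AFTER = FC_BEFORE + [
    (r"/usr/bin/start_getty", "system_u:object_r:bin_t:s0"),
    (r"/usr/sbin/init\.sysvinit", "system_u:object_r:init_exec_t:s0"),
]

def substitute(path, subs):
    """subs_dist step: rewrite the first matching prefix, never chain."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def specificity(regex):
    """Fully literal entries beat patterns; longer literal stems beat shorter."""
    stem = re.split(r"[.*?+\[\](){}|^$\\]", regex, maxsplit=1)[0]
    return (stem == regex, len(stem))

def lookup(path, specs):
    """file_contexts step: context of the most specific whole-path match."""
    best = None
    for regex, ctx in specs:
        if re.fullmatch(regex, path) and (best is None or specificity(regex) >= best[0]):
            best = (specificity(regex), ctx)
    return best[1] if best else None

def label(path, subs, specs):
    """Context a relabel would assign to path under a subs_dist/fc pair."""
    return lookup(substitute(path, subs), specs)

if __name__ == "__main__":
    for p in ("/usr/lib/busybox/bin/getty", "/usr/bin/start_getty", "/usr/sbin/init.sysvinit"):
        print(p, label(p, SUBS_BEFORE, FC_BEFORE), "->", label(p, SUBS_AFTER, FC_AFTER))
```

Before the patch, the busybox getty alias is rewritten to /bin/getty and only the catch-all entry matches it, and init.sysvinit gets plain bin_t; after it, both receive the exec types the policy expects.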

* Re: busybox + SELinux (warrior) - reboot issue
@ 2019-11-22 18:27 Ayoub Zaki
From: Ayoub Zaki @ 2019-11-22 18:27 UTC (permalink / raw)
  To: yocto


Hi,

You should inherit the following bbclass in your image recipe:

inherit selinux-image

It will set the security label of your filesystem using your refpolicy offline so it does not need to relabel again.

Best regards


* Re: busybox + SELinux (warrior) - reboot issue
@ 2019-11-21 15:15 Mark Hatle
From: Mark Hatle @ 2019-11-21 15:15 UTC (permalink / raw)
  To: yocto

I've been trying to find time to look into it, but I've not had any so far.

I'd suggest trying it on a more full Linux system first to see if that resolves
the issue.  If it does, then it's simply a configuration issue and you can use the
audit messages to help figure it out, but the fact it's rebooting suggests to
me that something is incorrect in the initscripts when used with busybox.

--Mark

On 11/21/19 8:54 AM, Yair Itzhaki wrote:
> Anybody?
>
> Thanks,
>
> Yair

* Re: busybox + SELinux (warrior) - reboot issue
@ 2019-11-21 14:54 Yair Itzhaki
From: Yair Itzhaki @ 2019-11-21 14:54 UTC (permalink / raw)
  To: yocto


Anybody?

Thanks,
Yair