Hello,
I am having one heck of a time getting SELinux working on ARM in QEMU. I compiled the 2.6.31.4 kernel following the instructions here:
http://fedoraproject.org/wiki/Architectures/ARM/HowToQemu#Build_Kernel_Image...
And I added these lines to the .config:
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
And I used menuconfig to switch on Auditing support, Security labels for ext[234].
During boot I see this message, so I know there's at least *something* in there:
SELinux: Initializing.
I also see selinuxfs in /proc/filesystems.
But it doesn't seem to actually be working:
[root@fedora-arm ~]# sestatus -v
SELinux status: disabled
Any help is appreciated.
Thanks, Per
On Wednesday 21 October 2009 01:51:23 am Per Nystrom wrote:
During boot I see this message, so I know there's at least *something* in there:
SELinux: Initializing.
Do you have targeted policy installed? Are there any messages in syslog related to selinux?
[root@fedora-arm ~]# sestatus -v
SELinux status: disabled
SE Linux is disabled if policy loading doesn't happen or is unsuccessful in loading.
-Steve
On Wed, 2009-10-21 at 11:15 -0400, Steve Grubb wrote:
On Wednesday 21 October 2009 01:51:23 am Per Nystrom wrote:
During boot I see this message, so I know there's at least *something* in there:
SELinux: Initializing.
Do you have targeted policy installed? Are there any messages in syslog related to selinux?
Seems to be installed:
[root@fedora-arm ~]# rpm -qa 'selinux*'
selinux-policy-3.6.12-39.fc11.noarch
selinux-policy-targeted-3.6.12-39.fc11.noarch
These are the only messages I see from dmesg:
[root@fedora-arm ~]# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
Thanks, Per
On Wednesday 21 October 2009 02:32:04 pm Per Nystrom wrote:
These are the only messages I see from dmesg:
[root@fedora-arm ~]# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
OK, did some checking. SE Linux policy is loaded in the initrd in F-11. The reason why is because if it's done from /etc/rc.sysinit, then init has the wrong context and that leads to lots of problems. So, you would need to boot via initrd to have selinux working. The initrd only needs to call load_policy and nothing else.
Another approach used back in F-9/10 was to patch init itself to load policy. That patch could probably be pulled from cvs.
-Steve
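The early-boot sequence Steve describes (the initrd loads policy before the real init starts, and SELinux reports "disabled" if that load never happens or fails) is shown below as an added example; it is not code from the thread, from Fedora's initrd, or from the upstart patch. It assumes selinuxfs is mounted at /selinux (the F-11 location reported by sestatus later in the thread) and uses a LOAD_POLICY variable for the load_policy binary so the decision logic can be exercised without a SELinux-enabled kernel. It also mirrors the kernel's selinux= boot parameter as used in the thread (selinux=0 to disable).

```shell
#!/bin/sh
# Added example (not from the thread): the minimal policy-loading logic an
# initrd /init needs before exec'ing /sbin/init, plus a sestatus-style check
# that tells "disabled" (no policy loaded) from "permissive"/"enforcing".
# Assumptions: selinuxfs mounted at $SELINUXFS; $LOAD_POLICY is the path of
# load_policy (overridable with a stub for offline testing). Mounting proc,
# sysfs and selinuxfs is left to the real initrd and not done here.

SELINUXFS="${SELINUXFS:-/selinux}"
LOAD_POLICY="${LOAD_POLICY:-/sbin/load_policy}"

# Read the selinux= boot parameter out of a kernel command line string.
# Prints "disabled" for selinux=0 and "enabled" otherwise, matching the
# default of CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 from the thread.
selinux_cmdline_state() {
    cmdline=$1
    state=enabled
    for word in $cmdline; do
        case "$word" in
            selinux=0) state=disabled ;;
            selinux=1) state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# Once load_policy has succeeded, selinuxfs exposes policyvers and the
# enforce toggle; before that (or with selinux=0) neither is readable.
policy_loaded() {
    fs=$1
    [ -r "$fs/policyvers" ] && [ -r "$fs/enforce" ]
}

# Mode as sestatus would print it.
selinux_mode() {
    fs=$1
    if ! policy_loaded "$fs"; then
        printf 'disabled\n'
    elif [ "$(cat "$fs/enforce")" = "1" ]; then
        printf 'enforcing\n'
    else
        printf 'permissive\n'
    fi
}

# The step the initrd runs before handing over to init.
# Returns 0 when policy is loaded (or SELinux was disabled on the command
# line on purpose), non-zero when load_policy failed: that is the state
# the thread started in, where init runs without a loaded policy and
# sestatus reports "disabled".
initrd_load_policy() {
    cmdline=$1
    fs=$2
    if [ "$(selinux_cmdline_state "$cmdline")" = disabled ]; then
        echo "selinux=0 on command line, skipping load_policy"
        return 0
    fi
    "$LOAD_POLICY" || { echo "load_policy failed, SELinux will be disabled" >&2; return 1; }
    policy_loaded "$fs"
}
```

On a real box you would run initrd_load_policy "$(cat /proc/cmdline)" /selinux from the initrd and then exec /sbin/init only if it returned 0; selinux_mode /selinux afterwards gives the same answer as the "Current mode" line of sestatus.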
On Wed, 2009-10-21 at 15:38 -0400, Steve Grubb wrote:
On Wednesday 21 October 2009 02:32:04 pm Per Nystrom wrote:
These are the only messages I see from dmesg:
[root@fedora-arm ~]# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
OK, did some checking. SE Linux policy is loaded in the initrd in F-11. The reason why is because if it's done from /etc/rc.sysinit, then init has the wrong context and that leads to lots of problems. So, you would need to boot via initrd to have selinux working. The initrd only needs to call load_policy and nothing else.
Another approach used back in F-9/10 was to patch init itself to load policy. That patch could probably be pulled from cvs.
Which approach is likely to be supported in the ARM distribution going forward? I'd rather keep things simple and not use an initrd, but I'd like to know if that patch is going to make it into F11 ARM and later releases.
Thanks, Per
-----Original Message-----
From: fedora-arm-bounces@redhat.com [mailto:fedora-arm-bounces@redhat.com] On Behalf Of Per Nystrom
Sent: 22 October 2009 02:14
To: Steve Grubb
Cc: fedora-arm@redhat.com
Subject: Re: [fedora-arm] SELinux on F11 on ARM (in QEMU)?
On Wed, 2009-10-21 at 15:38 -0400, Steve Grubb wrote:
On Wednesday 21 October 2009 02:32:04 pm Per Nystrom wrote:
These are the only messages I see from dmesg:
[root@fedora-arm ~]# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
OK, did some checking. SE Linux policy is loaded in the initrd in F-11. The reason why is because if it's done from /etc/rc.sysinit, then init has the wrong context and that leads to lots of problems. So, you would need to boot via initrd to have selinux working. The initrd only needs to call load_policy and nothing else.
Another approach used back in F-9/10 was to patch init itself to load policy. That patch could probably be pulled from cvs.
Which approach is likely to be supported in the ARM distribution going forward? I'd rather keep things simple and not use an initrd, but I'd like to know if that patch is going to make it into F11 ARM and later releases.
If possible, could you please go ahead and see how the patch works for you?
To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
As a policy we do not want to diverge from upstream Fedora packages. But we could make that call based on how many users pick this approach.
Thanks, Per
Kedar.
On Thursday 22 October 2009 12:33:24 pm Kedar Sovani wrote:
If possible, could you please go ahead and see how the patch works for you?
I did some more checking. The patch in question was prior to upstart. So, what you need is the sysvinit package from F-8. And I suspect that changes a lot of things.
To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
It might be possible to port the patch to upstart. This is the patch in question:
http://cvs.fedoraproject.org/viewvc/rpms/sysvinit/F-8/sysvinit-selinux.patch...
As a policy we do not want to diverge from upstream Fedora packages. But we could make that call based on how many users pick this approach.
-Steve
On Thursday 22 October 2009 12:56:02 pm Steve Grubb wrote:
To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
It might be possible to port the patch to upstart. This is the patch in question:
Here's a srpm for anyone that wants to try this out.
http://people.redhat.com/sgrubb/files/upstart-0.3.11-2.fc11.src.rpm
No idea if it loads policy, but my system still boots with the patch applied. (I don't have a kernel with selinux enabled.)
-Steve
On Thu, 2009-10-22 at 15:20 -0400, Steve Grubb wrote:
On Thursday 22 October 2009 12:56:02 pm Steve Grubb wrote:
To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
It might be possible to port the patch to upstart. This is the patch in question:
Here's a srpm for anyone that wants to try this out.
http://people.redhat.com/sgrubb/files/upstart-0.3.11-2.fc11.src.rpm
No idea if it loads policy, but my system still boots with the patch applied. (I don't have a kernel with selinux enabled.)
Thanks Steve. I'll try to find some time to fiddle with it this weekend and report back.
On Thu, 2009-10-22 at 21:54 -0700, Per Nystrom wrote:
On Thu, 2009-10-22 at 15:20 -0400, Steve Grubb wrote:
On Thursday 22 October 2009 12:56:02 pm Steve Grubb wrote:
To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
It might be possible to port the patch to upstart. This is the patch in question:
Here's a srpm for anyone that wants to try this out.
http://people.redhat.com/sgrubb/files/upstart-0.3.11-2.fc11.src.rpm
No idea if it loads policy, but my system still boots with the patch applied. (I don't have a kernel with selinux enabled.)
Thanks Steve. I'll try to find some time to fiddle with it this weekend and report back.
I couldn't wait for the weekend. I compiled and installed your patched srpm and I think we're making progress. But now I get a whole lot of messages like below during boot and then it comes up in maintenance mode. From within maintenance mode I can do this:
(Repair filesystem) 1 # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
But I have nothing in /dev/ except console, null, and zero so I can't actually fsck root. Not that it really needs it -- when I reboot with selinux=0 it comes up normally and with a clean root filesystem.
So I can confirm that the patch doesn't break anything if selinux is disabled, but we're not quite there yet for selinux without initrd.
Thanks again, Per
-----
Welcome to Fedora
Press 'I' to enter interactive startup.
Starting udev: mount: wrong fs type, bad option, bad superblock on none,
       missing codepage or helper program, or other error
       (for several filesystems (e.g. nfs, cifs) you might
       need a /sbin/mount.<type> helper program)
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
mkdir: cannot create directory `/dev/pts': Read-only file system
mkdir: cannot create directory `/dev/shm': Read-only file system
ln: creating symbolic link `/dev/fd': Read-only file system
ln: creating symbolic link `/dev/stdin': Read-only file system
ln: creating symbolic link `/dev/stdout': Read-only file system
ln: creating symbolic link `/dev/stderr': Read-only file system
ln: creating symbolic link `/dev/core': Read-only file system
mkdir: cannot create directory `/dev/pts': Read-only file system
mkdir: cannot create directory `/dev/shm': Read-only file system
ln: creating symbolic link `/dev/MAKEDEV': Read-only file system
mkdir: cannot create directory `/dev/net': Read-only file system
/bin/mknod: `/dev/loop0': Read-only file system
/bin/chown: cannot access `/dev/loop0': No such file or directory
/bin/mknod: `/dev/loop1': Read-only file system
/bin/chown: cannot access `/dev/loop1': No such file or directory
/bin/mknod: `/dev/loop2': Read-only file system
/bin/chown: cannot access `/dev/loop2': No such file or directory
/bin/mknod: `/dev/loop3': Read-only file system
/bin/chown: cannot access `/dev/loop3': No such file or directory
/bin/mknod: `/dev/loop4': Read-only file system
/bin/chown: cannot access `/dev/loop4': No such file or directory
/bin/mknod: `/dev/loop5': Read-only file system
/bin/chown: cannot access `/dev/loop5': No such file or directory
/bin/mknod: `/dev/loop6': Read-only file system
/bin/chown: cannot access `/dev/loop6': No such file or directory
/bin/mknod: `/dev/loop7': Read-only file system
/bin/chown: cannot access `/dev/loop7': No such file or directory
/bin/mknod: `/dev/net/tun': No such file or directory
/bin/chown: cannot access `/dev/net/tun': No such file or directory
/bin/mknod: `/dev/ppp': Read-only file system
/bin/chown: cannot access `/dev/ppp': No such file or directory
/bin/mknod: `/dev/lp0': Read-only file system
/bin/chown: cannot access `/dev/lp0': No such file or directory
/bin/mknod: `/dev/lp1': Read-only file system
/bin/chown: cannot access `/dev/lp1': No such file or directory
/bin/mknod: `/dev/lp2': Read-only file system
/bin/chown: cannot access `/dev/lp2': No such file or directory
/bin/mknod: `/dev/lp3': Read-only file system
/bin/chown: cannot access `/dev/lp3': No such file or directory
/sbin/restorecon: stat error on /dev/loop0: No such file or directory
/sbin/restorecon: stat error on /dev/loop1: No such file or directory
/sbin/restorecon: stat error on /dev/loop2: No such file or directory
/sbin/restorecon: stat error on /dev/loop3: No such file or directory
/sbin/restorecon: stat error on /dev/loop4: No such file or directory
/sbin/restorecon: stat error on /dev/loop5: No such file or directory
/sbin/restorecon: stat error on /dev/loop6: No such file or directory
/sbin/restorecon: stat error on /dev/loop7: No such file or directory
/sbin/restorecon: stat error on /dev/net/tun: No such file or directory
/sbin/restorecon: stat error on /dev/ppp: No such file or directory
/sbin/restorecon: stat error on /dev/lp0: No such file or directory
/sbin/restorecon: stat error on /dev/lp1: No such file or directory
/sbin/restorecon: stat error on /dev/lp2: No such file or directory
/sbin/restorecon: stat error on /dev/lp3: No such file or directory
udevd[413]: rmdir(/dev/.udev) failed: Read-only file system
udevd[413]: rmdir(/dev/.udev) failed: Read-only file system
udevd-event[450]: unable to create db file '/dev/.udev/db/\x2fdevices \x2fdev:e8\x2frtc\x2frtc0': No such file or directory
..... many, many more udevd-event messages of the same type
On Thu, 2009-10-22 at 21:54 -0700, Per Nystrom wrote:
But now I get a whole lot of messages like below during boot and then it comes up in maintenance mode. From within maintenance mode I can do this:
(Repair filesystem) 1 # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
This is looking better. This means policy is loaded.
But I have nothing in /dev/ except console, null, and zero so I can't actually fsck root. Not that it really needs it -- when I reboot with selinux=0 it comes up normally and with a clean root filesystem.
I think your disk needs relabeling. You might need to do a
touch /.autorelabel
and then boot with selinux=permissive. You also might be able to just do
restorecon -i -r /
from the maintenance mode.
So I can confirm that the patch doesn't break anything if selinux is disabled, but we're not quite there yet for selinux without initrd.
One other question, is this ext3 and it has ACL enabled, too?
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
-Steve
On Fri, 2009-10-23 at 12:31 -0400, Steve Grubb wrote:
On Thu, 2009-10-22 at 21:54 -0700, Per Nystrom wrote:
But I have nothing in /dev/ except console, null, and zero so I can't actually fsck root. Not that it really needs it -- when I reboot with selinux=0 it comes up normally and with a clean root filesystem.
I think your disk needs relabeling. You might need to do a
touch /.autorelabel
I did this, but I don't think it ever gets to that point in the boot sequence.
and then boot with selinux=permissive. You also might be able to just do
restorecon -i -r /
from the maintenance mode.
I can't do anything from maintenance mode: the root filesystem is mounted read only but its block device doesn't exist under /dev:
(Repair filesystem) 3 # df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda               4128320   1224236   2694320  32% /
(Repair filesystem) 4 # ls -l /dev/sda
ls: cannot access /dev/sda: No such file or directory
So I can confirm that the patch doesn't break anything if selinux is disabled, but we're not quite there yet for selinux without initrd.
One other question, is this ext3 and it has ACL enabled, too?
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
Actually I'm on EXT2 right now but could easily change it to ext3. Here are the relative bits from my kernel .config:
egrep "(FS_XATTR|FS_POSIX_ACL|FS_SECURITY)" /var/tmp/linux-2.6.31.4/.config
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
# CONFIG_JFFS2_FS_XATTR is not set
-Per
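Steve's question about the ext3 xattr/ACL/security options and Per's egrep over the kernel .config amount to a checklist: the SELinux core must be built in, auditing on, and the filesystem that actually holds root must have extended attributes and security labels enabled. The script below is an added example (not from the thread or from any Fedora tooling) that runs that checklist against a .config for a chosen ext flavour. It assumes CONFIG_AUDIT is the option behind menuconfig's "Auditing support"; the other option names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config for the
# options this thread needed to get SELinux labelling working.
# Assumptions: CONFIG_AUDIT corresponds to "Auditing support" in menuconfig;
# the per-filesystem names follow CONFIG_<FS>_FS_{XATTR,POSIX_ACL,SECURITY}
# as in Per's egrep output.

# Options needed regardless of which filesystem holds the root.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is included because the thread relies on
# selinux=0 on the kernel command line to recover a non-booting system.
REQUIRED_OPTS="CONFIG_AUDIT CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_FS_POSIX_ACL"

# Return 0 if OPTION is set to y in FILE; "# OPTION is not set" or a missing
# line both count as disabled.
kconfig_enabled() {
    grep -q "^$2=y\$" "$1"
}

# Print "missing: OPTION" for every required option that is not =y and
# return 1 if any was missing. $2 is the root filesystem type (ext2/ext3/ext4,
# default ext3); its xattr, ACL and security-label options are checked too,
# which is what separates Per's ext2 root from the ext3 options Steve asked about.
check_selinux_kconfig() {
    cfg=$1
    fstype=${2:-ext3}
    fs=$(printf '%s' "$fstype" | tr 'a-z' 'A-Z')
    missing=0
    for opt in $REQUIRED_OPTS \
               "CONFIG_${fs}_FS_XATTR" \
               "CONFIG_${fs}_FS_POSIX_ACL" \
               "CONFIG_${fs}_FS_SECURITY"; do
        if ! kconfig_enabled "$cfg" "$opt"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# Convenience wrapper: report the filesystem type of the root mount from a
# /proc/mounts-style file (constructed input in the test), so the check can
# be pointed at the flavour actually in use rather than a guess.
root_fstype_from_mounts() {
    awk '$2 == "/" { print $3; exit }' "$1"
}
```

Usage on a build tree: check_selinux_kconfig /var/tmp/linux-2.6.31.4/.config "$(root_fstype_from_mounts /proc/mounts)"; a non-zero exit with "missing:" lines tells you which labels the kernel cannot store before you spend time on relabeling.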
On Friday 23 October 2009 01:24:44 pm Per Nystrom wrote:
But I have nothing in dev except console, null, and zero so I can't actually fsck root. Not that it really needs it -- when I reboot with selinux=0 it comes up normally and with a clean root filesystem.
I think your disk needs relabeling. You might need to do a
touch /.autorelabel
I did this, but I don't think it ever gets to that point in the boot sequence.
Just so everyone knows how this turned out...I worked with Per offline to see if we could come up with a solution that preserved the current boot method this project has set up. It looks like we've hit a dead end for the moment in getting SE Linux working.
However, in chatting with Dan Horák, he says that he has SE Linux working by using the kernels that he's been releasing. (See his announcements on this mail list.) The difference is that it uses a ramdisk during boot and that takes care of loading policy just like the main Fedora distribution does. This boot method would also need to be used if you ever wanted to run in the FIPS-140 mode.
-Steve