Ondrej,
Yes. https://github.com/ni/meta-selinux is used to manage SELinux in the Yocto environment. SELinux is quite complex. After SELinux is enabled, I have to deal with the policy.
Another challenge is to find out which application causes a denied AVC message in /var/log/audit/audit.log. Do you have any good suggestions for that challenge?
----henry
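Henry asks how to find which application produced a denied AVC record. The following is an added example, not from this thread or from meta-selinux: a small Python parser that reads audit.log, joins each AVC record with the SYSCALL record sharing its audit serial (which carries the exe path), and tallies denials per comm/exe/source context. The log lines are constructed; the field layout is the kernel's AVC/SYSCALL record format.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (not from the thread). Each audit event carries
# msg=audit(<time>:<serial>); the AVC record names the denied permission and the
# subject's comm/pid, and the paired SYSCALL record adds the exe path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1691560000.123:456): avc:  denied  { read } for  pid=812 comm="myapp" name="config.json" dev="mmcblk0p2" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1691560000.123:456): arch=c00000b7 syscall=56 success=no exit=-13 ppid=1 pid=812 comm="myapp" exe="/usr/bin/myapp" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1691560001.500:457): avc:  denied  { write } for  pid=812 comm="myapp" name="state" dev="mmcblk0p2" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1691560001.500:457): arch=c00000b7 syscall=34 success=no exit=-13 ppid=1 pid=812 comm="myapp" exe="/usr/bin/myapp" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1691560002.000:458): avc:  denied  { connect } for  pid=901 comm="netd" scontext=system_u:system_r:netd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=1
"""

EVENT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'pid=812 comm="myapp" ...' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_denials(log_text):
    """Return one dict per AVC denial, joined with its SYSCALL record's exe."""
    denials, exe_by_serial = [], {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        if m['type'] == 'SYSCALL':
            exe_by_serial[m['serial']] = parse_fields(m['body']).get('exe')
        elif m['type'] == 'AVC':
            avc = AVC_RE.search(m['body'])
            if avc:
                rec = parse_fields(avc['fields'])
                rec.update(serial=m['serial'], perms=avc['perms'].split())
                denials.append(rec)
    for rec in denials:  # SYSCALL may follow its AVC line, so join after the pass
        rec['exe'] = exe_by_serial.get(rec['serial'])
    return denials


def denials_by_app(denials):
    """Count denials per (comm, exe, scontext) so the offending program stands out."""
    return Counter((d['comm'], d['exe'], d['scontext']) for d in denials)


if __name__ == '__main__':
    for (comm, exe, ctx), n in denials_by_app(parse_denials(SAMPLE_AUDIT_LOG)).most_common():
        print(f'{n:3d} denial(s)  comm={comm} exe={exe} scontext={ctx}')
```

On a real device, read /var/log/audit/audit.log into parse_denials; a denial with permissive=1 was logged but not blocked, which is the case when the domain is running in permissive mode.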
On Wed, Aug 9, 2023 at 12:46 AM Ondrej Mosnacek omosnace@redhat.com wrote:
You mean https://github.com/ni/meta-selinux ? If so, none of us [Red Hat SELinux engineers] works on it, AFAIK.
On Tue, Aug 8, 2023 at 8:03 PM Henry Zhang henryzhang62@gmail.com wrote:
Ondrej,
Yes, my SELinux is finally enabled after CONFIG_LSM="integrity, selinux".
Do you guys manage meta-selinux?
----henry
On Tue, Aug 8, 2023 at 8:01 AM Ondrej Mosnacek omosnace@redhat.com wrote:
Oh, right, I completely overlooked the file attachment. Sorry!
It seems your CONFIG_LSM is not set correctly. It is missing "selinux" and the order seems wrong, but since you have most of the listed modules disabled, you can set it to just:
CONFIG_LSM="integrity,selinux"
Then the kernel should boot with SELinux enabled.
On Tue, Aug 8, 2023 at 4:26 PM Henry Zhang henryzhang62@gmail.com wrote:
Ondrej,
Thanks for your help! I am using Yocto embedded to compile. The kernel config file is copied from /proc/config.gz in my Linux device.
The kernel function selinux_init() is not triggered when booting up.
---henry
On Tue, Aug 8, 2023 at 1:17 AM Ondrej Mosnacek omosnace@redhat.com wrote:
That is not a kernel config file. How are you building/installing the kernel? What Linux distribution (Fedora/CentOS/Ubuntu/...) is this on?
On Mon, Aug 7, 2023 at 6:29 PM Henry Zhang henryzhang62@gmail.com wrote:
Ondrej,
Attached is my kernel configuration file.

~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
# minimum - Minimum Security protection.
# standard - Standard Security protection.
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
SELINUXTYPE=mcs

# sestatus
SELinux status: disabled

# getenforce
Disabled

# setenforce 1
setenforce: SELinux is disabled

# dmesg|grep SELi
[ 5.604171] systemd[1]: Starting SELinux init for /dev service loading...

# dmesg|grep SELI
[ 4.180494] systemd[1]: systemd 250.5+ running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP)

"SELinux: Initializing" is not seen in dmesg.
Please comment on what is missing?

On Sat, Aug 5, 2023 at 1:12 AM Ondrej Mosnacek omosnace@redhat.com wrote:
On Sat, Aug 5, 2023 at 2:53 AM Henry Zhang henryzhang62@gmail.com wrote:
Hi guys,
I am porting selinux from kernel 4.14 to 5.15. Everything works fine in kernel 4.14.
I keep the same /etc/selinux/conf and kernel parameters to enable SELinux.
But the selinux_init() is not executed when kernel 5.15 boots because no "SELinux: Initializing" is seen in dmesg.
This selinux_init() is defined in http://tomoyo.osdn.jp/cgi-bin/lxr/source/security/selinux/hooks.c

DEFINE_LSM(selinux) = {
	.name = "selinux",
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
	.enabled = &selinux_enabled_boot,
	.blobs = &selinux_blob_sizes,
	.init = selinux_init,
};

My question is why the selinux_init() is not called when kernel 5.15 boots up?

Hi Henry,
Can you share your kernel build config? If you don't know what it is or how to get it, then the next question would be: How did you obtain/build the kernel in question?
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.