On Tue, 2013-10-22 at 11:45 -0500, Don Hoefer wrote:
> We are building an embedded system where the customer is requiring
> SELinux. It is our own hardware so we build our own kernel and
> drivers and use the ext2, jfs and tmpfs file systems. This is not
> new for us, but incorporating SELinux is.
> Does anyone know of a good knowledge resource for building embedded
> systems with SELinux?
> We are currently plowing through a frustrating step ahead/step back
> process. We have SELinux running but it seems to be broken; for
> example, one of our problems is that ls -Z shows "?" for SELinux file
> root@generic-powerpc:/#getfattr -m . -d var
> # file: var
> root@generic-powerpc:/# ls -Z
> ? bin ? boot ? dev ? etc ? home ? lib ?lost+found ? media ?
> mnt ? proc ? sbin ?selinux ? share ? sys ? tmp ? usr ?
> We were unsuccessful building policies on any of our development
> systems (Ubuntu/Debian based) but we are now using a Fedora 19 system
> and that is looking promising.

I wonder what problems you were having on Debian.

> Any pointers or help would be appreciated.

I just recently played a bit with SELinux for embedded systems (also on
Debian), and for the most part it worked fine.
There are plenty of "gotchas" though, and it helps if you know SELinux well.
You can create a nice lean monolithic policy, but some of the tools you
need are part of the policycoreutils package, which is bloated with
modular-policy-specific utils.
( the policycoreutils package should be split up in "core"/"not core"
I believe I might be able to give good tips, advice, and guidance, but I
can't suggest much without information about your requirements, what
you've been trying, etc.
What I can already tell you is that there is a program called mdp in the
kernel source tree that generates a "dummy" policy. It's very small and
probably a good start for someone not familiar with SELinux policy.
There are some bugs in the program though, and the policy it generates
will not work without at least one change to it.
I can also recommend the book "SELinux by example". It touches on some
of the fundamentals (much of the information is also on
I would also send this question to the selinux maillist because the
seandroid maintainer is reading that, and seandroid is a good example of
using SELinux on systems with very limited resources. He might also be
able to give good advice.
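
The symptom in the quoted message (getfattr prints no attributes, ls -Z prints "?") can be narrowed down per file. The following is an added example, not part of the original thread: it reads security.selinux directly and separates "no label stored" (ENODATA) from "xattrs not supported on this filesystem" (ENOTSUP). The names label_status and survey are hypothetical.

```python
#!/usr/bin/env python3
"""Count filesystem entries by SELinux label status (added example)."""
import errno
import os
import sys

XATTR = "security.selinux"  # xattr in which a file's SELinux context is stored


def label_status(path, getxattr=getattr(os, "getxattr", None)):
    """Classify one path: labeled, unlabeled, unsupported or error."""
    try:
        raw = getxattr(path, XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return "unlabeled", ""    # xattrs work, but no label is stored
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported", ""  # this filesystem cannot store the xattr
        return "error", exc.strerror or ""
    # The stored context is NUL-terminated.
    return "labeled", raw.rstrip(b"\0").decode("ascii", "replace")


def survey(root, getxattr=getattr(os, "getxattr", None)):
    """Walk one filesystem below root and count entries per status."""
    counts = {"labeled": 0, "unlabeled": 0, "unsupported": 0, "error": 0}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not cross mount points such as /proc and /sys.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            status, _ = label_status(path, getxattr)
            counts[status] += 1
    return counts


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for status, n in survey(root).items():
        print(f"{status:12} {n}")
```

A tree that is all "unsupported" points at the kernel or filesystem build, while all "unlabeled" means the xattrs work but the files were never labeled.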