Need information for building embedded system.

Dominick Grift dominick.grift at gmail.com
Tue Oct 22 18:11:14 UTC 2013


On Tue, 2013-10-22 at 11:45 -0500, Don Hoefer wrote:
>  We are building an embedded system where the customer is requiring
> SELinux.  It is our own hardware so we build our own kernel and
> drivers and use the ext2, jfs and tmpfs file systems.  This is not
> new for us, but incorporating SELinux is.
> 
> 
>  Does anyone know of a good knowledge resource for building embedded
> systems with SELinux?

http://selinuxproject.org/page/Main_Page

> 
> We are currently plowing through a frustrating step ahead/step back
> process.  We have SELinux running but it seems to be broken, for
> example one of our problems is that ls -Z shows "?" for SELinux file
> contexts:
> root@generic-powerpc:/# getfattr -m . -d var
> # file: var
> security.selinux="system_u:object_r:var_t"
> 
> root@generic-powerpc:/# ls -Z
> ? bin  ? boot  ? dev  ? etc  ? home  ? lib  ?lost+found  ? media  ?
> mnt  ? proc  ? sbin  ?selinux  ? share  ? sys  ? tmp  ? usr  ?
> var  ?www
> 
> We were unsuccessful building policies on any of our development
> systems (Ubuntu/Debian based) but we are now using a Fedora 19 system
> and that is looking promising.

I wonder what problems you were having on Debian.

> 
> Any pointers or help would be appreciated.

I just recently played a bit with SELinux for embedded systems (also on
Debian), and for the most part it worked fine.

There are plenty of "gotchas" though, and it helps if you know SELinux well.

You can create a nice lean monolithic policy, but some of the tools you
need are part of the policycoreutils package, which is bloated with
modular-policy-specific utils.

(The policycoreutils package should be split up into "core"/"not core".)

I believe I might be able to give good tips, advice, and guidance, but I
can't suggest much without information about your requirements, what
you've been trying, etc.

What I can already tell you is that there is a program called mdp in the
kernel source tree that generates a "dummy" policy. It's very small and
probably a good start for someone not familiar with SELinux policy.

There are some bugs in the program though, and the policy it generates
will not work without at least one change to it.

I can also recommend the book "SELinux by Example". It touches on some
of the fundamentals (much of the information is also on
selinuxproject.org though).

I would also send this question to the selinux mailing list, because the
seandroid maintainer is reading that, and seandroid is a good example of
using SELinux on systems with very limited resources. He might also be
able to give good advice.

> 
> Don Hoefer
> 
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
