Ondrej,
Thanks for your help!
I am using Yocto embedded to compile. The kernel config file is copied from /proc/config.gz in my linux device.
The kernel function selinux_init() is not triggered when booting up.
---henry
On Tue, Aug 8, 2023 at 1:17 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
That is not a kernel config file. How are you building/installing the
kernel? What Linux distribution (Fedora/CentOS/Ubuntu/...) is this on?
On Mon, Aug 7, 2023 at 6:29 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>
> Ondrej,
>
> Attached is my kernel configuration file.
> ~# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these values:
> # minimum - Minimum Security protection.
> # standard - Standard Security protection.
> # mls - Multi Level Security protection.
> # targeted - Targeted processes are protected.
> # mcs - Multi Category Security protection.
> SELINUXTYPE=mcs
>
> # sestatus
> SELinux status: disabled
>
> # getenforce
> Disabled
>
> # setenforce 1
> setenforce: SELinux is disabled
>
> # dmesg|grep SELi
> [ 5.604171] systemd[1]: Starting SELinux init for /dev service loading...
>
> # dmesg|grep SELI
> [ 4.180494] systemd[1]: systemd 250.5+ running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP)
>
> "SELinux: Initializing" is not seen in dmesg.
>
> Please comment on what is missing?
> On Sat, Aug 5, 2023 at 1:12 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>>
>> On Sat, Aug 5, 2023 at 2:53 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >
>> > Hi guys,
>> >
>> > I am porting selinux from kernel 4.14 to 5.15. Everything works fine in kernel 4.14.
>> > I keep the same /etc/selinux/conf and kernel parameters to enable SELinux.
>> >
>> > But the selinux_init() is not executed when kernel 5.15 boots because no "SELinux: Initializing" is seen in dmesg.
>> >
>> > This selinux_init() is defined in http://tomoyo.osdn.jp/cgi-bin/lxr/source/security/selinux/hooks.c
>> >
>> > DEFINE_LSM(selinux) = {
>> >         .name = "selinux",
>> >         .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
>> >         .enabled = &selinux_enabled_boot,
>> >         .blobs = &selinux_blob_sizes,
>> >         .init = selinux_init,
>> > };
>> >
>> > My question is why the selinux_init() is not called when kernel 5.15 boots up?
>>
>> Hi Henry,
>>
>> Can you share your kernel build config? If you don't know what it is
>> or how to get it, then the next question would be: How did you
>> obtain/build the kernel in question?
>>
>> --
>> Ondrej Mosnacek
>> Senior Software Engineer, Linux Security - SELinux kernel
>> Red Hat, Inc.
>>
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
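
One way to narrow down a case like the one in this thread, as an added example that is not part of the original messages or the kernel source: a shell check of the build config and boot parameters that decide whether the LSM framework calls an LSM's `.init` on kernels with `CONFIG_LSM`. The function names, verdict strings and sample config are made up for illustration, and the model is simplified.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Simplified model of LSM selection in
# security/security.c on kernels that have CONFIG_LSM (5.1 and later).

# cfg FILE KEY: print the value of KEY in a kernel .config, quotes stripped.
cfg() { sed -n "s/^$2=//p" "$1" | tr -d '"'; }

# arg CMDLINE NAME: print the value of the last NAME=... boot parameter.
arg() (
    set -f; v=
    for a in $1; do case $a in "$2="*) v=${a#*=} ;; esac; done
    printf '%s' "$v"
)

# selinux_boot_verdict CONFIG CMDLINE: print whether selinux_init() would run.
# Assumption: smack/apparmor count as enabled whenever they are built in.
selinux_boot_verdict() (
    [ "$(cfg "$1" CONFIG_SECURITY_SELINUX)" = y ] || { echo not-built; exit; }
    if [ "$(cfg "$1" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = y ] &&
       [ "$(arg "$2" selinux)" = 0 ]; then echo disabled-by-selinux=0; exit; fi
    order=$(arg "$2" lsm); major=$(arg "$2" security)
    if [ -z "$order" ]; then
        order=$(cfg "$1" CONFIG_LSM)
        # security= is honoured only when lsm= is absent; it keeps the named
        # legacy major LSM and disables the others.
        case $major in
            '') ;;
            selinux) echo enabled; exit ;;
            *) echo disabled-by-security=; exit ;;
        esac
    fi
    # The first built-in exclusive LSM in the list takes the single slot.
    for l in $(printf '%s' "$order" | tr ',' ' '); do
        case $l in
            selinux) echo enabled; exit ;;
            smack) k=CONFIG_SECURITY_SMACK ;;
            apparmor) k=CONFIG_SECURITY_APPARMOR ;;
            *) continue ;;
        esac
        [ "$(cfg "$1" "$k")" != y ] || { echo "lost-exclusive-slot-to-$l"; exit; }
    done
    echo not-in-lsm-list
)

# Constructed sample: SELinux built in but missing from CONFIG_LSM.
sample=$(mktemp)
printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' \
    'CONFIG_LSM="lockdown,yama,integrity"' > "$sample"
selinux_boot_verdict "$sample" 'console=ttyS0 rw'   # prints not-in-lsm-list
```

On a target, pass the unpacked /proc/config.gz and the contents of /proc/cmdline as the two arguments. With securityfs mounted, /sys/kernel/security/lsm lists the LSMs the running kernel actually initialized.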