You mean https://github.com/ni/meta-selinux ? If so, none of us [Red
Hat SELinux engineers] works on it, AFAIK.

On Tue, Aug 8, 2023 at 8:03 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>
> Ondrej,
>
> Yes. my SELINUX is enabled finally after CONFIG_LSM="integrity, selinux".
>
> Do you guys manage meta-selinux?
>
> ----henry
>
>
> On Tue, Aug 8, 2023 at 8:01 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>>
>> Oh, right, I completely overlooked the file attachment. Sorry!
>>
>> It seems your CONFIG_LSM is not set correctly. It is missing "selinux"
>> and the order seems wrong, but since you have most of the listed
>> modules disabled, you can set it to just:
>>
>> CONFIG_LSM="integrity,selinux"
>>
>> Then the kernel should boot with SELinux enabled.
>>
>> On Tue, Aug 8, 2023 at 4:26 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >
>> > Ondrej,
>> >
>> > Thanks for your help!
>> > I am using Yocto embedded to compile. The kernel config file is copied from /proc/config.gz in my linux device.
>> > The kernel function selinux_init() is not triggered when booting up.
>> >
>> > ---henry
>> >
>> >
>> > On Tue, Aug 8, 2023 at 1:17 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>> >>
>> >> That is not a kernel config file. How are you building/installing the
>> >> kernel? What Linux distribution (Fedora/CentOS/Ubuntu/...) is this on?
>> >>
>> >> On Mon, Aug 7, 2023 at 6:29 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >> >
>> >> > Ondrej,
>> >> >
>> >> > Attached is my kernel configuration file.
>> >> > ~# cat /etc/selinux/config
>> >> > # This file controls the state of SELinux on the system.
>> >> > # SELINUX= can take one of these three values:
>> >> > # enforcing - SELinux security policy is enforced.
>> >> > # permissive - SELinux prints warnings instead of enforcing.
>> >> > # disabled - No SELinux policy is loaded.
>> >> > SELINUX=enforcing
>> >> > # SELINUXTYPE= can take one of these values:
>> >> > # minimum - Minimum Security protection.
>> >> > # standard - Standard Security protection.
>> >> > # mls - Multi Level Security protection.
>> >> > # targeted - Targeted processes are protected.
>> >> > # mcs - Multi Category Security protection.
>> >> > SELINUXTYPE=mcs
>> >> >
>> >> > # sestatus
>> >> > SELinux status: disabled
>> >> >
>> >> > # getenforce
>> >> > Disabled
>> >> >
>> >> > # setenforce 1
>> >> > setenforce: SELinux is disabled
>> >> >
>> >> > # dmesg|grep SELi
>> >> > [ 5.604171] systemd[1]: Starting SELinux init for /dev service loading...
>> >> >
>> >> > # dmesg|grep SELI
>> >> > [ 4.180494] systemd[1]: systemd 250.5+ running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP)
>> >> >
>> >> > "SELInux: Initializing" is not seen in dmesg.
>> >> >
>> >> > Please comment on what is missing?
>> >> > On Sat, Aug 5, 2023 at 1:12 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>> >> >>
>> >> >> On Sat, Aug 5, 2023 at 2:53 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >> >> >
>> >> >> > Hi guys,
>> >> >> >
>> >> >> > I am porting selinux from kernel 4.14 to 5.15. Everything works fine in kernel 4.14.
>> >> >> > keep same /etc/selinux/conf and kernel parameters to enable SELinux.
>> >> >> >
>> >> >> > But the selinux_init() is not executed when kernel 5.15 boots because no "SELinux: Initializing" is seen in dmesg.
>> >> >> >
>> >> >> > This selinux_init() is defined in http://tomoyo.osdn.jp/cgi-bin/lxr/source/security/selinux/hooks.c
>> >> >> >
>> >> >> > DEFINE_LSM(selinux) = {
>> >> >> >         .name = "selinux",
>> >> >> >         .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
>> >> >> >         .enabled = &selinux_enabled_boot,
>> >> >> >         .blobs = &selinux_blob_sizes,
>> >> >> >         .init = selinux_init,
>> >> >> > };
>> >> >> >
>> >> >> > My question is why the selinux_init() is not called when kernel 5.15 boots up?
>> >> >>
>> >> >> Hi Henry,
>> >> >>
>> >> >> Can you share your kernel build config? If you don't know what it is
>> >> >> or how to get it, then the next question would be: How did you
>> >> >> obtain/build the kernel in question?
>> >> >>
>> >> >> --
>> >> >> Ondrej Mosnacek
>> >> >> Senior Software Engineer, Linux Security - SELinux kernel
>> >> >> Red Hat, Inc.
>> >> >>
>> >>
>> >>
>> >> --
>> >> Ondrej Mosnacek
>> >> Senior Software Engineer, Linux Security - SELinux kernel
>> >> Red Hat, Inc.
>> >>
>>
>>
>> --
>> Ondrej Mosnacek
>> Senior Software Engineer, Linux Security - SELinux kernel
>> Red Hat, Inc.
>>

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
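
The check this thread converges on, as an added example that is not part of the original messages: given a plain-text kernel config (for instance the output of `zcat /proc/config.gz`) and optionally the kernel command line, it reports whether "selinux" is in the effective LSM list. The function name `check_selinux_lsm`, its verdict strings and the "broken" CONFIG_LSM value are assumptions made for illustration; the attachment from the thread is not on the page.

```shell
#!/bin/sh
# Added example (not from the thread): report whether SELinux is in the
# effective LSM list of a kernel that uses CONFIG_LSM (5.1 and later).
# Usage: check_selinux_lsm CONFIG_FILE [CMDLINE]
#   CONFIG_FILE  plain-text kernel config, e.g. from `zcat /proc/config.gz`
#   CMDLINE      kernel command line, e.g. the contents of /proc/cmdline
check_selinux_lsm() {
    cfg=$1
    cmdline=${2:-}
    # SELinux has to be compiled in before any list matters.
    grep -q '^CONFIG_SECURITY_SELINUX=y$' "$cfg" || { echo not-built; return 1; }
    # Build-time default: CONFIG_LSM="name,name,..."
    lsm_list=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    # An lsm= boot parameter replaces the build-time list.
    for arg in $cmdline; do
        case $arg in lsm=*) lsm_list=${arg#lsm=} ;; esac
    done
    # Exact match on the comma-separated names.
    case ",$lsm_list," in
        *,selinux,*) echo enabled; return 0 ;;
        *) echo not-in-lsm-list; return 1 ;;
    esac
}

# Constructed sample configs (hypothetical values, except the fixed
# CONFIG_LSM line, which is the one suggested in the thread).
demo_dir=$(mktemp -d)
cat > "$demo_dir/broken.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="lockdown,yama,integrity"
EOF
cat > "$demo_dir/fixed.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="integrity,selinux"
EOF
for f in broken fixed; do
    printf '%s: %s\n' "$f" "$(check_selinux_lsm "$demo_dir/$f.config" || true)"
done
```

On a running system with securityfs mounted, `cat /sys/kernel/security/lsm` shows the LSMs that actually initialized, which confirms the result after a rebuild.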