Re: selinux_init() is not executed in booting in kernel 5.15

Ondrej,

Yes.  https://github.com/ni/meta-selinux is used to manage SELinux in the Yocto environment.
SELinux is quite complex. After SELinux is enabled, I have to deal with the policy.

Another challenge is to find out which application causes a denied AVC message in /var/log/audit/audit.log.
Do you have any good suggestions for that challenge?

----henry 




On Wed, Aug 9, 2023 at 12:46 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
You mean https://github.com/ni/meta-selinux ? If so, none of us [Red
Hat SELinux engineers] works on it, AFAIK.


On Tue, Aug 8, 2023 at 8:03 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>
> Ondrej,
>
> Yes. My SELinux is finally enabled after CONFIG_LSM="integrity, selinux".
>
> Do you guys manage meta-selinux?
>
> ----henry
>
>
> On Tue, Aug 8, 2023 at 8:01 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>>
>> Oh, right, I completely overlooked the file attachment. Sorry!
>>
>> It seems your CONFIG_LSM is not set correctly. It is missing "selinux"
>> and the order seems wrong, but since you have most of the listed
>> modules disabled, you can set it to just:
>>
>> CONFIG_LSM="integrity,selinux"
>>
>> Then the kernel should boot with SELinux enabled.
>>
>> On Tue, Aug 8, 2023 at 4:26 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >
>> > Ondrej,
>> >
>> > Thanks for your help!
>> > I am using Yocto embedded to compile. The kernel config file is copied from /proc/config.gz on my Linux device.
>> > The kernel function selinux_init() is not triggered when booting up.
>> >
>> > ---henry
>> >
>> >
>> > On Tue, Aug 8, 2023 at 1:17 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>> >>
>> >> That is not a kernel config file. How are you building/installing the
>> >> kernel? What Linux distribution (Fedora/CentOS/Ubuntu/...) is this on?
>> >>
>> >> On Mon, Aug 7, 2023 at 6:29 PM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >> >
>> >> > Ondrej,
>> >> >
>> >> > Attached is my kernel configuration file.
>> >> > ~# cat /etc/selinux/config
>> >> > # This file controls the state of SELinux on the system.
>> >> > # SELINUX= can take one of these three values:
>> >> > #     enforcing - SELinux security policy is enforced.
>> >> > #     permissive - SELinux prints warnings instead of enforcing.
>> >> > #     disabled - No SELinux policy is loaded.
>> >> > SELINUX=enforcing
>> >> > # SELINUXTYPE= can take one of these values:
>> >> > #     minimum - Minimum Security protection.
>> >> > #     standard - Standard Security protection.
>> >> > #     mls - Multi Level Security protection.
>> >> > #     targeted - Targeted processes are protected.
>> >> > #     mcs - Multi Category Security protection.
>> >> > SELINUXTYPE=mcs
>> >> >
>> >> > # sestatus
>> >> > SELinux status:                 disabled
>> >> >
>> >> > # getenforce
>> >> > Disabled
>> >> >
>> >> > # setenforce 1
>> >> > setenforce: SELinux is disabled
>> >> >
>> >> > # dmesg|grep SELi
>> >> > [    5.604171] systemd[1]: Starting SELinux init for /dev service loading...
>> >> >
>> >> > # dmesg|grep SELI
>> >> > [    4.180494] systemd[1]: systemd 250.5+ running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP)
>> >> >
>> >> > "SELinux: Initializing" is not seen in dmesg.
>> >> >
>> >> > Please comment on what is missing.
>> >> > On Sat, Aug 5, 2023 at 1:12 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>> >> >>
>> >> >> On Sat, Aug 5, 2023 at 2:53 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
>> >> >> >
>> >> >> > Hi guys,
>> >> >> >
>> >> >> > I am porting SELinux from kernel 4.14 to 5.15. Everything works fine in kernel 4.14.
>> >> >> > I keep the same /etc/selinux/conf and kernel parameters to enable SELinux.
>> >> >> >
>> >> >> > But the selinux_init() is not executed when kernel 5.15 boots because no "SELinux: Initializing" is seen in dmesg.
>> >> >> >
>> >> >> > This selinux_init() is defined in http://tomoyo.osdn.jp/cgi-bin/lxr/source/security/selinux/hooks.c
>> >> >> >
>> >> >> > DEFINE_LSM(selinux) = {
>> >> >> >         .name = "selinux",
>> >> >> >         .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
>> >> >> >         .enabled = &selinux_enabled_boot,
>> >> >> >         .blobs = &selinux_blob_sizes,
>> >> >> >         .init = selinux_init,
>> >> >> > };
>> >> >> >
>> >> >> > My question is why the selinux_init() is not called when kernel 5.15 boots up?
>> >> >>
>> >> >> Hi Henry,
>> >> >>
>> >> >> Can you share your kernel build config? If you don't know what it is
>> >> >> or how to get it, then the next question would be: How did you
>> >> >> obtain/build the kernel in question?
>> >> >>
>> >> >> --
>> >> >> Ondrej Mosnacek
>> >> >> Senior Software Engineer, Linux Security - SELinux kernel
>> >> >> Red Hat, Inc.
>> >> >>
>> >>
>> >>
>> >> --
>> >> Ondrej Mosnacek
>> >> Senior Software Engineer, Linux Security - SELinux kernel
>> >> Red Hat, Inc.
>> >>
>>
>>
>> --
>> Ondrej Mosnacek
>> Senior Software Engineer, Linux Security - SELinux kernel
>> Red Hat, Inc.
>>


--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
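As an added example (not code from the thread or from the kernel), the following Python model reproduces the CONFIG_LSM handling that Ondrej's fix relies on: an LSM left out of CONFIG_LSM is disabled, and of the exclusive LSMs (selinux, apparmor, smack) only the first enabled one in the list has its init called, so selinux_init() never runs when "selinux" is missing or comes after another exclusive LSM. LSM and Kconfig names are the 5.15 ones; the `lsm=`, `security=` and `selinux=0` boot-parameter handling is simplified as the comments note.

```python
# Simulates how security/security.c in 5.15 turns CONFIG_LSM (or lsm=/security=
# boot parameters) into the list of LSMs whose .init runs. Assumed names only.
EXCLUSIVE = {"selinux", "apparmor", "smack"}           # LSM_FLAG_EXCLUSIVE
LEGACY_MAJOR = EXCLUSIVE | {"tomoyo"}                   # LSM_FLAG_LEGACY_MAJOR

# Kconfig symbol that builds each LSM into the kernel (5.15 names).
LSM_SYMBOLS = {
    "selinux": "CONFIG_SECURITY_SELINUX", "apparmor": "CONFIG_SECURITY_APPARMOR",
    "smack": "CONFIG_SECURITY_SMACK", "tomoyo": "CONFIG_SECURITY_TOMOYO",
    "yama": "CONFIG_SECURITY_YAMA", "loadpin": "CONFIG_SECURITY_LOADPIN",
    "safesetid": "CONFIG_SECURITY_SAFESETID", "landlock": "CONFIG_SECURITY_LANDLOCK",
    "lockdown": "CONFIG_SECURITY_LOCKDOWN_LSM", "integrity": "CONFIG_INTEGRITY",
    "bpf": "CONFIG_BPF_LSM",
}

def parse_config(config_text):
    """Return (CONFIG_LSM string, set of built-in LSM names) from .config text,
    e.g. the output of `zcat /proc/config.gz`."""
    opts = {}
    for line in config_text.splitlines():
        if line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip('"')
    built_in = {name for name, sym in LSM_SYMBOLS.items() if opts.get(sym) == "y"}
    return opts.get("CONFIG_LSM", ""), built_in

def resolve_lsm_order(config_lsm, built_in, cmdline=""):
    """Return (LSMs whose init runs, in order; chosen exclusive LSM or None)."""
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    order = params.get("lsm", config_lsm).split(",")   # lsm= replaces CONFIG_LSM
    enabled = set(built_in)
    if params.get("selinux") == "0":                   # needs SELINUX_BOOTPARAM=y
        enabled.discard("selinux")
    chosen_major = params.get("security")
    if chosen_major:                                   # security=X: other majors off
        enabled -= {m for m in LEGACY_MAJOR if m != chosen_major}
        order.append(chosen_major)                     # appended if not listed
    initialised, exclusive = ["capability"], None      # capability is always first
    for name in order:
        if name not in built_in or name not in enabled or name in initialised:
            continue                                   # unlisted/unknown => disabled
        if name in EXCLUSIVE:
            if exclusive:
                continue                               # second exclusive LSM is disabled
            exclusive = name
        initialised.append(name)
    return initialised, exclusive
```

Feed it the text of `zcat /proc/config.gz` plus `/proc/cmdline`; if the exclusive result is not "selinux", selinux_init() does not run, which is exactly the missing "SELinux:  Initializing" line in dmesg.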

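For the follow-up question about which application triggers a denial in /var/log/audit/audit.log, an added example (not from the thread): it parses AVC records, joins each with the SYSCALL record of the same event serial (the record that carries exe=), and counts denials per source domain and command. The log excerpt is constructed, not taken from Henry's device.

```python
import re
from collections import Counter

# Constructed audit.log excerpt so the parser runs offline: the first denial also
# has a SYSCALL record (same serial 456), which is where exe= comes from.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1691574000.123:456): avc:  denied  { read } for  pid=1234 comm="myapp" name="drift" dev="mmcblk0p2" ino=1045 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1691574000.123:456): arch=c00000b7 syscall=56 success=no exit=-13 ppid=1 pid=1234 uid=0 comm="myapp" exe="/usr/bin/myapp" subj=system_u:system_r:myapp_t:s0 key=(null)
type=AVC msg=audit(1691574011.500:470): avc:  denied  { write } for  pid=987 comm="ntpd" name="drift" dev="mmcblk0p2" ino=2231 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# One audit record: type, msg=audit(<timestamp>:<serial>), then key=value pairs.
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

def parse_denials(log_text):
    """Return one dict per AVC denial, joined with the SYSCALL record that shares
    its event serial (the record carrying exe=) when one is present."""
    avcs, syscalls = {}, {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC" and (p := PERMS_RE.search(body)):
            fields["perms"] = p.group(1).split()
            fields["timestamp"] = float(ts)
            avcs.setdefault(serial, []).append(fields)
        elif rtype == "SYSCALL":
            syscalls[serial] = fields
    denials = []
    for serial, records in avcs.items():
        exe = syscalls.get(serial, {}).get("exe")       # None when no SYSCALL record
        for f in records:
            denials.append({
                "serial": serial, "pid": int(f["pid"]), "comm": f["comm"], "exe": exe,
                "perms": f["perms"], "scontext": f["scontext"], "tcontext": f["tcontext"],
                "tclass": f["tclass"], "permissive": f.get("permissive") == "1",
            })
    return denials

def denials_by_source(denials):
    """Count denials per (source domain type, command): which program hits policy."""
    return Counter((d["scontext"].split(":")[2], d["comm"]) for d in denials)
```

On a real system `ausearch -m AVC -ts recent` and `audit2why` read the same fields; this shows what they extract and why enabling the SYSCALL records matters for getting the executable path rather than only comm=.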
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx