KaiGai said:
I guess selinuxfs is not mounted.
I unmounted and remounted /selinux after I copied the new libselinux.so.1 onto the device. sestatus still returns disabled.
I also have the following in /etc/fstab:
selinux /selinux selinuxfs noauto 0 0
KaiGai said:
If your /sbin/init is implemented using busybox, consider turning on
the "SELinux support" option
/sbin/init is implemented using busybox, but I'm not sure if the SELinux support option is turned on. I will have to check on this in the morning.
Russell said:
What exactly is the output of "sestatus"?
The output of sestatus is:
SELinux status: disabled
Justin said:
Do an ldd /sbin/init; you should see libsepol and libselinux. If not, install sysvinit.
The output from ldd /sbin/init is:
libc.so.6 => /lib/libc.so.6 (0x40025000)
/lib/ld-linux.so.3 (0x40000000)
Oddly enough this is also the output when sestatus reports SELinux as enabled. sysvinit is installed.
in grub.conf put selinux=1 enforcing=1/0 <~~~1=on 0=off
I rebooted with the boot parameters appended, but still sestatus reports SELinux as disabled. Even stranger is dmesg has the following:
....
Security Framework initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
.......
SELinux: Registering netfilter hooks
io scheduler noop registered
io scheduler deadline registered (default)
......
It is late here right now =)). I will try the strace on sestatus tomorrow morning.
-Willis
On Tue, Jul 15, 2008 at 8:54 PM, KaiGai Kohei <kaigai@xxxxxxxxxxxxx> wrote:
Willis,
I guess selinuxfs is not mounted.
In an SELinux environment, /sbin/init is extended to mount selinuxfs
on /selinux. This enables communication between the kernel and userspace.
If your /sbin/init is implemented using busybox, consider turning on
the "SELinux support" option and making a /selinux directory on your jffs2 image.
Willis Vandevanter wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello All,
I am working on developing a targeted SELinux policy for
OpenMoko devices (www.openmoko.org <http://www.openmoko.org>) as a Google Summer Of Code project
(http://code.google.com/p/selinux-openmoko/).
Background:
I have cross-compiled the necessary SELinux code (libselinux-1.34.15,
checkpolicy-1.34.7, libsemanage-1.10.9, libsepol-1.16.14,
policycoreutils-1.34.16) and developed a very basic targeted policy. I
ported the code on to the device. The policy compiles (make) and
installs (make install).
Where I am stuck:
When cross-compiling libselinux I get some strange behavior.
Specifically, I compiled libselinux with the following flags:
make
CC=/usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/bin/cc ARCH=arm
LIBDIR=/usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/lib
I then copied the new libselinux.so.1 on to the device. sestatus
returns that SELinux is enabled and lists the correct policy version,
Is it your host environment, isn't it?
etc. *BUT* make relabel doesn't work. make relabel (or setfiles) gives
the following error:
file_contexts/file_contexts: Invalid argument make: *** [relabel] Error 1
The error seems to be that file_contexts is not being interpreted as a
regular file (i.e. S_ISREG(sb.st_mode) in setfiles.c is returning 0).
I assume this is because I compiled libselinux without the OpenMoko
specific header files (ie with my host-x86 /usr/include rather than
the device specific ones), so I re-compiled libselinux:
make
CC=/usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/bin/cc ARCH=arm
LIBDIR=/usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/lib
INCLUDEDIR=/usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include
I then copied libselinux.so.1 on to the device. setfiles will now
correctly label the filesystem, but sestatus now returns SELinux as
disabled. I set /etc/selinux/config file to permissive and rebooted,
but it is still listed as disabled.
How is SELinux determined to be enabled? Could missing or
mis-configured header files in the OpenMoko /usr/include cause SELinux
to appear as disabled?
I apologize for the long email. The policy I am using is available at
http://code.google.com/p/selinux-openmoko/. The cross-compiled
binaries are also available. I am using a 2.6.24.7 kernel with SELinux
and JFFS2 XATTR enabled.
Thank you for your help,
Willis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIfSH2qCokMvr1WNARAuJdAJ0Q9iWp7+V0jTxen92WfE8RFnpJeACgiRyX
vAFzngclbVPHIZ/YckQi3Sg=
=P7dW
-----END PGP SIGNATURE-----
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
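
An added example, not part of the original thread or of any project named in it: a POSIX sh diagnostic that separates the cases discussed above, namely whether the kernel registers selinuxfs (the dmesg lines), whether selinuxfs is actually mounted (KaiGai's guess), and whether the fstab entry is marked noauto as in the line quoted above. The function names and verdict strings are made up for this example, and a "mounted" verdict covers only the mount, not whether a policy is loaded.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. File arguments default to the live
# paths so the same checks run on the device or against saved copies.

# Kernel side: is selinuxfs registered? Lines look like "nodev<TAB>selinuxfs".
kernel_has_selinuxfs() {
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' \
        "${1:-/proc/filesystems}"
}

# Userspace side: print where selinuxfs is mounted, fail if it is not.
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; found = 1; exit } END { exit !found }' \
        "${1:-/proc/mounts}"
}

# Is the selinuxfs fstab entry marked noauto, so "mount -a" skips it?
fstab_noauto() {
    awk '$1 !~ /^#/ && $3 == "selinuxfs" && $4 ~ /(^|,)noauto(,|$)/ { found = 1 }
         END { exit !found }' "${1:-/etc/fstab}"
}

# usage: diagnose [filesystems-file] [mounts-file] [fstab-file]
# Prints one verdict (strings are this example's own) and returns 0 only
# when selinuxfs is mounted.
diagnose() {
    if ! kernel_has_selinuxfs "${1:-/proc/filesystems}"; then
        echo "kernel-no-selinuxfs"; return 1
    fi
    if mp=$(selinuxfs_mountpoint "${2:-/proc/mounts}"); then
        echo "mounted:$mp"; return 0
    fi
    if fstab_noauto "${3:-/etc/fstab}"; then
        echo "not-mounted:fstab-noauto"
    else
        echo "not-mounted"
    fi
    return 2
}
# On the device, run: diagnose
```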