Re: working linux and busybox versions

2010/3/18 KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
(2010/03/17 17:27), Manvendra Pratap Singh wrote:
>
>
> 2010/3/17 KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
>
>     (2010/03/17 16:12), Manvendra Pratap Singh wrote:
>      > Hi KaiGai,
>      >
>      > I checked /etc/selinux/base_policy/contexts/default_contexts and
>      > /etc/selinux/base_policy/contexts/users/root both in my rootfs and it is
>      > in the correct place. But it is still giving me the same SID problem.
>      > Please give some idea.
>
>     Does it have the correct format? Does it contain an entry which matches
>     the security context of your logind daemon?
>
>     If your policy does not define domain-transitions appropriately,
>     all the processes may work with kernel_t, init_t or initrc_t.
>     If so, get_default_context() cannot find the configured entry.
>
>
> I am very new to SELinux, so I may not be able to answer all your
> questions correctly. I compiled base policy and then included it in my
> rootfs (at /etc/selinux/base_policy). I compiled busybox-1.13.0 and
> 2.6.29 linux-kernel with SELinux support. I faced a lot of errors and
> problems while compiling busybox with SELinux (utilities) support.

What kind of errors did you see?
If we cannot build busybox with SELinux support in the recent releases,
we need to fix them.



This time I tried with busybox-1.11.3, Please have a look at the errors:

manav@manav-desktop:busybox-1.11.3$ make ARCH=arm CROSS_CONFIG=arm-none-linux-gnueabi-          
  SPLIT   include/autoconf.h -> include/config/*
  GEN     include/bbconfigopts.h
  HOSTCC  applets/usage
applets/usage.c: In function 'main':
applets/usage.c:27: warning: ignoring return value of 'write', declared with attribute warn_unused_result
  GEN     include/usage_compressed.h
  HOSTCC  applets/applet_tables
In file included from applets/../include/busybox.h:10,
                 from applets/applet_tables.c:16:
applets/../include/libbb.h:56:29: error: selinux/selinux.h: No such file or directory
applets/../include/libbb.h:57:29: error: selinux/context.h: No such file or directory
applets/../include/libbb.h:58:27: error: selinux/flask.h: No such file or directory
applets/../include/libbb.h:59:36: error: selinux/av_permissions.h: No such file or directory
In file included from applets/../include/busybox.h:10,
                 from applets/applet_tables.c:16:
applets/../include/libbb.h:1007: error: expected ')' before 'sid'
applets/../include/libbb.h:1008: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'set_security_context_component'
applets/../include/libbb.h:1010: error: expected ')' before 'scontext'
make[1]: *** [applets/applet_tables] Error 1
make: *** [applets] Error 2



 
> then
> I booted beagle. And faced above problem. I did not try any extra code
> other than base_policy, because initially I wanted to see the kernel
> booting with SELinux support and working SELinux utilities provided by
> busybox.
>
>     What is your policy type? The standard reference policy?, or others?
>
>
> I think my policy is standard reference policy.

Hmm... It seems to me the reason for the matter is still unclear.

Could you check the following items at least?
- The security policy was correctly loaded?
 If OK, the kernel exports log messages as Stephen noted.


yes, I will surely check for this, and let you know the results.
 

- What kind of matter you faced when you build busybox and libselinux?
 If you modified the code, what kind of changes were applied?

- Is the filesystem correctly labeled?
 If files don't have valid security context, SELinux considers all the
 files have "unlabeled_t" context, but it is not expected for reference
 policy.

Right now, I doubt your /sbin/init could not load the security policy
correctly. SELinux performs permissive mode, if it failed to load the
policy. So, you can see the login prompt without any fails, because it
means bootstrap sequence was correctly done.

Also note that the /sbin/init applet of busybox also supports loading the
policy at first. If you applied a different binary, it needs to be replaced.

I have replaced the binary.

Thanks guys for your support, let me come up with results.
 

Thanks,

>     Thanks,
>
>      > On Wed, Mar 17, 2010 at 11:38 AM, Manvendra Pratap Singh
>      > <manav.emb@xxxxxxxxx> wrote:
>      >
>      >     Thanks for reply KaiGai Kohei, I will follow your suggestion
>     and let
>      >     you know about it.
>      >
>      >     ---
>      >     Manav
>      >     Hyderabad
>      >
>      >     2010/3/17 KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
>      >
>      >         (2010/03/17 13:22), Manvendra Pratap Singh wrote:
>      > > Can anyone suggest me a good guide for SELinux on omap3 (beagleboard). I
>      > > tried it myself but I am not able to login after booting. On logging in
>      > > root I get a msg "Can't get SID for root". Please help me on this
>      > > issue.  Here take a look at boot-log.
>      > >
>      > >
>      > > [    0.000000] Security Framework initialized
>      > > [    0.000000] SELinux:  Initializing.
>      > >
>      > >
>      > > beagleboard login: root
>      > > login: can't get SID for root
>      >
>      >         This message comes from the logind applet of busybox.
>      >
>      >         It tries to fetch the default security context of the root session.
>      >
>      >         Put "/etc/selinux/<SELINUXTYPE>/contexts/default_contexts" or
>      >         "/etc/selinux/<SELINUXTYPE>/contexts/users/root" correctly, and
>      >         try it again.
>      >
>      >         Thanks,
>      >
>      > >
>      > > Embinux Linux 1.1 beagleboard ttyS2
>      > >
>      > > beagleboard login:
>      > >
>      > >
>      > >
>      > > ---
>      > > Manav
>      > > Hyderabad
>      > >
>      > >
>      > >
>      > > On Thu, Mar 11, 2010 at 3:38 PM, Manvendra Pratap Singh
>      > > <manav.emb@xxxxxxxxx> wrote:
>      > >
>      > >     Thanks for the information. I asked about working busybox and linux
>      > >     kernel versions because when I am enabling selinux in busybox
>      > >     (1.13.0), it is giving me a lot of compilation errors and I think some
>      > >     code is also missing. Although the kernel (2.6.29) which I am using
>      > >     is working fine. If you tell anything more on this then it will be a
>      > >     great help.
>      > >
>      > >
>      > >     --
>      > >     Manav
>      > >     Hyderabad
>      > >
>      > >
>      > >
>      > >     On Wed, Mar 10, 2010 at 11:19 PM, Stephen Smalley
>      > >     <sds@xxxxxxxxxxxxx> wrote:
>      > >
>      > >         On Wed, 2010-03-10 at 22:44 +0530, Manvendra Pratap Singh wrote:
>      > > > Hi Stephen,
>      > > >
>      > > > Maybe I could not make myself clear to you. My question was not about
>      > > > linux on omap3, it was about SELinux on omap3. Anyways thanks for your
>      > > > reply. I will check the links given by you.
>      > >
>      > >         SELinux isn't platform-specific, and is a component of the Linux 2.6
>      > >         kernel.
>      > >
>      > >         --
>      > >         Stephen Smalley
>      > >         National Security Agency
>      > >
>      > >
>      > >
>      >
>      >
>      >         --
>      >         KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
>      >
>      >
>      >
>      >
>      >
>      > --
>      > Manav
>      > Hyderabad
>
>
>     --
>     KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
>
>
>
>
> --
> Manav
> Hyderabad


--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>



--
Manav
Hyderabad
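
The checks discussed in this thread, as an added example that is not part of any poster's message: a small POSIX sh helper that classifies the context of the login process and looks for a matching line in default_contexts or users/root. The function names are hypothetical, and the lookup is a simplified model of get_default_context() that assumes matching on role:type only, ignoring the level. It also relies on the kernel reporting the bare name `kernel` as a process context while no policy is loaded.

```shell
#!/bin/sh
# Added example (not from the thread). Simplified model of the lookup done by
# get_default_context(): match the role:type of the login process against the
# first field of each line in default_contexts or users/<name>.

# classify_context CON: prints what the context of the login process implies.
classify_context() {
    case $1 in
        kernel) echo "no-policy" ;;      # bare initial SID name: no policy loaded
        *:kernel_t|*:kernel_t:*|*:init_t|*:init_t:*|*:initrc_t|*:initrc_t:*)
            echo "no-transition" ;;      # policy loaded, domain transition missing
        *:*:*) echo "ok" ;;
        *) echo "malformed" ;;
    esac
}

# find_default_entry FILE CON: prints the contexts offered to CON's role:type.
# Returns 1 when no line matches, 2 when FILE is unreadable.
find_default_entry() {
    [ -r "$1" ] || return 2
    want=$(printf '%s\n' "$2" | cut -d: -f2,3)
    while read -r first rest; do
        case $first in ''|'#'*) continue ;; esac
        if [ "$(printf '%s\n' "$first" | cut -d: -f1,2)" = "$want" ]; then
            printf '%s\n' "$rest"
            return 0
        fi
    done < "$1"
    return 1
}

# diagnose FILE [CON]: CON defaults to the context of the calling process.
diagnose() {
    con=${2:-$(cat /proc/self/attr/current 2>/dev/null | tr -d '\000')}
    state=$(classify_context "$con")
    [ "$state" = "ok" ] || { echo "$state"; return 1; }
    find_default_entry "$1" "$con" >/dev/null || { echo "no-entry"; return 1; }
    echo "entry-found"
}
```

Pass the context of the process that runs login as the second argument, for example `diagnose /etc/selinux/base_policy/contexts/default_contexts system_u:system_r:local_login_t:s0` (a constructed context); `no-policy` and `no-transition` correspond to the two failure causes raised in the replies above.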
