Re: Newbie question on fixfiles

On 01/29/2016 02:03 PM, Thomas Downing wrote:
On Friday, January 29, 2016 13:02:42 Stephen Smalley wrote:
On 01/29/2016 12:25 PM, Thomas Downing wrote:
Hi,

I need to get SELinux running on an appliance we are building, not based
on a distro that already supports SELinux.

I've got all the userspace stuff built, (including setools3) without any
warnings or errors. I followed instructions for installing and loading
refpolicy, no warnings or errors.  (Except the python tools, which all
import selinux.py, which does not seem to be included in the source
tree.)

I'm booting with kernel options "security=selinux selinux=1", and dmesg
shows SELinux initializing, and no errors or warnings.

sestatus output:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      30

Problem is: fixfiles does not actually label anything, and the underlying
reason is that none of the mounted disk filesystems (all ext4) have
option 'seclabel'.

Any pointers?

Also, given the absence of the seclabel option, I question if the kernel
part of SELinux is in fact really happy...and if it isn't, I'm dead in
the water anyway.

This implies that you haven't loaded a policy into the kernel. Normally
this is done by init; both sysvinit and systemd should already include
the necessary bits but you may have to enable them in your configure.

Okay, my bad, I thought I had done "make load" in
/etc/selinux/refpolicy/src/policy, but I guess I missed that.  So now
"seclabel" shows up on all ext4 file systems in /proc/mounts, so that is good.

Now running "fixfiles -F -f -v -l fixfiles.log relabel" does not complain.

But now I've got two other problems:

1. Looking at the log file produced, only a few files are said to be labeled,
outside of /run/udev, /dev etc.  What happened to everything else in
file_contexts?

2. None of the files that the log file claims were relabeled, are in fact
labeled, according to 'ls -Z'.

There is no sysvinit script for selinux stuff for this distro, I need to create
all that.  Looking at Fedora 22 that is current SELinux enabled, I can't find
the systemd unit file that does the load, or I would use that as a reference.

On the other hand, it seems I should be able to use what "make load" does as a
reference as well.  Is that a valid assumption?

SELinux initialization is normally done directly from init code, not from a script file or unit file, because we need init to load policy and then re-exec itself or dynamically switch contexts to get init into its own security context (otherwise it will be left in the kernel's domain). sysvinit and systemd source code already include that support (as does Android init); if using them, you might just need to rebuild with the appropriate configure flags.

Alternatively, you could invoke "load_policy -i" from an initramfs script after switching to the real root and before executing init.

If you run restorecon -v /path/to/file for one of these files that wasn't labeled, what does it say? What does ls -Z show for the file before and after?
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
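The two checks Stephen's reply implies (is a policy actually loaded, and which disk filesystems are still missing "seclabel"), plus the "load_policy -i from the initramfs before exec'ing init" alternative, written out as a small POSIX sh script. This is an added example, not code from the thread, from refpolicy or from the SELinux userspace; the mount-option parser and the policy_loaded check run against plain text and a directory so they can be exercised offline, and the initramfs step assumes the real root is mounted at /newroot with load_policy at /sbin/load_policy (both are assumptions, not something the thread states).

```shell
#!/bin/sh
# Added example (not code from the thread or from the SELinux userspace):
# a pre-init policy load for an initramfs, plus two checks for the symptoms
# in the thread. Paths (/newroot, /sbin/load_policy) are assumptions.

# Read /proc/mounts-style lines on stdin and print the mountpoint of each
# disk filesystem that lacks the "seclabel" option. Without seclabel the
# kernel is not attaching SELinux labels to inodes on that filesystem, so
# fixfiles/restorecon have nowhere to write the contexts they compute.
mounts_without_seclabel() {
    awk '$3 ~ /^(ext2|ext3|ext4|xfs|btrfs)$/ {
            n = split($4, opts, ",")
            have = 0
            for (i = 1; i <= n; i++) if (opts[i] == "seclabel") have = 1
            if (!have) print $2
        }'
}

# Succeed only if a policy is loaded: selinuxfs exposes "policy" and
# "enforce" once a load has succeeded. The selinuxfs mountpoint is a
# parameter so the check can be pointed at a test directory.
policy_loaded() {
    sefs="${1:-/sys/fs/selinux}"
    [ -e "$sefs/policy" ] && [ -e "$sefs/enforce" ]
}

# The alternative from the reply: after the real root is mounted at
# $newroot and before exec'ing init, load the policy from inside that root
# so the subsequent exec of init takes the kernel-to-init domain transition
# the policy provides instead of leaving init in the kernel's domain.
# /proc and /sys are bind-mounted so load_policy can find selinuxfs and
# /etc/selinux/config from within the chroot (assumed layout).
load_policy_before_init() {
    newroot="${1:-/newroot}"
    [ -x "$newroot/sbin/load_policy" ] || return 1
    mount -n -o bind /proc "$newroot/proc" || return 1
    if ! mount -n -o bind /sys "$newroot/sys"; then
        umount -n "$newroot/proc"
        return 1
    fi
    chroot "$newroot" /sbin/load_policy -i   # -i: initial policy load
    rc=$?
    umount -n "$newroot/sys"
    umount -n "$newroot/proc"
    return $rc
}

# Hypothetical use from an initramfs init script:
#   load_policy_before_init /newroot && exec switch_root /newroot /sbin/init
# Run directly with "check" to inspect the live system.
if [ "${1:-}" = "check" ]; then
    echo "Disk filesystems missing seclabel:"
    mounts_without_seclabel < /proc/mounts
    if policy_loaded; then echo "policy: loaded"; else echo "policy: NOT loaded"; fi
fi
```

Once policy_loaded succeeds and mounts_without_seclabel prints nothing, a relabel that still leaves files unlabeled is a labeling problem rather than an init problem, which is the point of the restorecon -v / ls -Z comparison asked for above.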
