On Tue, Aug 18, 2020 at 4:38 PM W. Michael Petullo <mike@xxxxxxxx> wrote:
>
> > I am working with Thomas Petazzoni and the OpenWrt community to add
> > SELinux support to OpenWrt. OpenWrt is a Linux distribution tailored
> > for running routers and similar devices.
> >
> > https://github.com/openwrt/openwrt/pull/3207
> > https://github.com/openwrt/packages/pull/10664
> >
> > I am interested in enabling KERNEL_SECURITY_SELINUX_DEVELOP, which I
> > believe to be necessary if I am to enable and disable SELinux enforcement
> > at runtime. However, it seems that enabling this option in the kernel
> > causes the system to hang:
> >
> > [...]
> > [ 1.668419] sd 0:0:0:0: [sda] Attached SCSI disk
> > [ 1.675189] Waiting for root device PARTUUID=4ba37c2a-02...
> > [ 2.100751] tsc: Refined TSC clocksource calibration: 1995.376 MHz
> > [ 2.113719] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x39863c423f0, max_idle_ns: 881590675958 ns
> > [ 2.122334] clocksource: Switched to clocksource tsc
> >
> > It is not clear to me whether the kernel or the init process is
> > hanging. Things boot fine when KERNEL_SECURITY_SELINUX_DEVELOP=n.
> >
> > I have tried a number of kernel command line parameters, thinking perhaps
> > SELinux is preventing the use of the console. This has not yet helped.
> >
> > The OpenWrt init is available at:
> >
> > https://git.openwrt.org/?p=project/procd.git,
> >
> > and it now includes a commit from Thomas that calls
> > selinux_init_load_policy().
> >
> > Does anyone have any idea what might be causing this hang? Is there
> > a user-space requirement to finish the boot process when
> > KERNEL_SECURITY_SELINUX_DEVELOP=y?
> >
> > I would also very much appreciate any comments on the two GitHub merge
> > requests above. I think OpenWrt would provide a compelling use case for
> > SELinux, and thus I (along with Thomas) have invested a fair amount of
> > time trying to get this accepted by the OpenWrt team.
>
> Looks like my problem had to do with mangling grub.cfg. Things are
> working nicely now.

Great, thanks for working on this. I agree that OpenWrt could be a compelling
use case for SELinux. In the case of Android, we started from scratch to create
a policy tailored to its userspace and security goals. Have you considered doing
the same for OpenWrt or are you just trying to use refpolicy?
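The thread turns on what CONFIG_SECURITY_SELINUX_DEVELOP changes at boot and on the kernel command line parameters the original poster experimented with. The block below is an added, stand-alone model written for this page; it is not kernel code and not procd code. It reproduces the effect of the two Kconfig switches as documented in the kernel's Kconfig help and `__setup()` handlers: with DEVELOP=n the kernel is compiled enforcing-only and `enforcing=` does not exist as a parameter, so a policy that denies init has no permissive escape hatch from the command line; with DEVELOP=y the kernel starts permissive unless `enforcing=1` is given, and it is userspace (for OpenWrt, procd's `selinux_init_load_policy()` call) that loads policy and switches to enforcing. `selinux=0` is likewise only honoured when CONFIG_SECURITY_SELINUX_BOOTPARAM is set. The `struct kconfig`, `enum selinux_boot_state` and `selinux_boot_state()` names are invented for the example, and the whitespace-only tokenizer is a simplification of the kernel's command-line parser.

```c
/* Model of how the SELinux kernel module interprets its two boot-time
 * switches. Written for this page as an illustration, not kernel code.
 * Value parsing mirrors the kernel's kstrtoul(str, 0, ...) handlers:
 * base 0, whole token must be numeric, anything else is ignored. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum selinux_boot_state {
    SELINUX_DISABLED,   /* selinux=0 honoured: the LSM never initialises */
    SELINUX_PERMISSIVE, /* denials logged, nothing denied; userspace may setenforce 1 */
    SELINUX_ENFORCING   /* denied from the first hook onward */
};

struct kconfig {                /* hypothetical, for the example */
    bool develop;               /* CONFIG_SECURITY_SELINUX_DEVELOP */
    bool bootparam;             /* CONFIG_SECURITY_SELINUX_BOOTPARAM */
};

/* Parse the value part of "<name>=<value>" as the kernel handlers do.
 * Returns false and leaves *out untouched when the value is unparsable. */
static bool parse_bool_param(const char *value, size_t len, bool *out)
{
    char buf[32];
    char *end;
    unsigned long v;

    if (len == 0 || len >= sizeof buf)
        return false;
    memcpy(buf, value, len);
    buf[len] = '\0';
    v = strtoul(buf, &end, 0);      /* base 0: "1" and "0x1" both accepted */
    if (*end != '\0')
        return false;               /* "enforcing=yes" is silently ignored */
    *out = v != 0;
    return true;
}

/* Walk a space-separated kernel command line and return the SELinux state
 * the kernel is in when it hands control to init. */
enum selinux_boot_state selinux_boot_state(const struct kconfig *cfg,
                                           const char *cmdline)
{
    bool enabled = true;             /* default: SELinux on */
    /* DEVELOP=n: enforcing is a compile-time constant of 1.
     * DEVELOP=y: boots permissive unless enforcing=1 is passed. */
    bool enforcing = !cfg->develop;
    const char *p = cmdline;

    while (*p) {
        const char *tok;
        size_t toklen;

        while (isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        tok = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        toklen = (size_t)(p - tok);

        if (cfg->bootparam && toklen >= 8 && !strncmp(tok, "selinux=", 8))
            parse_bool_param(tok + 8, toklen - 8, &enabled);
        else if (cfg->develop && toklen >= 10 && !strncmp(tok, "enforcing=", 10))
            parse_bool_param(tok + 10, toklen - 10, &enforcing);
        /* Every other token, including enforcing=0 on a DEVELOP=n kernel,
         * has no effect: there is no permissive escape hatch there. */
    }

    if (!enabled)
        return SELINUX_DISABLED;
    return enforcing ? SELINUX_ENFORCING : SELINUX_PERMISSIVE;
}

int main(void)
{
    static const char *names[] = { "disabled", "permissive", "enforcing" };
    struct kconfig develop = { .develop = true, .bootparam = true };
    struct kconfig hardened = { .develop = false, .bootparam = false };
    /* Constructed command line; the PARTUUID is the one from the boot log above. */
    const char *cmdline = "root=PARTUUID=4ba37c2a-02 console=ttyS0 enforcing=0";

    printf("DEVELOP=y, BOOTPARAM=y: %s\n", names[selinux_boot_state(&develop, cmdline)]);
    printf("DEVELOP=n, BOOTPARAM=n: %s\n", names[selinux_boot_state(&hardened, cmdline)]);
    return 0;
}
```

The practical reading for a router build: a DEVELOP=n kernel gives an attacker with command-line influence no way to switch off enforcement, but it also means a policy that is missing or denies the init process is fatal at first boot, which is why bring-up and policy development are normally done with DEVELOP=y and the switch to enforcing left to userspace after policy is loaded.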