[External] Re: SELinux support question

Ivan Li11 rli11 at lenovo.com
Fri Nov 6 21:06:29 AEDT 2020


Hi Anton and Jayanth,

Thanks for your suggestion; it works and I get the correct status after adding "selinux" to the systemd bbappend file.

BTW, may I check with you what "precompiled policies under /etc/selinux" means?
Does it mean that I need to add "PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-minimum"" to the build/conf/local.conf file to assign a policy in advance?

Thanks,
Ivan
From: Jayanth Othayoth <ojayanth at gmail.com>
Sent: Thursday, November 5, 2020 3:37 PM
To: Anton Kachalov <rnouse at google.com>
Cc: Ivan Li11 <rli11 at lenovo.com>; Andrew Jeffery <andrew at aj.id.au>; openbmc at lists.ozlabs.org; Artem Senichev <artemsen at gmail.com>
Subject: Re: [External] Re: SELinux support question


I tried on one of the IBM boxes which had 32MB flash in the 2018 time frame and was able to get the BMC to Ready state. Reference patch (POC only) is available here

https://gerrit.openbmc-project.xyz/q/topic:%22selinux%22+(status:open%20OR%20status:merged)

On Wed, Nov 4, 2020 at 8:06 PM Anton Kachalov <rnouse at google.com> wrote:
Hello, Ivan.

Please check if the systemd has been compiled with selinux feature enabled. It should be in charge of enforcing selinux rules at boot.

You should add "selinux" to PACKAGECONFIG over here:
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/systemd/systemd_%25.bbappend#L4

As well as adding "selinux" to the DISTRO_FEATURES variable in your build/conf/local.conf file.

Do you have precompiled policies under /etc/selinux ?

If it still doesn't work, please also attach a boot log.


On Tue, 3 Nov 2020 at 18:52, Ivan Li11 <rli11 at lenovo.com> wrote:
Hi Anton,

Thanks for your help and support.
I've followed your suggestion to enable the selinux kernel configuration and have seen the kernel message "[ 0.002268] SELinux:  Initializing." during boot, but getenforce still returns "Disabled".
The selinux mode and type I set in the /etc/selinux/config file are permissive and minimum. Could you help to advise me whether there are some settings that need to be set to avoid this problem?

Thanks,
Ivan
From: Anton Kachalov <rnouse at google.com>
Sent: Tuesday, November 3, 2020 3:50 AM
To: Ivan Li11 <rli11 at lenovo.com>
Cc: Andrew Jeffery <andrew at aj.id.au>; Artem Senichev <artemsen at gmail.com>; openbmc at lists.ozlabs.org
Subject: Re: [External] Re: SELinux support question

Hello, Ivan.

Perhaps, you should enable selinux kernel configuration as well. The openbmc kernels, if I'm not mistaken, have different recipes.

The default configuration relies on linux-yocto package:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux

You should include this selinux.cfg in one of the openbmc kernel layers:

SRC_URI += "file://selinux.cfg"

and copy selinux.cfg to one of the local files location.

On Mon, 2 Nov 2020 at 18:46, Ivan Li11 <rli11 at lenovo.com> wrote:

> -----Original Message-----
> From: Andrew Jeffery <andrew at aj.id.au>
> Sent: Monday, November 2, 2020 8:54 AM
> To: Artem Senichev <artemsen at gmail.com>; Ivan Li11 <rli11 at lenovo.com>
> Cc: openbmc at lists.ozlabs.org
> Subject: [External] Re: SELinux support question
>
>
>
> On Fri, 30 Oct 2020, at 16:25, Artem Senichev wrote:
> > Hi Ivan,
> >
> > Yocto has a layer for SELinux
> > (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux), you can try
> > it.
> > But the layer depends on Python for management tools, which does not
> > exist in the OpenBMC image anymore.
> > The problem is that Python significantly increases image size, it will
> > be more than 32MiB, which causes some troubles with qemu emulation.
>
> The problem is broader than qemu though, it would also be broken on any
> platform shipping a 32MiB flash part if the image exceeds 32MiB.
>
> That said, if there are systems that ship bigger parts and enabling SELinux for
> those is feasible, we should add those platform models to qemu so emulating
> them isn't constrained by the existing platform support.
>
> Andrew

Hi Andrew and Artem,
Per your suggestion, I tried to enable SELinux with the Yocto SELinux layer (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux) and a 64MiB flash part.
But I encountered one problem: when I use the command "getenforce" to check the SELinux mode, it always returns "Disabled" even though the SELinux mode in the config file '/etc/selinux/config' is permissive or enforcing by default.

Please help to advise it.
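The thread above walks through three separate things that all have to be in place before getenforce reports anything other than "Disabled": the kernel must have SELinux built in and selected as an active LSM, PID 1 (systemd built with its selinux PACKAGECONFIG) must load a policy at boot, and a precompiled binary policy must exist under /etc/selinux/<SELINUXTYPE>/policy/ for the type named in /etc/selinux/config. The script below is an added diagnostic, not code from OpenBMC, meta-selinux or any of the posters; it checks each of those conditions in turn. It assumes the standard interfaces named in its comments (/sys/kernel/security/lsm on kernels that expose it, the +SELINUX/-SELINUX feature line of `systemctl --version`, /proc/mounts, and the policy.<version> file name libselinux loads). Each check is a function of its input text so it can be tried on constructed samples before being run on a BMC with `--live`.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: the kernel prints
# "SELinux:  Initializing." but getenforce reports "Disabled".
# Not code from OpenBMC or meta-selinux; it only reads standard Linux,
# libselinux and systemd interfaces (assumed paths: /sys/kernel/security/lsm,
# /proc/mounts, /etc/selinux/config, /etc/selinux/<type>/policy/policy.<N>).
# Each check is a pure function of its input so it can be exercised on
# constructed samples as well as on a live system (./selinux-diag.sh --live).

# Kernel side: is "selinux" one of the active LSMs?
# $1 = contents of /sys/kernel/security/lsm, e.g. "capability,selinux"
lsm_has_selinux() {
    case ",$1," in
        *,selinux,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Init side: was systemd built with SELinux support? Without an initramfs,
# PID 1 is what mounts selinuxfs and loads the policy; if it cannot, nothing
# else will and getenforce reports Disabled even with a SELinux-enabled kernel.
# $1 = output of `systemctl --version` (feature line contains +SELINUX or -SELINUX)
systemd_has_selinux() {
    printf '%s\n' "$1" | grep -qF '+SELINUX'
}

# libselinux side: is_selinux_enabled() is true only when selinuxfs is mounted,
# so getenforce prints Disabled whenever this check fails.
# $1 = contents of /proc/mounts
selinuxfs_mounted() {
    printf '%s\n' "$1" | grep -q '[[:space:]]selinuxfs[[:space:]]'
}

# Read one key (SELINUX or SELINUXTYPE) from /etc/selinux/config text.
# $1 = config text, $2 = key; prints the value, or nothing if absent
selinux_config_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
      | tail -n 1
}

# Policy side: a "precompiled policy" is the binary policy.<version> file that
# the policy package (refpolicy-minimum etc.) installs under
# /etc/selinux/<SELINUXTYPE>/policy/. SELINUXTYPE in config must match that dir.
# $1 = root directory (/ on a live system), $2 = SELINUXTYPE (e.g. minimum)
policy_present() {
    for f in "$1/etc/selinux/$2/policy/policy."[0-9]*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Live mode: gather the inputs from the running system, report each check,
# and return the number of failures.
selinux_diag() {
    fails=0

    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    if lsm_has_selinux "$lsm"; then echo "ok:   selinux is an active LSM ($lsm)"
    else echo "FAIL: selinux not in LSM list '$lsm' (kernel config, or selinux=0 / security= on the cmdline)"; fails=$((fails + 1)); fi

    ver=$(systemctl --version 2>/dev/null || true)
    if systemd_has_selinux "$ver"; then echo "ok:   systemd built with +SELINUX"
    else echo "FAIL: systemd lacks +SELINUX (add selinux to its PACKAGECONFIG)"; fails=$((fails + 1)); fi

    cfg=$(cat /etc/selinux/config 2>/dev/null || true)
    ptype=$(selinux_config_value "$cfg" SELINUXTYPE)
    mode=$(selinux_config_value "$cfg" SELINUX)
    if policy_present / "$ptype"; then echo "ok:   precompiled policy present for SELINUXTYPE=$ptype (SELINUX=$mode)"
    else echo "FAIL: no /etc/selinux/$ptype/policy/policy.* (policy package missing or SELINUXTYPE mismatch)"; fails=$((fails + 1)); fi

    if selinuxfs_mounted "$(cat /proc/mounts 2>/dev/null || true)"; then echo "ok:   selinuxfs mounted; getenforce can report a mode"
    else echo "FAIL: selinuxfs not mounted; getenforce will print Disabled"; fails=$((fails + 1)); fi

    return "$fails"
}

if [ "${1:-}" = "--live" ]; then
    selinux_diag
fi
```

Run it on the BMC as `sh selinux-diag.sh --live`; the first FAIL line points at which of the three pieces (kernel LSM, systemd build, installed policy) is missing. The checks deliberately read the same sources getenforce and PID 1 use rather than the kernel's boot message, because "SELinux:  Initializing." only proves the kernel side.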