[External] Re: SELinux support question

Anton Kachalov rnouse at google.com
Thu Nov 5 01:34:04 AEDT 2020


Hello, Ivan.

Please check that systemd has been compiled with the selinux feature enabled.
It should be in charge of enforcing selinux rules at boot.

You should add "selinux" to PACKAGECONFIG over here:
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/systemd/systemd_%25.bbappend#L4

As well as adding "selinux" to the DISTRO_FEATURES variable in your
build/conf/local.conf file.

Do you have precompiled policies under /etc/selinux?

If it still doesn't work, please also attach a boot log.


On Tue, 3 Nov 2020 at 18:52, Ivan Li11 <rli11 at lenovo.com> wrote:

> Hi Anton,
>
> Thanks for your help and support.
>
> I’ve followed your suggestion to enable the selinux kernel configuration and
> have seen the kernel message “[ 0.002268] SELinux:  Initializing.” during boot
> time, but it still returns “Disabled” after executing the getenforce command.
>
> The selinux mode and type I set in the /etc/selinux/config file are permissive
> and minimum. Could you advise me whether there are some settings I
> need to set to avoid this problem?
>
> Thanks,
>
> Ivan
>
> *From:* Anton Kachalov <rnouse at google.com>
> *Sent:* Tuesday, November 3, 2020 3:50 AM
> *To:* Ivan Li11 <rli11 at lenovo.com>
> *Cc:* Andrew Jeffery <andrew at aj.id.au>; Artem Senichev <artemsen at gmail.com>;
> openbmc at lists.ozlabs.org
> *Subject:* Re: [External] Re: SELinux support question
>
>
> Hello, Ivan.
>
> Perhaps you should enable the selinux kernel configuration as well. The
> openbmc kernels, if I'm not mistaken, have different recipes.
>
> The default configuration relies on the linux-yocto package:
>
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux
>
> You should include this selinux.cfg in one of the openbmc kernel layers:
>
> SRC_URI += "file://selinux.cfg"
>
> and copy selinux.cfg to one of the local files locations.
>
> On Mon, 2 Nov 2020 at 18:46, Ivan Li11 <rli11 at lenovo.com> wrote:
>
>
> > -----Original Message-----
> > From: Andrew Jeffery <andrew at aj.id.au>
> > Sent: Monday, November 2, 2020 8:54 AM
> > To: Artem Senichev <artemsen at gmail.com>; Ivan Li11 <rli11 at lenovo.com>
> > Cc: openbmc at lists.ozlabs.org
> > Subject: [External] Re: SELinux support question
> >
> >
> >
> > On Fri, 30 Oct 2020, at 16:25, Artem Senichev wrote:
> > > Hi Ivan,
> > >
> > > Yocto has a layer for SELinux
> > > (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux), you can try
> > > it.
> > > But the layer depends on Python for management tools, which does not
> > > exist in the OpenBMC image anymore.
> > > The problem is that Python significantly increases image size, it will
> > > be more than 32MiB, which causes some troubles with qemu emulation.
> >
> > The problem is broader than qemu though, it would also be broken on any
> > platform shipping a 32MiB flash part if the image exceeds 32MiB.
> >
> > That said, if there are systems that ship bigger parts and enabling
> > SELinux for those is feasible, we should add those platform models to
> > qemu so emulating them isn't constrained by the existing platform support.
> >
> > Andrew
>
> Hi Andrew and Artem,
> Per your suggestion, I tried to enable SELinux with the Yocto SELinux layer (
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux) and a 64MiB flash
> part.
> But I encountered one problem: when I use the command "getenforce" to
> check the SELinux mode, it always returns "Disabled" even if the SELinux mode in
> the config file '/etc/selinux/config' is permissive or enforcing by default.
>
> Please help to advise on it.
>
>
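The replies above point at three separate places where SELinux can silently end up off even though the kernel prints "SELinux: Initializing": the kernel LSM configuration, a systemd built without its selinux PACKAGECONFIG, and a missing or disabled policy under /etc/selinux. The script below is an added example, not code from the thread or from the OpenBMC or meta-selinux projects, that checks all three against a filesystem root so it can be run on the BMC itself (root "/") or against an extracted image. It assumes the standard layouts: selinuxfs appearing in /proc/filesystems, the active LSM list in /sys/kernel/security/lsm (securityfs mounted, kernel 4.17 or newer), the "+SELINUX"/"-SELINUX" feature flag that `systemctl --version` prints, and libselinux's /etc/selinux/<type>/policy/policy.<N> store.

```shell
#!/bin/sh
# Added example: diagnose why getenforce reports "Disabled" on a Yocto/OpenBMC
# image. Not part of the mailing-list thread; paths and formats are assumed
# to follow the usual Linux, systemd and libselinux conventions.

# check_selinux ROOT SYSTEMD_VERSION_TEXT
#   ROOT                 filesystem root to inspect ("/" on the BMC, or an
#                        extracted rootfs with copies of /proc and /sys files)
#   SYSTEMD_VERSION_TEXT output of `systemctl --version` from that image
# Prints one finding per line; returns 0 only when every layer looks enabled.
check_selinux() {
    root=$1
    sdver=$2
    rc=0

    # 1. Kernel built with SELinux: selinuxfs must be a registered filesystem.
    if grep -q 'selinuxfs' "$root/proc/filesystems" 2>/dev/null; then
        echo "kernel: selinuxfs present"
    else
        echo "kernel: no selinuxfs (CONFIG_SECURITY_SELINUX missing? add selinux.cfg to the kernel SRC_URI)"
        rc=1
    fi

    # 2. SELinux actually initialised as an LSM: /sys/kernel/security/lsm is a
    #    comma-separated list of the active LSMs. -w treats the comma as a
    #    word boundary, so "selinux" must appear as a whole entry.
    if grep -q -w 'selinux' "$root/sys/kernel/security/lsm" 2>/dev/null; then
        echo "kernel: selinux listed in active LSMs"
    else
        echo "kernel: selinux not in active LSMs (check CONFIG_LSM or security= on the cmdline)"
        rc=1
    fi

    # 3. systemd is what loads the policy at boot; it must be built with the
    #    selinux PACKAGECONFIG. `systemctl --version` prints +SELINUX when it is.
    case "$sdver" in
        *+SELINUX*) echo "systemd: built with SELinux" ;;
        *) echo "systemd: built without SELinux (add selinux to PACKAGECONFIG and DISTRO_FEATURES)"; rc=1 ;;
    esac

    # 4. Policy present and not disabled in /etc/selinux/config.
    cfg="$root/etc/selinux/config"
    if [ -r "$cfg" ]; then
        smode=$(sed -n 's/^SELINUX=//p' "$cfg" | tail -n1)
        stype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n1)
        echo "config: SELINUX=$smode SELINUXTYPE=$stype"
        if [ "$smode" = disabled ]; then
            echo "config: SELINUX=disabled, getenforce will report Disabled"
            rc=1
        fi
        if ls "$root/etc/selinux/$stype/policy"/policy.* >/dev/null 2>&1; then
            echo "policy: compiled policy found under /etc/selinux/$stype/policy"
        else
            echo "policy: no compiled policy under /etc/selinux/$stype/policy (is the policy package in the image?)"
            rc=1
        fi
    else
        echo "config: /etc/selinux/config missing"
        rc=1
    fi
    return $rc
}

# On the BMC: sh check_selinux.sh /   (runs only when a root is given)
if [ "$#" -ge 1 ]; then
    check_selinux "$1" "$(systemctl --version 2>/dev/null)"
fi
```

Run it on the BMC as `sh check_selinux.sh /`; each failing line names the build-side change that the replies above suggest for it. On a host, point it at an extracted rootfs after copying the target's /proc/filesystems and /sys/kernel/security/lsm into it.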