Ok, re-built activating with SELinux and it is not working either. My problem seems indeed to be my build process rather than anything relating to my code :(. However, it does not get me closer to understanding what I am doing wrong. Here is the security config for the build with SELinux on:

#
# Security options
#
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
# CONFIG_SECURITY_HELLOWORLD is not set
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_CRYPTO=y

Thanks a lot Dave for pointing in the right direction.

Thomas

On 19 January 2015 at 00:29, Thomas F. J.-M. Pasquier <[email protected]> wrote:

> Here is the security part of the .config:
>
> #
> # Security options
> #
> CONFIG_KEYS=y
> CONFIG_PERSISTENT_KEYRINGS=y
> CONFIG_BIG_KEYS=y
> # CONFIG_ENCRYPTED_KEYS is not set
> CONFIG_KEYS_DEBUG_PROC_KEYS=y
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_NETWORK_XFRM=y
> CONFIG_SECURITY_PATH=y
> CONFIG_INTEL_TXT=y
> # CONFIG_SECURITY_SELINUX is not set
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_HELLOWORLD=y
> # CONFIG_IMA is not set
> # CONFIG_EVM is not set
> CONFIG_DEFAULT_SECURITY_HELLOWORLD=y
> # CONFIG_DEFAULT_SECURITY_DAC is not set
> CONFIG_DEFAULT_SECURITY="helloworld"
> CONFIG_CRYPTO=y
>
>
> SELinux is not loading before my module. SELinux was working on the kernel
> that came with the distribution, did not try to build my kernel with it on.
> I will try to do so.
>
> Thank you very much,
> Thomas
>
> On 19 January 2015 at 00:20, Dave Tian <[email protected]> wrote:
>
>> Did SELinux get loaded before your changes (Fedora uses SELinux by
>> default)? Would you please post your security config? I still suspect that
>> there was sth messed up in the config.
>>
>> Thanks,
>> Dave
>>
>>
>> On Jan 18, 2015, at 7:09 PM, Thomas F. J.-M. Pasquier <[email protected]>
>> wrote:
>>
>> No, other LSM. Checked in the config file. The only one selected is mine
>> and it is set "Default Security Module" when using menuconfig.
>>
>> On Mon Jan 19 2015 at 12:07:33 AM Tian Dave <[email protected]>
>> wrote:
>>
>>> Then which LSM was triggered? SELinux? You probably need to disable
>>> other LSM before making your LSM work.
>>>
>>> Thanks,
>>> Dave
>>>
>>> 2015-01-18 18:49 GMT-05:00 Thomas F. J.-M. Pasquier <[email protected]>:
>>>
>>>> Hi everyone,
>>>>
>>>> Kernel version 3.17.8
>>>>
>>>> I am trying to build a skeleton LSM module, but I am not having much
>>>> luck so far. The problem seems to be that the LSM init function is never
>>>> called.
>>>>
>>>> I am selecting my helloworld LSM when building the kernel and it is set
>>>> as default (checked and re-checked in menuconfig + in the file).
>>>>
>>>> The build is going fine (my module is built as I would expect). The
>>>> rest of the building procedure goes fine. I reboot, the new image works
>>>> just fine except my LSM is not in (nor any other, it seems, for that
>>>> matter).
>>>>
>>>> Here is the init function:
>>>> static __init int hw_init(void){
>>>>     /* avoid security registration races */
>>>>     if (!security_module_enable(&hw_ops)){
>>>>         printk(KERN_INFO "hw: Disabled at boot.\n");
>>>>         return 0;
>>>>     }
>>>>
>>>>     printk(KERN_INFO "hw: Initializing.\n");
>>>>
>>>>     if (register_security(&hw_ops))
>>>>         panic("hw: Unable to register with kernel.\n");
>>>>     else
>>>>         printk(KERN_INFO "hw: registered with the kernel.\n");
>>>>
>>>>     return 0;
>>>> }
>>>>
>>>> security_initcall(hw_init);
>>>>
>>>> I looked at how it was done in SELinux and the other security module
>>>> and I don't seem to be doing things differently or incorrectly. I checked
>>>> the log level just in case and that's not the issue either.
>>>>
>>>> I am tempted to say the problem comes from my building
>>>> procedure/configuration, rather than the module/code in itself (the dist on
>>>> top of the kernel is fedora21). I have been at it for a while now and any
>>>> help would be most welcomed.
>>>>
>>>> Thank you in advance.
>>>>
>>>> Regards,
>>>> Thomas
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> [email protected]
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
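
In kernels of this generation, security_module_enable() succeeds only when the module's registered name equals the selected LSM name, which defaults to CONFIG_DEFAULT_SECURITY and is overridden by a security= boot parameter. The script below is an added example, not part of the thread, that applies that rule to a .config and a kernel command line; the function names, the sample config and the sample command lines are constructed.

```shell
#!/bin/sh
# Model of the boot-time LSM choice in 3.x-era kernels: CONFIG_DEFAULT_SECURITY
# is the default and a security=<name> boot parameter overrides it.
# Function names and sample data are constructed for this example.

# chosen_lsm CONFIG_FILE CMDLINE: print the LSM name that would be selected.
chosen_lsm() (
    set -f   # no globbing while the command line is split into words
    name=$(sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p' "$1")
    for arg in $2; do
        case $arg in
            security=*) name=${arg#security=} ;;   # the last one wins
        esac
    done
    printf '%s\n' "$name"
)

# lsm_built_in CONFIG_FILE NAME: succeed if CONFIG_SECURITY_<NAME>=y is set.
lsm_built_in() {
    upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    grep -q "^CONFIG_SECURITY_${upper}=y\$" "$1"
}

# lsm_would_enable CONFIG_FILE CMDLINE NAME: succeed only if NAME is compiled
# in and is also the selected LSM, i.e. its init would get past the name check.
lsm_would_enable() {
    lsm_built_in "$1" "$3" && [ "$(chosen_lsm "$1" "$2")" = "$3" ]
}

# Constructed sample: the helloworld options from the thread.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_HELLOWORLD=y
CONFIG_DEFAULT_SECURITY="helloworld"
EOF

for cl in "ro quiet" "ro security=selinux quiet"; do   # made-up command lines
    if lsm_would_enable "$sample_cfg" "$cl" helloworld; then
        echo "[$cl] helloworld passes the name check"
    else
        echo "[$cl] helloworld is skipped, selected: $(chosen_lsm "$sample_cfg" "$cl")"
    fi
done
# Live system: lsm_would_enable "/boot/config-$(uname -r)" "$(cat /proc/cmdline)" helloworld
```

Running the live-system line against the config of the kernel that actually booted also confirms that the booted image is the one that was built with the module selected.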
