On 7/22/14, 9:28 PM, zhenhua....@freescale.com wrote:
Hi Mark,
Thanks for your comments.
-----Original Message-----
From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On Behalf Of Mark Hatle
On 7/22/14, 10:11 AM, zhenhua....@freescale.com wrote:
Hi all,
Which release are you using?
[Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux
master
This makes me suspect a kernel issue. The last time I looked at meta-fsl-ppc,
it had a custom kernel (didn't use the linux-yocto kernel). It appears (based
on your original message) that all of the needed values were enabled:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux/linux-yocto/selinux.cfg
So I'm at a loss to explain the issue. The only other suggestion would be to
pass 'selinux=1' or is it 'enforce=1' on the command line and see if that starts
the system up in enforcing mode.
The last version I used w/ meta-selinux was the 1.5 release.
We're planning on updating it to master in the 'near' future [patches
welcome!], and I've been told by a few others of success w/ 1.7.
(I meant 1.6 above BTW, since there is no 1.7 yet.)
[Luo Zhenhua-B19537] I will try master and dora.
Try dora, it's possible there is something minor that isn't right.
Did you enable the 'selinux' distribution flag?
If so, it should have enabled all of the components necessary for this stuff to
be enabled.
[Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.
That should be what was needed. The first boot should provision the system and
reboot. After that things should be enabled and functional.
--Mark
Best Regards,
Zhenhua
--Mark
I use the meta-selinux layer to build a core-image-selinux rootfs
image, and build kernel with following options enabled.
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
I use the generated images to boot up FSL PPC t4240qds board (tried
both NFS boot and RAM boot with ext2.gz.u-boot rootfs), the SELinux is
not turned on after kernel boot up.
Following is some information in rootfs.
root@t4240qds:~# sestatus
SELinux status: disabled
root@t4240qds:~#
root@t4240qds:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# standard - Standard Security protection.
# mls - Multi Level Security protection.
SELINUXTYPE=mls
root@t4240qds:~# cat /proc/cmdline
root=/dev/ram rw console=ttyS0,115200 selinux=1
root@t4240qds:~# setenforce 1
setenforce: SELinux is disabled
root@t4240qds:~# getenforce
Disabled
root@t4240qds:~#
Can somebody shed some light on the issue?
Best Regards,
Zhenhua
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
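The checks discussed in this thread, as an added example that is not part of the original messages: a shell helper that compares a kernel config against options from the poster's list, reads `selinux=` / `enforcing=` from a kernel command line, and reports how far SELinux came up. The function names and state labels are hypothetical, and `/sys/fs/selinux` is assumed as the selinuxfs mount point.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Subset of the kernel options the original poster lists as enabled.
THREAD_OPTS="CONFIG_AUDIT CONFIG_NETWORK_SECMARK CONFIG_SECURITY_NETWORK
CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_BOOTPARAM
CONFIG_SECURITY_SELINUX_DEVELOP CONFIG_EXT2_FS_SECURITY CONFIG_EXT4_FS_SECURITY"

# missing_opts CONFIG_FILE: print each option above that is not "=y" in the file.
missing_opts() {
    for opt in $THREAD_OPTS; do
        grep -q "^${opt}=y\$" "$1" || printf '%s\n' "$opt"
    done
}

# cmdline_value KEY CMDLINE: print the value of the last KEY=value token, if any.
cmdline_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# selinux_state FILESYSTEMS_FILE SELINUXFS_DIR: report how far SELinux came up.
#   no-selinuxfs  the kernel did not register selinuxfs
#   unmounted     selinuxfs is registered but not mounted at SELINUXFS_DIR
#   permissive / enforcing  value read from SELINUXFS_DIR/enforce
selinux_state() {
    if ! grep -q 'selinuxfs$' "$1" 2>/dev/null; then
        echo no-selinuxfs
    elif [ ! -r "$2/enforce" ]; then
        echo unmounted
    elif [ "$(cat "$2/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Demo: the command line quoted in the thread, then the running system.
CMDLINE='root=/dev/ram rw console=ttyS0,115200 selinux=1'
echo "selinux=$(cmdline_value selinux "$CMDLINE")" \
     "enforcing=$(cmdline_value enforcing "$CMDLINE")"
echo "state: $(selinux_state /proc/filesystems /sys/fs/selinux)"
```

Run `missing_opts` against the `.config` of the kernel that was actually booted on the board; an empty result means every option in the subset is built in.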