Discussion:
[meta-freescale] Cannot enable selinux with imx6ULL. Why?
Stefano Cappa
2018-10-21 10:48:13 UTC
I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using the
official NXP imx6 evk board.

I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still
experimenting and studying it :)) but I'm getting this error running "fixfiles
-f -F relabel":

Cleaning out /tmp
fixfiles: No suitable file systems found
Cleaning up labels on /tmp
secon: SELinux is not enabled
cat: /initial_contexts/unlabeled: No such file or directory

I wrote to one of the authors of meta-selinux and he said:

You need to make sure that the filesystem in use has extended
attributes
enabled. A lot of silicon vendor versions have this disabled, or use a
filesystem where it's not supported.
ext*fs, xfs, etc usually support it, with the right kernel
configuration.

So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but I'm
still having the same error.
And running 'mount' I get this:
/dev/<mynamehere> / type ext4 (rw,relatime,data=ordered)

What am I missing?
Also, does imx6ULL support meta-selinux? Or are there some limitations
in the kernel that prevent me from activating SELinux?

Thank you.
Otavio Salvador
2018-10-27 18:10:06 UTC
On Sun, Oct 21, 2018 at 7:52 AM Stefano Cappa
I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using the official NXP imx6 evk board.
Cleaning out /tmp
fixfiles: No suitable file systems found
Cleaning up labels on /tmp
secon: SELinux is not enabled
cat: /initial_contexts/unlabeled: No such file or directory
You need to make sure that the filesystem in use has extended attributes
enabled. A lot of silicon vendor versions have this disabled, or use a
filesystem where it's not supported.
ext*fs, xfs, etc usually support it, with the right kernel configuration.
So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but I'm still having the same error.
/dev/<mynamehere> / type ext4 (rw,relatime,data=ordered)
What am I missing?
Also, does imx6ULL support meta-selinux? Or are there some limitations in the kernel that prevent me from activating SELinux?
You need to enable the needed features on the kernel config. You
likely need to make a new layer to store the changes you will do and
modify the defconfig accordingly.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750
--
Stefano Cappa
2018-10-29 09:58:15 UTC
Ok. Yes I created a custom layer with recipes-kernel/linux folders and
inside these files:
- linux-imx_4.9.88.bbappend
- linux-imx_selinux.inc
- linux-imx/selinux.cfg (taken as it is from meta-selinux layer)

The content of linux-imx_4.9.88.bbappend is:

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

SRC_URI += "\
"

# Pull in the SELinux kernel settings only when the distro enables the
# "selinux" feature; the require line must stay on one line (or use a
# trailing backslash), otherwise BitBake fails to parse the bbappend.
require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}


The content of linux-imx_selinux.inc is:

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

# Enable selinux support in the kernel if the feature is enabled
# (single line: a bare newline inside the quoted value is not a continuation)
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"


And selinux.cfg is:

CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y

Am I missing something?

Thank you.
Post by Otavio Salvador
On Sun, Oct 21, 2018 at 7:52 AM Stefano Cappa
Post by Stefano Cappa
I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using
the official NXP imx6 evk board.
Post by Stefano Cappa
I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still
experimenting and studying it :)) but I'm getting this error running
Post by Stefano Cappa
Cleaning out /tmp
fixfiles: No suitable file systems found
Cleaning up labels on /tmp
secon: SELinux is not enabled
cat: /initial_contexts/unlabeled: No such file or directory
You need to make sure that the filesystem in use has extended
attributes
Post by Stefano Cappa
enabled. A lot of silicon vendor versions have this disabled, or
use a
Post by Stefano Cappa
filesystem where it's not supported.
ext*fs, xfs, etc usually support it, with the right kernel
configuration.
Post by Stefano Cappa
So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but
I'm still having the same error.
Post by Stefano Cappa
/dev/<mynamehere> / type ext4 (rw,relatime,data=ordered)
What am I missing?
Also, does imx6ULL support meta-selinux? Or are there some limitations
in the kernel that prevent me from activating SELinux?
You need to enable the needed features on the kernel config. You
likely need to make a new layer to store the changes you will do and
modify the defconfig accordingly.
Otavio Salvador
2018-10-29 12:26:57 UTC
On Mon, Oct 29, 2018 at 6:59 AM Stefano Cappa
...
Post by Stefano Cappa
Am I missing something?
You are on the right path. I think extended attributes support is also
needed but I am not a SE Linux user.
--
Stefano Cappa
2018-10-29 12:33:56 UTC
Perfect.

Do you know if there is a config property for xattrs in the .cfg file?
Post by Otavio Salvador
On Mon, Oct 29, 2018 at 6:59 AM Stefano Cappa
Post by Stefano Cappa
Ok. Yes I created a custom layer with recipes-kernel/linux folders and
...
Post by Stefano Cappa
Am I missing something?
You are on the right path. I think extended attributes support is also
needed but I am not a SE Linux user.
Otavio Salvador
2018-10-29 17:34:33 UTC
On Mon, Oct 29, 2018 at 9:34 AM Stefano Cappa
Post by Stefano Cappa
Do you know if there is a config property for xattrs in the .cfg file?
Not off the top of my head.
--
Stefano Cappa
2018-11-01 11:22:21 UTC
When I run zcat /proc/config.gz I see that some options aren't applied.

Some of these aren't enabled:
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y

For instance on my device I have:
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
*# CONFIG_SECURITY is not set*
CONFIG_SECURITYFS=y
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y


It seems that the cfg file isn't applied at all.
Do you have other ideas to apply these changes manually, instead of in a
custom layer, to try to understand whether I made an error in my layer or
whether it is something else?

Thank you.

On Mon, 29 Oct 2018 at 18:34 Otavio Salvador <
Post by Otavio Salvador
On Mon, Oct 29, 2018 at 9:34 AM Stefano Cappa
Post by Stefano Cappa
Do you know if there is a config property for xattrs in the .cfg file?
Not off the top of my head.
Otavio Salvador
2018-11-01 12:53:26 UTC
On Thu, Nov 1, 2018 at 8:23 AM Stefano Cappa
<***@gmail.com> wrote:
...
Do you have other ideas to apply these changes manually, instead of in a custom layer, to try to understand whether I made an error in my layer or whether it is something else?
A dependency of the settings is likely not satisfied; I usually make
use of menuconfig, inside BitBake to do it.
--
Stefano Cappa
2018-11-01 18:37:20 UTC
Good suggestion, thank you.

I enabled some features with menuconfig, but I don't understand how to
store the new .config file into my custom layer to apply it automatically
at every build. I made many experiments without success. I'm going crazy.

On Thu, 1 Nov 2018 at 13:53 Otavio Salvador <
Post by Otavio Salvador
On Thu, Nov 1, 2018 at 8:23 AM Stefano Cappa
...
Post by Stefano Cappa
Do you have other ideas to apply these changes manually, instead of in a
custom layer, to try to understand whether I made an error in my layer or
whether it is something else?
A dependency of the settings is likely not satisfied; I usually make
use of menuconfig, inside BitBake to do it.
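Taking the two open questions of this thread together (the selinux.cfg that is fetched but never shows up in zcat /proc/config.gz, and how to keep a menuconfig result in the custom layer so it is applied on every build): the file://*.cfg fragment mechanism is implemented by kernel-yocto.bbclass, so unless the kernel recipe inherits that class a fragment in SRC_URI is only fetched and otherwise ignored, which is consistent with what was observed on the board. Plain kernel.bbclass does copy ${WORKDIR}/defconfig into .config and then runs olddefconfig, which drops any option whose Kconfig dependencies are unmet. One way to work with that is to merge the fragment into the defconfig yourself, ship the merged file as file://defconfig next to the bbappend (the existing FILESEXTRAPATHS_prepend already points at ${THISDIR}/${PN}), and after booting compare the fragment against the running kernel's config. The script below is an added example and is not code from this thread, from meta-selinux or from meta-freescale. The two files it writes are constructed for the demonstration: the defconfig is modelled on the "Security options" block posted from the board, and the fragment is a subset of the thread's selinux.cfg plus the CONFIG_DEFAULT_SECURITY choice, which the thread's fragment does not set and is assumed here, because a defconfig that already contains CONFIG_DEFAULT_SECURITY_DAC=y keeps DAC as the default LSM otherwise.

```shell
#!/bin/sh
# Added example (not from this thread, meta-selinux or meta-freescale):
# merge a kernel .cfg fragment into a defconfig by hand and verify the result.
# Only the "CONFIG_X=value" and "# CONFIG_X is not set" line forms are handled,
# which is all a meta-selinux style fragment contains. The merge does not
# resolve Kconfig dependencies; the kernel build's olddefconfig does that and
# drops options whose dependencies are unmet, so run check_fragment against the
# final .config (or zcat /proc/config.gz on the board), not only the merge output.

# Print the option name of one kconfig line, nothing for comments/blank lines.
#   "CONFIG_FOO=y"            -> CONFIG_FOO
#   "# CONFIG_FOO is not set" -> CONFIG_FOO
kconf_name() {
    case "$1" in
        CONFIG_*=*) printf '%s\n' "${1%%=*}" ;;
        "# CONFIG_"*" is not set") n=${1#"# "}; printf '%s\n' "${n% is not set}" ;;
    esac
}

# merge_fragment DEFCONFIG FRAGMENT OUT: copy DEFCONFIG to OUT, then for every
# option in FRAGMENT remove any existing setting from OUT and append the
# fragment's line, so the fragment always wins (the same rule as
# scripts/kconfig/merge_config.sh in the kernel tree).
merge_fragment() {
    cp "$1" "$3"
    while IFS= read -r line || [ -n "$line" ]; do
        name=$(kconf_name "$line")
        [ -n "$name" ] || continue
        grep -v -e "^$name=" -e "^# $name is not set\$" "$3" > "$3.tmp" || true
        mv "$3.tmp" "$3"
        printf '%s\n' "$line" >> "$3"
    done < "$2"
}

# check_fragment FRAGMENT CONFIG: print every fragment line that does not appear
# verbatim in CONFIG, with what CONFIG says instead; exit 0 only if none is missing.
check_fragment() {
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        name=$(kconf_name "$line")
        [ -n "$name" ] || continue
        grep -qxF -- "$line" "$2" && continue
        actual=$(grep -e "^$name=" -e "^# $name is not set\$" "$2" || true)
        printf 'MISSING %s (config has: %s)\n' "$line" "${actual:-nothing}"
        missing=$((missing + 1))
    done < "$1"
    [ "$missing" -eq 0 ]
}

# write_samples DIR: constructed inputs for the demonstration (not real board
# files). The defconfig mirrors the "Security options" block posted from the
# board; the fragment is a subset of the thread's selinux.cfg plus the
# CONFIG_DEFAULT_SECURITY choice, which is an assumption added here.
write_samples() {
    cat > "$1/defconfig" <<'EOF'
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_EXT4_FS=y
# CONFIG_EXT4_FS_SECURITY is not set
EOF
    cat > "$1/selinux.cfg" <<'EOF'
CONFIG_AUDIT=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
EOF
}

# Stand-alone run: show the gap before the merge, then verify the merged
# defconfig, which is the file to ship as file://defconfig from the layer.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== fragment vs. original defconfig =="
    check_fragment "$dir/selinux.cfg" "$dir/defconfig" || true
    merge_fragment "$dir/defconfig" "$dir/selinux.cfg" "$dir/defconfig.merged"
    echo "== fragment vs. merged defconfig =="
    check_fragment "$dir/selinux.cfg" "$dir/defconfig.merged" && echo "all fragment options present"
    rm -rf "$dir"
}
demo
```

In practice the merged file replaces the recipe's defconfig (copy it to recipes-kernel/linux/linux-imx/defconfig and add file://defconfig to SRC_URI in the bbappend), and the same check_fragment call is what to run on the board against zcat /proc/config.gz: a line reported as MISSING there, after the merged defconfig was built, points at a dependency that olddefconfig could not satisfy, which is where menuconfig inside BitBake is the right tool.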