On 7/23/14, 7:15 AM, zhenhua....@freescale.com wrote:
I tried dora (poky + meta-selinux + meta-fsl-ppc); the following error message
appears during kernel boot up, please help.
RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 340k freed
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Sounds like the selinuxfs was not enabled -- or the /sys/fs/selinux mount point
was not created by default. I'd start with suspecting the kernel configuration,
and then look to see if the early init scripts for selinux are incorrect and
need to add that mount point.
--Mark
Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.
Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
Call Trace:
[c0000002f9143ae0] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
[c0000002f9143bb0] [c000000000816e48] .panic+0xec/0x24c
[c0000002f9143c40] [c00000000003d094] .do_exit+0x964/0xa40
[c0000002f9143d30] [c00000000003e354] .do_group_exit+0x54/0xf0
[c0000002f9143dc0] [c00000000003e404] .SyS_exit_group+0x14/0x20
[c0000002f9143e30] [c000000000000598] syscall_exit+0x0/0x88
Rebooting in 180 seconds..
Best Regards,
Zhenhua
-----Original Message-----
From: yocto-boun...@yoctoproject.org [mailto:yocto-
boun...@yoctoproject.org] On Behalf Of zhenhua....@freescale.com
Sent: Wednesday, July 23, 2014 10:29 AM
To: Mark Hatle; yocto@yoctoproject.org
Subject: Re: [yocto] SELinux doesn't work on t4240qds
Hi Mark,
Thanks for your comments.
-----Original Message-----
From: yocto-boun...@yoctoproject.org [mailto:yocto-
boun...@yoctoproject.org] On Behalf Of Mark Hatle
On 7/22/14, 10:11 AM, zhenhua....@freescale.com wrote:
Hi all,
Which release are you using?
[Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux
master
The last version I used w/ meta-selinux was the 1.5 release.
We're planning on updating it to master in the 'near' future [patches
welcome!], and I've been told by a few others of success w/ 1.7.
[Luo Zhenhua-B19537] I will try master and dora.
Did you enable the 'selinux' distribution flag?
If so, it should have enabled all of the components necessary for this
stuff to be enabled.
[Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.
Best Regards,
Zhenhua
--Mark
I use the meta-selinux layer to build a core-image-selinux rootfs
image, and build the kernel with the following options enabled.
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
I use the generated images to boot up the FSL PPC t4240qds board (tried
both NFS boot and RAM boot with ext2.gz.u-boot rootfs); SELinux
is not turned on after kernel boot up.
The following is some information from the rootfs.
root@t4240qds:~# sestatus
SELinux status: disabled
root@t4240qds:~#
root@t4240qds:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# standard - Standard Security protection.
# mls - Multi Level Security protection.
SELINUXTYPE=mls
root@t4240qds:~# cat /proc/cmdline
root=/dev/ram rw console=ttyS0,115200 selinux=1
root@t4240qds:~# setenforce 1
setenforce: SELinux is disabled
root@t4240qds:~# getenforce
Disabled
root@t4240qds:~#
Can somebody shed some light on the issue?
Best Regards,
Zhenhua
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
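
The checks suggested in the reply above (is selinuxfs registered by the kernel, does the /sys/fs/selinux mount point exist), followed by a policy-file check for the "Unable to load SELinux Policy" message, as an added example that is not part of the original thread. The function name `selinux_boot_check` and its optional root-prefix argument are hypothetical, and the policy path assumes the usual `/etc/selinux/<SELINUXTYPE>/policy/policy.<N>` layout.

```shell
#!/bin/sh
# Added example (not from the thread): narrow down why
# "Mount failed for selinuxfs on /sys/fs/selinux" appears at boot.
# Usage on the target: selinux_boot_check
# The optional argument is a hypothetical root prefix, used for testing
# against a constructed directory tree instead of the live system.
selinux_boot_check() {
    root="${1:-}"

    # 1. Kernel side: selinuxfs is only listed when SELinux is built in
    #    and was not disabled at boot.
    if ! awk '$NF == "selinuxfs" {f=1} END {exit !f}' \
            "$root/proc/filesystems" 2>/dev/null; then
        echo "kernel: selinuxfs not registered (kernel config or boot parameters)"
        return 1
    fi

    # 2. Init side: /sys/fs/selinux lives inside sysfs, so sysfs must be
    #    mounted on /sys before selinuxfs can be mounted.
    if ! awk '$2 == "/sys" && $3 == "sysfs" {f=1} END {exit !f}' \
            "$root/proc/mounts" 2>/dev/null; then
        echo "init: sysfs is not mounted on /sys"
        return 2
    fi

    # 3. The mount point itself.
    if [ ! -d "$root/sys/fs/selinux" ]; then
        echo "init: mount point /sys/fs/selinux does not exist"
        return 3
    fi

    # 4. Policy: SELINUXTYPE in /etc/selinux/config must name a directory
    #    that actually contains a compiled policy file.
    type=$(sed -n 's/^SELINUXTYPE=//p' "$root/etc/selinux/config" 2>/dev/null)
    if [ -z "$type" ] || \
       ! ls "$root/etc/selinux/$type"/policy/policy.* >/dev/null 2>&1; then
        echo "rootfs: no policy file for SELINUXTYPE='$type'"
        return 4
    fi

    echo "ok: selinuxfs registered, mount point present, policy '$type' installed"
    return 0
}
```

In enforcing mode any of the first four results is enough to stop init from loading the policy, so checking them from a shell booted with `enforcing=0` or from the build host's copy of the rootfs (step 4 only) avoids the panic loop.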