Hi Justin / Marco, [Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin Clacherty wrote:
> Hi Joe,
>
> Is this something you or one of the other meta-selinux devs are able
> to help out with or is it more of an upstream question?

I'll see if I can give this a shot. :-)

> Cheers,
> Justin.
>
> > On 17 Jul 2017, at 4:57 pm, Marco Ostini <ma...@ostini.org> wrote:
> >
> > Hi All,
> >
> > At the moment I'm attempting to prepare a VM of morty with SELinux
> > running well in enforcing mode. Once bedded down this will be
> > running on an embedded system.
> >
> > We use Busybox to keep the environment slim.
> >
> > As you may be aware the file contexts of
> > /etc/selinux/targeted/contexts/files/file_contexts don't include
> > appropriate paths (/sbin + /usr/lib/busybox/sbin/) and relative file
> > contexts for commands provided by Busybox. The /sbin files provided
> > by Busybox are symlinks to their counterparts in
> > /usr/lib/busybox/sbin/.
> >
> > I've attempted to use semanage to apply file contexts and look up
> > login contexts. Any time I use semanage I receive this message:
> >
> > Error: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
> >
> > In an attempt to mitigate this error I ran semodule --build and
> > while it did rebuild the policy file, it didn't mitigate the error
> > message generated by semanage. At the moment I'm applying temporary
> > file contexts with chcon.
> >
> > My questions are:
> >
> > 1. Is it possible to run Busybox (providing init, getty, syslog ...)
> > in SELinux enforcing? If so, where are the policy files?

You haven't mentioned which policy you're currently using, so I'm guessing
it is the default you get from meta-selinux, that is refpolicy-git. I've
been debugging some (I think) unrelated issues with refpolicy-git this
week, so my advice would first be to try out 2.20151208, the current
release version we have in tree. That's obviously also out of date, but it
is currently better tested than the git recipe.

All that said, yes, we have been, in the past, able to use busybox with
SELinux enforcing enabled, though as you can see from the layer, we've had
to tweak refpolicy to make it work well. I'm adding a colleague of mine
here, Shrikant, who has done a fair bit of recent work with meta-selinux
as well; he might have some additional insight into the current status of
busybox-based systems.

> > 2. Is there some documentation somewhere on reference builds of
> > Morty with SELinux enforcing ?

There is not at the moment, as far as I know. It's possible that someone
else currently using that combination can help out with some guidance,
but we haven't done any Morty+SELinux specific documentation. Since I'm
investigating some other issues right now in a slightly different area, I
may get some time next week to write up something quick for this for you.
If I do, I'll be sure to share it here.

--
-Joe MacDonald.
:wq
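The file_contexts gap Marco describes above (BusyBox applets installed under /usr/lib/busybox/sbin with symlinks in /sbin, currently labelled by hand with chcon) can be closed with persistent file_contexts entries instead. The following POSIX shell script is an added example and is not part of this thread, of meta-selinux or of refpolicy; it generates such entries for a list of applets. The directory layout is taken from Marco's description, while the target type bin_t and the applet list are assumptions that need checking against the policy actually in use.

```shell
#!/bin/sh
# Added example: generate SELinux file_contexts entries for BusyBox applets.
# Layout as described in the thread: real binaries in /usr/lib/busybox/sbin,
# symlinks to them in /sbin.  The context below is an assumption; check which
# type your policy assigns to ordinary /sbin executables before using it.

BUSYBOX_DIR=/usr/lib/busybox/sbin
LINK_DIR=/sbin
CONTEXT='system_u:object_r:bin_t:s0'   # assumed type for the applets

# file_contexts paths are regular expressions, so applet names containing
# metacharacters (BusyBox ships "[" and "[[", for example) must be escaped,
# otherwise the entry silently matches the wrong paths or nothing at all.
fc_escape() {
    printf '%s' "$1" | sed 's/[][\\.^$*+?(){}|]/\\&/g'
}

# Emit two entries per applet: "--" matches the regular file under
# BUSYBOX_DIR, "-l" matches the symlink itself under LINK_DIR, so restorecon
# labels the link without following it and both paths get the same type.
busybox_fcontext_lines() {
    for applet in "$@"; do
        esc=$(fc_escape "$applet")
        printf '%s/%s -- %s\n' "$BUSYBOX_DIR" "$esc" "$CONTEXT"
        printf '%s/%s -l %s\n' "$LINK_DIR" "$esc" "$CONTEXT"
    done
}

# Number of entries produced; useful for checking against the applet list
# (two lines per applet).
busybox_fcontext_count() {
    busybox_fcontext_lines "$@" | wc -l | tr -d ' '
}

# Constructed applet list for demonstration; a real list would come from
# "busybox --list" on the target.
busybox_fcontext_lines ifconfig syslogd getty init '['
```

The generated lines are meant to be appended to file_contexts.local, which lives beside the file_contexts path quoted in the thread, and then applied with `restorecon -Rv /sbin /usr/lib/busybox`. Unlike chcon, labels set this way survive a full relabel, and because this path does not go through semanage it does not depend on the policy.30 read error being resolved first.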