Re: busybox + SELinux (warrior) - reboot issue


Yi Zhao
 

Hi Yair,


On 11/14/19 2:06 AM, Yair Itzhaki wrote:

Hi,

I'm using Poky (Warrior), with busybox (aiming at a lightweight system).

Recently, added SELinux to my project (by adding "packagegroup-core-selinux" to my local.conf, with mls policy).

 

Booted with "selinux=1 enforing=0".

The auto-relabeling reported an error, since the root is mounted RO.

So, patched selinux-autorelabel script to mount "/" RW before relabeling.

Booted again.

This time, selinux-init had the same issue ( / mounted RO).

Patched this one as well, but the system keeps rebooting:

It seems that the init process keeps its kernel_t context, which forces re-labeling, reboot and so on… (per the selinux-init script)

 

Q1: Is SELinux+busybox a valid combination, or should I switch to systemd?

SELinux+busybox should work. But there are some security label issues with busybox.

I attached a fix. You can try it.


Q2: Which context should the init process end up as?

This is because /sbin/init.sysvinit doesn't set the correct label. Please also see the attachment. I will send the formal patch later.


 

BTW – the build of "core-image-selinux" fails, with the following error

   Copying files into the device: set_inode_xattr: No data available while reading attribute "security.selinux" of "network"

I didn't encounter this issue. Please make sure the setting DISTRO_FEATURES_append = " acl xattr pam selinux" is in your conf/local.conf.


//Yi


Any idea?

 

Thanks,

Yair
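
A diagnostic sketch for the two checks raised in this thread, added here as an example and not part of either poster's message or the attached fix: it tests whether PID 1 is still in kernel_t and whether local.conf carries the DISTRO_FEATURES named in the reply. The function names are hypothetical, and `ls -Z` support in the target's busybox is an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not taken from meta-selinux.

# Print the type (domain) field of an SELinux context: user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the given PID 1 context shows init never left kernel_t.
init_stuck_in_kernel_t() {
    [ "$(context_type "$1")" = "kernel_t" ]
}

# Print the features from the reply (acl xattr pam selinux) that no active
# DISTRO_FEATURES line in the given local.conf mentions. Commented-out lines
# and _remove lines do not count.
missing_distro_features() {
    conf=$1
    missing=""
    for feat in acl xattr pam selinux; do
        if ! grep -E '^[[:space:]]*DISTRO_FEATURES' "$conf" \
                | grep -v '_remove' \
                | grep -Eq "[\" ]$feat([\" ]|\$)"; then
            missing="$missing $feat"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Run on the target (assumes /proc is mounted and busybox ls supports -Z).
check_target() {
    ctx=$(tr -d '\000' < /proc/1/attr/current)
    echo "PID 1 context: $ctx"
    if init_stuck_in_kernel_t "$ctx"; then
        echo "init is still kernel_t: check the label on the init binary"
    fi
    ls -Z /sbin/init.sysvinit
}

# Usage: sh thisfile --target          (on the booted image)
#        sh thisfile conf/local.conf   (on the build host)
if [ "${1:-}" = "--target" ]; then
    check_target
elif [ -n "${1:-}" ]; then
    echo "missing DISTRO_FEATURES: $(missing_distro_features "$1")"
fi
```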

 

 

