Re: meta-selinux issues. Depending on what I put in my local.conf, I get boot loops or can't log in.


Richard Purdie
 

On Sat, 2021-05-15 at 22:15 -0400, Brian Hutchinson wrote:


On Fri, May 14, 2021 at 12:35 AM Yi Zhao <yi.zhao@windriver.com> wrote:

On 5/14/21 9:40 AM, Brian Hutchinson wrote:
 
Hi,

Pretty new to selinux.  I've worked through a lot of issues to get this far but am stumped at the moment
so any pointers, clues are appreciated.

I'm trying to add selinux to my custom image.  After running into problems, I decided it was best to
start with building core-image-selinux for my NXP imx8mm-evk board as a reference for getting my custom
image to work.

I'm using fsl-community-bsp meta-freescale Dunfell release which is building a 5.4.114 kernel.

My first issues were getting kernel config options right (.config attached).  I kept booting my rootfs
and sestatus would result in selinux not being enabled.

After getting kernel config somewhat worked out, then I started getting either boot loops or locked out.

I'll stay focused on my core-image-selinux image as hopefully if I can get it working it will help me
get my custom image working too.

Here is my last iteration of my local.conf that results in me not being able to log in.  With
core-image-selinux image, it freezes before it gets to login prompt.  On my custom image, I get log in
prompt but when I try to log in as root I get audit messages and dropped back to login prompt.

local.conf for core-image-selinux:

MACHINE ??= 'imx8mmevk'
DISTRO ?= 'poky'
PACKAGE_CLASSES ?= 'package_rpm'
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
DISTRO_FEATURES_remove = " sysvinit"
DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"

You can try refpolicy-mcs or refpolicy-targeted. The mls policy doesn't work for systemd on dunfell.

//Yi

Thank you very much for that!  I made that change to my core-image-selinux build and it worked!  When it
booted I saw a systemd process take a while to finish, I assume that was the relabel process.  And when I
logged in as root, there is a significant delay before being logged in, not sure what is going on there.

When I made the same change to my imx8mm-evk core-image-base image with selinux added, I saw the same
systemd process run but it didn't take quite as long and it made the system reboot.  Once it rebooted I did
get a login prompt but it won't let me login as root.  So something is still misconfigured and still at a
loss as to what to look at next.

I know nothing about this but I was surprised you were using busybox login
utilities with selinux. I'm not sure if that is well tested or not...

Cheers,

Richard
