meta-selinux issues. Depending on what I put in my local.conf, I get boot loops or can't log in.


Brian Hutchinson <b.hutchman@...>
 

Hi,

Pretty new to selinux.  I've worked through a lot of issues to get this far but am stumped at the moment so any pointers, clues are appreciated.

I'm trying to add selinux to my custom image.  After running into problems, I decided it was best to start with building core-image-selinux for my NXP imx8mm-evk board as a reference for getting my custom image to work.

I'm using fsl-community-bsp meta-freescale Dunfell release which is building a 5.4.114 kernel.

My first issues were getting kernel config options right (.config attached).  I kept booting my rootfs and sestatus would result in selinux not being enabled.

After getting kernel config somewhat worked out, then I started getting either boot loops or locked out.

I'll stay focused on my core-image-selinux image as hopefully if I can get it working it will help me get my custom image working too.

Here is my last iteration of my local.conf that results in me not being able to log in.  With the core-image-selinux image, it freezes before it gets to the login prompt.  On my custom image, I get a login prompt, but when I try to log in as root I get audit messages and am dropped back to the login prompt.

local.conf for core-image-selinux:

MACHINE ??= 'imx8mmevk'
DISTRO ?= 'poky'
PACKAGE_CLASSES ?= 'package_rpm'
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
DISTRO_FEATURES_remove = " sysvinit"
DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
USER_CLASSES ?= "buildstats image-mklibs image-prelink"
IMAGE_FSTYPES += " tar.bz2 ext4 wic.bz2 wic.bmap"
PATCHRESOLVE = "noop"
BB_DISKMON_DIRS ??= "\
   STOPTASKS,${TMPDIR},1G,100K \
   STOPTASKS,${DL_DIR},1G,100K \
   STOPTASKS,${SSTATE_DIR},1G,100K \
   STOPTASKS,/tmp,100M,100K \
   ABORT,${TMPDIR},100M,1K \
   ABORT,${DL_DIR},100M,1K \
   ABORT,${SSTATE_DIR},100M,1K \
   ABORT,/tmp,10M,1K"
PACKAGECONFIG_append_pn-qemu-system-native = " sdl"
CONF_VERSION = "1"

DL_DIR ?= "${BSPDIR}/downloads/"
ACCEPT_FSL_EULA = "1"

At first I did not have DISTRO_FEATURES_remove = " sysvinit" or any systemd settings.  This is when I started getting boot loops as described here:

The board would boot and I'd get tons of these "/sbin/restorecon: Could not set context for " bla, bla, bla "Read-only file system" messages ... but then I'd get a login prompt and I'd be able to log in as root and run sestatus:

Poky (Yocto Project Reference Distro) 3.1.7 imx8mmevk ttymxc1

imx8mmevk login: root
root@imx8mmevk:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31

This is when I paid more attention to the meta-selinux README https://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/README

... and added the DISTRO_FEATURES_remove = " sysvinit" and other systemd commands to my local.conf above since the "boot loop" link above talked about issues with sysvinit etc.

This left me with a boot that looks like this for my core-image-selinux build ... which locks up:

[    0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[    0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 1336216K/2064384K available (16508K kernel code, 1234K rwdata, 6480K rodata, 2880K init, 1038K bss, 72808K reserved, 655360K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Preemptible hierarchical RCU implementation.
[    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=256 to nr_cpu_ids=4.
[    0.000000]  Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[    0.000000] GICv3: 128 SPIs implemented
[    0.000000] GICv3: 0 Extended SPIs implemented
[    0.000000] GICv3: Distributor has no Range Selector support
[    0.000000] GICv3: 16 PPIs implemented
[    0.000000] GICv3: no VLPI support, no direct LPI support
[    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000
[    0.000000] ITS: No ITS available, not enabling LPIs
[    0.000000] random: get_random_bytes called from start_kernel+0x2b8/0x43c with crng_init=0
[    0.000000] arch_timer: cp15 timer(s) running at 8.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1d854df40, max_idle_ns: 440795202120 ns
[    0.000003] sched_clock: 56 bits at 8MHz, resolution 125ns, wraps every 2199023255500ns
[    0.008459] Console: colour dummy device 80x25
[    0.012580] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.00 BogoMIPS (lpj=32000)
[    0.022844] pid_max: default: 32768 minimum: 301
[    0.027543] LSM: Security Framework initializing
[    0.032140] SELinux:  Initializing.
[    0.035681] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.043062] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.052070] ASID allocator initialised with 32768 entries
[    0.056440] rcu: Hierarchical SRCU implementation.
[    0.062118] EFI services will not be available.
[    0.065893] smp: Bringing up secondary CPUs ...
[    0.070649] Detected VIPT I-cache on CPU1
[    0.070672] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000
[    0.070703] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.071102] Detected VIPT I-cache on CPU2
[    0.071119] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000
[    0.071137] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.071503] Detected VIPT I-cache on CPU3
[    0.071518] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000
[    0.071533] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.071584] smp: Brought up 1 node, 4 CPUs
[    0.126889] SMP: Total of 4 processors activated.
[    0.131608] CPU features: detected: 32-bit EL0 Support
[    0.136780] CPU features: detected: CRC32 instructions
[    0.148803] CPU: All CPU(s) started at EL2
[    0.150075] alternatives: patching kernel code
[    0.155994] devtmpfs: initialized
[    0.163617] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.170570] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.194282] pinctrl core: initialized pinctrl subsystem
[    0.197368] DMI not present or invalid.
[    0.200798] NET: Registered protocol family 16
[    0.212024] DMA: preallocated 256 KiB pool for atomic allocations
[    0.215321] audit: initializing netlink subsys (disabled)
[    0.220974] audit: type=2000 audit(0.160:1): state=initialized audit_enabled=0 res=1
[    0.228526] cpuidle: using governor menu
[    0.232929] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.240041] Serial: AMBA PL011 UART driver
[    0.243431] imx mu driver is registered.
[    0.247320] imx rpmsg driver is registered.
[    0.256460] imx8mm-pinctrl 30330000.pinctrl: initialized IMX pinctrl driver
[    0.277607] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[    0.281501] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[    0.288221] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.294958] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[    0.302578] cryptd: max_cpu_qlen set to 1000
[    0.308925] ACPI: Interpreter disabled.
[    0.310647] iommu: Default domain type: Translated  
[    0.314984] vgaarb: loaded
[    0.317796] SCSI subsystem initialized
[    0.321638] usbcore: registered new interface driver usbfs
[    0.326821] usbcore: registered new interface driver hub
[    0.332166] usbcore: registered new device driver usb
[    0.338386] mc: Linux media interface: v0.10
[    0.341521] videodev: Linux video capture interface: v2.00
[    0.347069] pps_core: LinuxPPS API ver. 1 registered
[    0.351999] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@...>
[    0.361194] PTP clock support registered
[    0.365250] EDAC MC: Ver: 3.0.0
[    0.369031] No BMan portals available!
[    0.372241] QMan: Allocated lookup table at (____ptrval____), entry count 65537
[    0.379650] No QMan portals available!
[    0.383528] No USDPAA memory, no 'fsl,usdpaa-mem' in device-tree
[    0.389580] FPGA manager framework
[    0.392665] Advanced Linux Sound Architecture Driver Initialized.
[    0.399103] Bluetooth: Core ver 2.22
[    0.402325] NET: Registered protocol family 31
[    0.406776] Bluetooth: HCI device and connection manager initialized
[    0.413165] Bluetooth: HCI socket layer initialized
[    0.418063] Bluetooth: L2CAP socket layer initialized
[    0.423145] Bluetooth: SCO socket layer initialized
[    0.428729] clocksource: Switched to clocksource arch_sys_counter
[    0.434318] VFS: Disk quotas dquot_6.6.0
[    0.438147] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.445173] pnp: PnP ACPI: disabled
[    0.454071] thermal_sys: Registered thermal governor 'step_wise'
[    0.454075] thermal_sys: Registered thermal governor 'power_allocator'
[    0.457567] NET: Registered protocol family 2
[    0.468500] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[    0.476800] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.484830] TCP bind hash table entries: 16384 (order: 6, 262144 bytes, linear)
[    0.492297] TCP: Hash tables configured (established 16384 bind 16384)
[    0.498720] UDP hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.505415] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.512695] NET: Registered protocol family 1
[    0.517249] RPC: Registered named UNIX socket transport module.
[    0.522882] RPC: Registered udp transport module.
[    0.527598] RPC: Registered tcp transport module.
[    0.532323] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.539172] PCI: CLS 0 bytes, default 64
[    0.543460] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[    0.550860] kvm [1]: IPA Size Limit: 40 bits
[    0.555419] kvm [1]: GICv3: no GICV resource entry
[    0.559628] kvm [1]: disabling GICv2 emulation
[    0.564099] kvm [1]: GIC system register CPU interface enabled
[    0.570004] kvm [1]: vgic interrupt IRQ1
[    0.573975] kvm [1]: Hyp mode initialized successfully
[    0.581824] Initialise system trusted keyrings
[    0.583614] workingset: timestamp_bits=44 max_order=19 bucket_order=0
[    0.595759] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.599368] NFS: Registering the id_resolver key type
[    0.603857] Key type id_resolver registered
[    0.608041] Key type id_legacy registered
[    0.612067] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.618796] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.626246] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.632759] 9p: Installing v9fs 9p2000 file system support
[    0.650797] Key type asymmetric registered
[    0.652038] Asymmetric key parser 'x509' registered
[    0.656972] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 244)
[    0.664383] io scheduler mq-deadline registered
[    0.668932] io scheduler kyber registered
[    0.677135] EINJ: ACPI disabled.
[    0.685891] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2
[    0.693543] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin
[    0.710746] mxs-dma 33000000.dma-controller: initialized
[    0.714250] Bus freq driver module loaded
[    0.722266] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.727674] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 34, base_baud = 1500000) is a IMX
[    0.734595] printk: console [ttymxc1] enabled
[    0.734595] printk: console [ttymxc1] enabled
[    0.743235] printk: bootconsole [ec_imx6q0] disabled
[    0.743235] printk: bootconsole [ec_imx6q0] disabled
[    0.755182] imx-drm soc@0:bus@32c00000:display-subsystem: no available port
[    0.773488] loop: module loaded
[    0.778553] imx ahci driver is registered.
[    0.785346] spi_imx 30830000.spi: probed
[    0.790183] spi-nor spi3.0: n25q256ax1 (32768 Kbytes)
[    0.795277] 7 fixed-partitions partitions found on MTD device 30bb0000.spi
[    0.802157] Creating 7 MTD partitions on "30bb0000.spi":
[    0.807477] 0x000000000000-0x000000200000 : "U-Boot"
[    0.817371] 0x000000200000-0x000000202000 : "U-Boot Env"
[    0.822696] mtd: partition "U-Boot Env" doesn't end on an erase/write block -- force read-only
[    0.833323] 0x000000202000-0x000000204000 : "U-Boot Env 2"
[    0.838819] mtd: partition "U-Boot Env 2" doesn't start on an erase/write block boundary -- force read-only
[    0.853314] 0x000000204000-0x000000205000 : "boot.scr"
[    0.858463] mtd: partition "boot.scr" doesn't start on an erase/write block boundary -- force read-only
[    0.869306] 0x000000205000-0x000000210000 : "Device Tree Blob"
[    0.875150] mtd: partition "Device Tree Blob" doesn't start on an erase/write block boundary -- force read-only
[    0.889320] 0x000000210000-0x000000e10000 : "Compressed Kernel"
[    0.897335] 0x000000e10000-0x000002000000 : "SquashFS"
[    0.906575] libphy: Fixed MDIO Bus: probed
[    0.911375] tun: Universal TUN/TAP device driver, 1.6
[    0.917133] thunder_xcv, ver 1.0
[    0.920386] thunder_bgx, ver 1.0
[    0.923649] nicpf, ver 1.0
[    0.927576] pps pps0: new PPS source ptp0
[    0.944110] libphy: fec_enet_mii_bus: probed
[    0.948923] fec 30be0000.ethernet eth0: registered PHC device 0
[    0.955395] Freescale FM module, FMD API version 21.1.0
[    0.960856] Freescale FM Ports module
[    0.964517] fsl_mac: fsl_mac: FSL FMan MAC API based driver
[    0.970260] fsl_dpa: FSL DPAA Ethernet driver
[    0.974714] fsl_advanced: FSL DPAA Advanced drivers:
[    0.979684] fsl_proxy: FSL DPAA Proxy initialization driver
[    0.985344] fsl_oh: FSL FMan Offline Parsing port driver
[    0.991426] hclge is initializing
[    0.994751] hns3: Hisilicon Ethernet Network Driver for Hip08 Family - version
[    1.001977] hns3: Copyright (c) 2017 Huawei Corporation.
[    1.007347] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    1.014400] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.020176] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[    1.026012] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    1.031967] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.6.0-k
[    1.038938] igb: Copyright (c) 2007-2014 Intel Corporation.
[    1.044545] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.4.0-k
[    1.052378] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[    1.058433] sky2: driver version 1.30
[    1.062933] VFIO - User Level meta-driver version: 0.3
[    1.069701] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.076239] ehci-pci: EHCI PCI platform driver
[    1.080767] ehci-platform: EHCI generic platform driver
[    1.086146] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    1.092348] ohci-pci: OHCI PCI platform driver
[    1.096826] ohci-platform: OHCI generic platform driver
[    1.102542] usbcore: registered new interface driver usb-storage
[    1.108613] usbcore: registered new interface driver usbserial_generic
[    1.115159] usbserial: USB Serial support registered for generic
[    1.121191] usbcore: registered new interface driver ftdi_sio
[    1.126952] usbserial: USB Serial support registered for FTDI USB Serial Device
[    1.134291] usbcore: registered new interface driver usb_serial_simple
[    1.140836] usbserial: USB Serial support registered for carelink
[    1.146944] usbserial: USB Serial support registered for zio
[    1.152619] usbserial: USB Serial support registered for funsoft
[    1.158641] usbserial: USB Serial support registered for flashloader
[    1.165010] usbserial: USB Serial support registered for google
[    1.170946] usbserial: USB Serial support registered for libtransistor
[    1.177489] usbserial: USB Serial support registered for vivopay
[    1.183513] usbserial: USB Serial support registered for moto_modem
[    1.189801] usbserial: USB Serial support registered for motorola_tetra
[    1.196438] usbserial: USB Serial support registered for novatel_gps
[    1.202809] usbserial: USB Serial support registered for hp4x
[    1.208572] usbserial: USB Serial support registered for suunto
[    1.214508] usbserial: USB Serial support registered for siemens_mpi
[    1.223211] input: 30370000.snvs:snvs-powerkey as /devices/platform/soc@0/soc@0:bus@30000000/30370000.snvs/30370000.snvs:snvs-powerkey/input/input0
[    1.238238] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc0
[    1.244505] i2c /dev entries driver
[    1.252447] imx2-wdt 30280000.watchdog: timeout 60 sec (nowayout=0)
[    1.258987] Bluetooth: HCI UART driver ver 2.3
[    1.263444] Bluetooth: HCI UART protocol H4 registered
[    1.268589] Bluetooth: HCI UART protocol BCSP registered
[    1.273925] Bluetooth: HCI UART protocol LL registered
[    1.279069] Bluetooth: HCI UART protocol ATH3K registered
[    1.284486] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    1.290836] Bluetooth: HCI UART protocol Broadcom registered
[    1.296520] Bluetooth: HCI UART protocol QCA registered
[    1.303494] sdhci: Secure Digital Host Controller Interface driver
[    1.309687] sdhci: Copyright(c) Pierre Ossman
[    1.314212] Synopsys Designware Multimedia Card Interface Driver
[    1.320736] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.327135] mmc1: CQHCI version 5.10
[    1.331200] mmc2: CQHCI version 5.10
[    1.366866] mmc2: SDHCI controller on 30b60000.mmc [30b60000.mmc] using ADMA
[    1.376165] ledtrig-cpu: registered to indicate activity on CPUs
[    1.383297] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[    1.390069] caam 30900000.crypto: job rings = 3, qi = 0
[    1.404678] caam algorithms registered in /proc/crypto
[    1.410556] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[    1.420079] caam_jr 30901000.jr: registering rng-caam
[    1.429895] caam-snvs 30370000.caam-snvs: can't get snvs clock
[    1.435783] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state
[    1.444200] usbcore: registered new interface driver usbhid
[    1.449780] usbhid: USB HID core driver
[    1.455330] No fsl,qman node
[    1.458228] Freescale USDPAA process driver
[    1.462416] fsl-usdpaa: no region found
[    1.466254] Freescale USDPAA process IRQ driver
[    1.474284] optee: probing for conduit method from DT.
[    1.479448] optee: revision 3.2 (6a22e6e8)
[    1.480265] optee: dynamic shared memory is enabled
[    1.489481] optee: initialized driver
[    1.495289] mmc2: Command Queue Engine enabled
[    1.496837] wm8524-codec audio-codec: Failed to get mute line: -517
[    1.499792] mmc2: new HS400 Enhanced strobe MMC card at address 0001
[    1.506505] OF: /sound-bt-sco/simple-audio-card,cpu: could not get #sound-dai-cells for /soc@0/bus@30000000/sai@30020000
[    1.513508] mmcblk2: mmc2:0001 DG4016 7.49 GiB  
[    1.523248] asoc-simple-card sound-bt-sco: parse error -22
[    1.523265] asoc-simple-card: probe of sound-bt-sco failed with error -22
[    1.527908] mmcblk2boot0: mmc2:0001 DG4016 partition 1 4.00 MiB
[    1.546163] mmcblk2boot1: mmc2:0001 DG4016 partition 2 4.00 MiB
[    1.547285] pktgen: Packet Generator for packet performance testing. Version: 2.75
[    1.552232] mmcblk2gp0: mmc2:0001 DG4016 partition 4 3.52 GiB
[    1.565904] mmcblk2rpmb: mmc2:0001 DG4016 partition 3 4.00 MiB, chardev (237:0)
[    1.566798] NET: Registered protocol family 26
[    1.578184] NET: Registered protocol family 10
[    1.582998]  mmcblk2: p1 p2
[    1.583960] Segment Routing with IPv6
[    1.589559] NET: Registered protocol family 17
[    1.594201]  mmcblk2gp0: p1 p2
[    1.594430] Bluetooth: RFCOMM TTY layer initialized
[    1.602179] Bluetooth: RFCOMM socket layer initialized
[    1.607335] Bluetooth: RFCOMM ver 1.11
[    1.611099] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.616414] Bluetooth: BNEP filters: protocol multicast
[    1.621653] Bluetooth: BNEP socket layer initialized
[    1.626623] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.632549] Bluetooth: HIDP socket layer initialized
[    1.637554] 8021q: 802.1Q VLAN Support v1.8
[    1.641764] lib80211: common routines for IEEE802.11 drivers
[    1.647544] 9pnet: Installing 9P2000 support
[    1.651845] tsn generic netlink module v1 init...
[    1.656632] Key type dns_resolver registered
[    1.661668] registered taskstats version 1
[    1.665794] Loading compiled-in X.509 certificates
[    1.692510] usb_phy_generic usbphynop1: usbphynop1 supply vcc not found, using dummy regulator
[    1.701297] usb_phy_generic usbphynop2: usbphynop2 supply vcc not found, using dummy regulator
[    1.733590] random: fast init done
[    1.738992] LDO6: supplied by regulator-dummy
[    1.743499] i2c i2c-0: IMX I2C adapter registered
[    1.749209] i2c i2c-1: IMX I2C adapter registered
[    1.754765] i2c i2c-2: IMX I2C adapter registered
[    1.760259] i2c i2c-3: IMX I2C adapter registered
[    1.765281] imx-cpufreq-dt imx-cpufreq-dt: cpu speed grade 2 mkt segment 2 supported-hw 0x4 0x4
[    1.777862] mmc1: CQHCI version 5.10
[    1.781506] sdhci-esdhc-imx 30b50000.mmc: Got CD GPIO
[    1.817451] mmc1: SDHCI controller on 30b50000.mmc [30b50000.mmc] using ADMA
[    1.826135] imx8mm-pinctrl 30330000.pinctrl: pin MX8MM_IOMUXC_I2C4_SDA already requested by 30a50000.i2c; cannot claim for audio-codec
[    1.838253] imx8mm-pinctrl 30330000.pinctrl: pin-140 (audio-codec) status -22
[    1.845397] imx8mm-pinctrl 30330000.pinctrl: could not request pin 140 (MX8MM_IOMUXC_I2C4_SDA) from group gpiowlfgrp  on device 30330000.pinctrl
[    1.858357] wm8524-codec audio-codec: Error applying setting, reverse things back
[    1.865856] wm8524-codec: probe of audio-codec failed with error -22
[    1.876549] input: bd718xx-pwrkey as /devices/platform/soc@0/soc@0:bus@30800000/30a20000.i2c/i2c-0/0-004b/gpio-keys.1.auto/input/input1
[    1.890300] snvs_rtc 30370000.snvs:snvs-rtc-lp: setting system clock to 1970-01-01T00:00:00 UTC (0)
[    1.899718] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    1.911354] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    1.917963] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[    1.923612] ALSA device list:
[    1.926586] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[    1.929550]   No soundcards found.
[    1.947317] EXT4-fs (mmcblk2p2): mounted filesystem with ordered data mode. Opts: (null)
[    1.955496] VFS: Mounted root (ext4 filesystem) readonly on device 179:2.
[    1.963119] devtmpfs: mounted
[    1.966900] Freeing unused kernel memory: 2880K
[    1.989378] Run /sbin/init as init process
[    2.059403] audit: type=1404 audit(1.969:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[    2.199361] SELinux:  Permission watch in class filesystem not defined in policy.
[    2.206919] SELinux:  Permission watch in class file not defined in policy.
[    2.213885] SELinux:  Permission watch_mount in class file not defined in policy.
[    2.221377] SELinux:  Permission watch_sb in class file not defined in policy.
[    2.228601] SELinux:  Permission watch_with_perm in class file not defined in policy.
[    2.236441] SELinux:  Permission watch_reads in class file not defined in policy.
[    2.243935] SELinux:  Permission watch in class dir not defined in policy.
[    2.250819] SELinux:  Permission watch_mount in class dir not defined in policy.
[    2.258216] SELinux:  Permission watch_sb in class dir not defined in policy.
[    2.265361] SELinux:  Permission watch_with_perm in class dir not defined in policy.
[    2.273105] SELinux:  Permission watch_reads in class dir not defined in policy.
[    2.280520] SELinux:  Permission watch in class lnk_file not defined in policy.
[    2.287830] SELinux:  Permission watch_mount in class lnk_file not defined in policy.
[    2.295669] SELinux:  Permission watch_sb in class lnk_file not defined in policy.
[    2.303239] SELinux:  Permission watch_with_perm in class lnk_file not defined in policy.
[    2.311429] SELinux:  Permission watch_reads in class lnk_file not defined in policy.
[    2.319266] SELinux:  Permission watch in class chr_file not defined in policy.
[    2.326585] SELinux:  Permission watch_mount in class chr_file not defined in policy.
[    2.334416] SELinux:  Permission watch_sb in class chr_file not defined in policy.
[    2.341994] SELinux:  Permission watch_with_perm in class chr_file not defined in policy.
[    2.350172] SELinux:  Permission watch_reads in class chr_file not defined in policy.
[    2.358021] SELinux:  Permission watch in class blk_file not defined in policy.
[    2.365332] SELinux:  Permission watch_mount in class blk_file not defined in policy.
[    2.373171] SELinux:  Permission watch_sb in class blk_file not defined in policy.
[    2.380742] SELinux:  Permission watch_with_perm in class blk_file not defined in policy.
[    2.388927] SELinux:  Permission watch_reads in class blk_file not defined in policy.
[    2.396765] SELinux:  Permission watch in class sock_file not defined in policy.
[    2.404171] SELinux:  Permission watch_mount in class sock_file not defined in policy.
[    2.412088] SELinux:  Permission watch_sb in class sock_file not defined in policy.
[    2.419757] SELinux:  Permission watch_with_perm in class sock_file not defined in policy.
[    2.428022] SELinux:  Permission watch_reads in class sock_file not defined in policy.
[    2.435953] SELinux:  Permission watch in class fifo_file not defined in policy.
[    2.443350] SELinux:  Permission watch_mount in class fifo_file not defined in policy.
[    2.451275] SELinux:  Permission watch_sb in class fifo_file not defined in policy.
[    2.458933] SELinux:  Permission watch_with_perm in class fifo_file not defined in policy.
[    2.467206] SELinux:  Permission watch_reads in class fifo_file not defined in policy.
[    2.475450] SELinux: the above unknown classes and permissions will be allowed
[    2.482716] SELinux:  policy capability network_peer_controls=1
[    2.488638] SELinux:  policy capability open_perms=1
[    2.493612] SELinux:  policy capability extended_socket_class=1
[    2.499534] SELinux:  policy capability always_check_network=0
[    2.505375] SELinux:  policy capability cgroup_seclabel=1
[    2.510776] SELinux:  policy capability nnp_nosuid_transition=1
[    2.551944] audit: type=1403 audit(2.461:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    2.560140] systemd[1]: Successfully loaded SELinux policy in 501.858ms.
[    2.585453] systemd[1]: System time before build time, advancing clock.
[    2.596311] systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
[    2.596451] audit: type=1401 audit(1600598638.004:4): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclassr
[    2.606247] systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
[    2.627743] audit: type=1400 audit(1600598638.016:5): avc:  denied  { create } for  pid=1 comm="systemd" name="shm" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
[    2.637910] systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
[    2.655581] audit: type=1400 audit(1600598638.044:6): avc:  denied  { create } for  pid=1 comm="systemd" name="pts" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
[    2.665724] systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
[    2.685536] audit: type=1401 audit(1600598638.048:7): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 taskcontext=system_u:system_r:kernel_t:s15:c0r
[    2.719230] audit: type=1401 audit(1600598638.076:8): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:cgroup_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=r
[    2.741846] audit: type=1400 audit(1600598638.108:9): avc:  denied  { create } for  pid=1 comm="systemd" name="bpf" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
[!!!!!!] Failed to mount API filesystems.
[    2.780814] systemd[1]: Freezing execution.
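
Added example (not part of the original posts): a small triage script for the SELinux audit records in a boot log like the one above. It pulls out each denial, the domain the denied task was running in, and whether the MLS range of the task differs from that of the object or requested label. The function names are hypothetical, the four sample records are copied from the log above, and the range comparison is a plain string comparison meant as a pointer for where to look, not a policy evaluation.

```python
import re
from collections import Counter

# Four audit records copied from the boot log in the post above
# (console-truncated tails are left exactly as they appear there).
SAMPLE_LOG = """\
[    2.596451] audit: type=1401 audit(1600598638.004:4): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclassr
[    2.627743] audit: type=1400 audit(1600598638.016:5): avc:  denied  { create } for  pid=1 comm="systemd" name="shm" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
[    2.655581] audit: type=1400 audit(1600598638.044:6): avc:  denied  { create } for  pid=1 comm="systemd" name="pts" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
[    2.741846] audit: type=1400 audit(1600598638.108:9): avc:  denied  { create } for  pid=1 comm="systemd" name="bpf" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
"""

AUDIT_RE = re.compile(r"audit: type=(\d+) audit\(([\d.]+):(\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def parse_audit_line(line):
    """Return a dict for an SELinux denial record, or None for any other line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rtype, _stamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    if rtype == "1400" and "denied" in body:            # AUDIT_AVC
        kind, subj_key, obj_key = "avc", "scontext", "tcontext"
    elif rtype == "1401" and fields.get("seresult") == "denied":  # AUDIT_SELINUX_ERR
        kind, subj_key, obj_key = "validate_transition", "taskcontext", "newcontext"
    else:
        return None
    subject = parse_context(fields.get(subj_key, ""))
    obj = parse_context(fields.get(obj_key, ""))
    if subject is None or obj is None:
        return None                                      # too truncated to use
    perms = PERMS_RE.search(body)
    return {
        "serial": int(serial),
        "kind": kind,
        "perms": perms.group(1).split() if perms else [],
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "subject": subject,
        "object": obj,
        "old": parse_context(fields.get("oldcontext", "")),
        # String comparison of the ranges only; a hint, not a policy decision.
        "level_differs": subject["level"] != obj["level"],
    }


def triage(log_text):
    """Collect denial records and two summaries useful when reading a boot log."""
    records = [r for r in map(parse_audit_line, log_text.splitlines()) if r]
    return {
        "records": records,
        "subject_types": Counter(r["subject"]["type"] for r in records),
        "level_differs": [r["serial"] for r in records if r["level_differs"]],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for r in report["records"]:
        what = ",".join(r["perms"]) or "relabel"
        print(f'#{r["serial"]:<3} {r["kind"]:<20} {what:<8} '
              f'{r["subject"]["type"]}:{r["subject"]["level"]} -> '
              f'{r["object"]["type"]}:{r["object"]["level"]}')
    print("task domains:", dict(report["subject_types"]))
    print("records with differing ranges:", report["level_differs"])
```

To run it against a full capture, pass the saved console output to `triage()` instead of `SAMPLE_LOG`.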


Yi Zhao
 


On 5/14/21 9:40 AM, Brian Hutchinson wrote:
local.conf for core-image-selinux:

MACHINE ??= 'imx8mmevk'
DISTRO ?= 'poky'
PACKAGE_CLASSES ?= 'package_rpm'
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
DISTRO_FEATURES_remove = " sysvinit"
DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"


You can try refpolicy-mcs or refpolicy-targeted. The mls policy doesn't work for systemd on dunfell.

//Yi

[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[    0.000000] GICv3: 128 SPIs implemented
[    0.000000] GICv3: 0 Extended SPIs implemented
[    0.000000] GICv3: Distributor has no Range Selector support
[    0.000000] GICv3: 16 PPIs implemented
[    0.000000] GICv3: no VLPI support, no direct LPI support
[    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000
[    0.000000] ITS: No ITS available, not enabling LPIs
[    0.000000] random: get_random_bytes called from start_kernel+0x2b8/0x43c with crng_init=0
[    0.000000] arch_timer: cp15 timer(s) running at 8.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1d854df40, max_idle_ns: 440795202120 ns
[    0.000003] sched_clock: 56 bits at 8MHz, resolution 125ns, wraps every 2199023255500ns
[    0.008459] Console: colour dummy device 80x25
[    0.012580] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.00 BogoMIPS (lpj=32000)
[    0.022844] pid_max: default: 32768 minimum: 301
[    0.027543] LSM: Security Framework initializing
[    0.032140] SELinux:  Initializing.
[    0.035681] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.043062] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.052070] ASID allocator initialised with 32768 entries
[    0.056440] rcu: Hierarchical SRCU implementation.
[    0.062118] EFI services will not be available.
[    0.065893] smp: Bringing up secondary CPUs ...
[    0.070649] Detected VIPT I-cache on CPU1
[    0.070672] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000
[    0.070703] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.071102] Detected VIPT I-cache on CPU2
[    0.071119] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000
[    0.071137] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.071503] Detected VIPT I-cache on CPU3
[    0.071518] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000
[    0.071533] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.071584] smp: Brought up 1 node, 4 CPUs
[    0.126889] SMP: Total of 4 processors activated.
[    0.131608] CPU features: detected: 32-bit EL0 Support
[    0.136780] CPU features: detected: CRC32 instructions
[    0.148803] CPU: All CPU(s) started at EL2
[    0.150075] alternatives: patching kernel code
[    0.155994] devtmpfs: initialized
[    0.163617] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.170570] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.194282] pinctrl core: initialized pinctrl subsystem
[    0.197368] DMI not present or invalid.
[    0.200798] NET: Registered protocol family 16
[    0.212024] DMA: preallocated 256 KiB pool for atomic allocations
[    0.215321] audit: initializing netlink subsys (disabled)
[    0.220974] audit: type=2000 audit(0.160:1): state=initialized audit_enabled=0 res=1
[    0.228526] cpuidle: using governor menu
[    0.232929] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.240041] Serial: AMBA PL011 UART driver
[    0.243431] imx mu driver is registered.
[    0.247320] imx rpmsg driver is registered.
[    0.256460] imx8mm-pinctrl 30330000.pinctrl: initialized IMX pinctrl driver
[    0.277607] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[    0.281501] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[    0.288221] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.294958] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[    0.302578] cryptd: max_cpu_qlen set to 1000
[    0.308925] ACPI: Interpreter disabled.
[    0.310647] iommu: Default domain type: Translated  
[    0.314984] vgaarb: loaded
[    0.317796] SCSI subsystem initialized
[    0.321638] usbcore: registered new interface driver usbfs
[    0.326821] usbcore: registered new interface driver hub
[    0.332166] usbcore: registered new device driver usb
[    0.338386] mc: Linux media interface: v0.10
[    0.341521] videodev: Linux video capture interface: v2.00
[    0.347069] pps_core: LinuxPPS API ver. 1 registered
[    0.351999] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@...>
[    0.361194] PTP clock support registered
[    0.365250] EDAC MC: Ver: 3.0.0
[    0.369031] No BMan portals available!
[    0.372241] QMan: Allocated lookup table at (____ptrval____), entry count 65537
[    0.379650] No QMan portals available!
[    0.383528] No USDPAA memory, no 'fsl,usdpaa-mem' in device-tree
[    0.389580] FPGA manager framework
[    0.392665] Advanced Linux Sound Architecture Driver Initialized.
[    0.399103] Bluetooth: Core ver 2.22
[    0.402325] NET: Registered protocol family 31
[    0.406776] Bluetooth: HCI device and connection manager initialized
[    0.413165] Bluetooth: HCI socket layer initialized
[    0.418063] Bluetooth: L2CAP socket layer initialized
[    0.423145] Bluetooth: SCO socket layer initialized
[    0.428729] clocksource: Switched to clocksource arch_sys_counter
[    0.434318] VFS: Disk quotas dquot_6.6.0
[    0.438147] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.445173] pnp: PnP ACPI: disabled
[    0.454071] thermal_sys: Registered thermal governor 'step_wise'
[    0.454075] thermal_sys: Registered thermal governor 'power_allocator'
[    0.457567] NET: Registered protocol family 2
[    0.468500] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[    0.476800] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.484830] TCP bind hash table entries: 16384 (order: 6, 262144 bytes, linear)
[    0.492297] TCP: Hash tables configured (established 16384 bind 16384)
[    0.498720] UDP hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.505415] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.512695] NET: Registered protocol family 1
[    0.517249] RPC: Registered named UNIX socket transport module.
[    0.522882] RPC: Registered udp transport module.
[    0.527598] RPC: Registered tcp transport module.
[    0.532323] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.539172] PCI: CLS 0 bytes, default 64
[    0.543460] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[    0.550860] kvm [1]: IPA Size Limit: 40 bits
[    0.555419] kvm [1]: GICv3: no GICV resource entry
[    0.559628] kvm [1]: disabling GICv2 emulation
[    0.564099] kvm [1]: GIC system register CPU interface enabled
[    0.570004] kvm [1]: vgic interrupt IRQ1
[    0.573975] kvm [1]: Hyp mode initialized successfully
[    0.581824] Initialise system trusted keyrings
[    0.583614] workingset: timestamp_bits=44 max_order=19 bucket_order=0
[    0.595759] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.599368] NFS: Registering the id_resolver key type
[    0.603857] Key type id_resolver registered
[    0.608041] Key type id_legacy registered
[    0.612067] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.618796] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.626246] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.632759] 9p: Installing v9fs 9p2000 file system support
[    0.650797] Key type asymmetric registered
[    0.652038] Asymmetric key parser 'x509' registered
[    0.656972] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 244)
[    0.664383] io scheduler mq-deadline registered
[    0.668932] io scheduler kyber registered
[    0.677135] EINJ: ACPI disabled.
[    0.685891] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2
[    0.693543] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin
[    0.710746] mxs-dma 33000000.dma-controller: initialized
[    0.714250] Bus freq driver module loaded
[    0.722266] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.727674] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 34, base_baud = 1500000) is a IMX
[    0.734595] printk: console [ttymxc1] enabled
[    0.734595] printk: console [ttymxc1] enabled
[    0.743235] printk: bootconsole [ec_imx6q0] disabled
[    0.743235] printk: bootconsole [ec_imx6q0] disabled
[    0.755182] imx-drm soc@0:bus@32c00000:display-subsystem: no available port
[    0.773488] loop: module loaded
[    0.778553] imx ahci driver is registered.
[    0.785346] spi_imx 30830000.spi: probed
[    0.790183] spi-nor spi3.0: n25q256ax1 (32768 Kbytes)
[    0.795277] 7 fixed-partitions partitions found on MTD device 30bb0000.spi
[    0.802157] Creating 7 MTD partitions on "30bb0000.spi":
[    0.807477] 0x000000000000-0x000000200000 : "U-Boot"
[    0.817371] 0x000000200000-0x000000202000 : "U-Boot Env"
[    0.822696] mtd: partition "U-Boot Env" doesn't end on an erase/write block -- force read-only
[    0.833323] 0x000000202000-0x000000204000 : "U-Boot Env 2"
[    0.838819] mtd: partition "U-Boot Env 2" doesn't start on an erase/write block boundary -- force read-only
[    0.853314] 0x000000204000-0x000000205000 : "boot.scr"
[    0.858463] mtd: partition "boot.scr" doesn't start on an erase/write block boundary -- force read-only
[    0.869306] 0x000000205000-0x000000210000 : "Device Tree Blob"
[    0.875150] mtd: partition "Device Tree Blob" doesn't start on an erase/write block boundary -- force read-only
[    0.889320] 0x000000210000-0x000000e10000 : "Compressed Kernel"
[    0.897335] 0x000000e10000-0x000002000000 : "SquashFS"
[    0.906575] libphy: Fixed MDIO Bus: probed
[    0.911375] tun: Universal TUN/TAP device driver, 1.6
[    0.917133] thunder_xcv, ver 1.0
[    0.920386] thunder_bgx, ver 1.0
[    0.923649] nicpf, ver 1.0
[    0.927576] pps pps0: new PPS source ptp0
[    0.944110] libphy: fec_enet_mii_bus: probed
[    0.948923] fec 30be0000.ethernet eth0: registered PHC device 0
[    0.955395] Freescale FM module, FMD API version 21.1.0
[    0.960856] Freescale FM Ports module
[    0.964517] fsl_mac: fsl_mac: FSL FMan MAC API based driver
[    0.970260] fsl_dpa: FSL DPAA Ethernet driver
[    0.974714] fsl_advanced: FSL DPAA Advanced drivers:
[    0.979684] fsl_proxy: FSL DPAA Proxy initialization driver
[    0.985344] fsl_oh: FSL FMan Offline Parsing port driver
[    0.991426] hclge is initializing
[    0.994751] hns3: Hisilicon Ethernet Network Driver for Hip08 Family - version
[    1.001977] hns3: Copyright (c) 2017 Huawei Corporation.
[    1.007347] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    1.014400] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.020176] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[    1.026012] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    1.031967] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.6.0-k
[    1.038938] igb: Copyright (c) 2007-2014 Intel Corporation.
[    1.044545] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.4.0-k
[    1.052378] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[    1.058433] sky2: driver version 1.30
[    1.062933] VFIO - User Level meta-driver version: 0.3
[    1.069701] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.076239] ehci-pci: EHCI PCI platform driver
[    1.080767] ehci-platform: EHCI generic platform driver
[    1.086146] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    1.092348] ohci-pci: OHCI PCI platform driver
[    1.096826] ohci-platform: OHCI generic platform driver
[    1.102542] usbcore: registered new interface driver usb-storage
[    1.108613] usbcore: registered new interface driver usbserial_generic
[    1.115159] usbserial: USB Serial support registered for generic
[    1.121191] usbcore: registered new interface driver ftdi_sio
[    1.126952] usbserial: USB Serial support registered for FTDI USB Serial Device
[    1.134291] usbcore: registered new interface driver usb_serial_simple
[    1.140836] usbserial: USB Serial support registered for carelink
[    1.146944] usbserial: USB Serial support registered for zio
[    1.152619] usbserial: USB Serial support registered for funsoft
[    1.158641] usbserial: USB Serial support registered for flashloader
[    1.165010] usbserial: USB Serial support registered for google
[    1.170946] usbserial: USB Serial support registered for libtransistor
[    1.177489] usbserial: USB Serial support registered for vivopay
[    1.183513] usbserial: USB Serial support registered for moto_modem
[    1.189801] usbserial: USB Serial support registered for motorola_tetra
[    1.196438] usbserial: USB Serial support registered for novatel_gps
[    1.202809] usbserial: USB Serial support registered for hp4x
[    1.208572] usbserial: USB Serial support registered for suunto
[    1.214508] usbserial: USB Serial support registered for siemens_mpi
[    1.223211] input: 30370000.snvs:snvs-powerkey as /devices/platform/soc@0/soc@0:bus@30000000/30370000.snvs/30370000.snvs:snvs-powerkey/input/input0
[    1.238238] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc0
[    1.244505] i2c /dev entries driver
[    1.252447] imx2-wdt 30280000.watchdog: timeout 60 sec (nowayout=0)
[    1.258987] Bluetooth: HCI UART driver ver 2.3
[    1.263444] Bluetooth: HCI UART protocol H4 registered
[    1.268589] Bluetooth: HCI UART protocol BCSP registered
[    1.273925] Bluetooth: HCI UART protocol LL registered
[    1.279069] Bluetooth: HCI UART protocol ATH3K registered
[    1.284486] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    1.290836] Bluetooth: HCI UART protocol Broadcom registered
[    1.296520] Bluetooth: HCI UART protocol QCA registered
[    1.303494] sdhci: Secure Digital Host Controller Interface driver
[    1.309687] sdhci: Copyright(c) Pierre Ossman
[    1.314212] Synopsys Designware Multimedia Card Interface Driver
[    1.320736] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.327135] mmc1: CQHCI version 5.10
[    1.331200] mmc2: CQHCI version 5.10
[    1.366866] mmc2: SDHCI controller on 30b60000.mmc [30b60000.mmc] using ADMA
[    1.376165] ledtrig-cpu: registered to indicate activity on CPUs
[    1.383297] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[    1.390069] caam 30900000.crypto: job rings = 3, qi = 0
[    1.404678] caam algorithms registered in /proc/crypto
[    1.410556] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[    1.420079] caam_jr 30901000.jr: registering rng-caam
[    1.429895] caam-snvs 30370000.caam-snvs: can't get snvs clock
[    1.435783] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state
[    1.444200] usbcore: registered new interface driver usbhid
[    1.449780] usbhid: USB HID core driver
[    1.455330] No fsl,qman node
[    1.458228] Freescale USDPAA process driver
[    1.462416] fsl-usdpaa: no region found
[    1.466254] Freescale USDPAA process IRQ driver
[    1.474284] optee: probing for conduit method from DT.
[    1.479448] optee: revision 3.2 (6a22e6e8)
[    1.480265] optee: dynamic shared memory is enabled
[    1.489481] optee: initialized driver
[    1.495289] mmc2: Command Queue Engine enabled
[    1.496837] wm8524-codec audio-codec: Failed to get mute line: -517
[    1.499792] mmc2: new HS400 Enhanced strobe MMC card at address 0001
[    1.506505] OF: /sound-bt-sco/simple-audio-card,cpu: could not get #sound-dai-cells for /soc@0/bus@30000000/sai@30020000
[    1.513508] mmcblk2: mmc2:0001 DG4016 7.49 GiB  
[    1.523248] asoc-simple-card sound-bt-sco: parse error -22
[    1.523265] asoc-simple-card: probe of sound-bt-sco failed with error -22
[    1.527908] mmcblk2boot0: mmc2:0001 DG4016 partition 1 4.00 MiB
[    1.546163] mmcblk2boot1: mmc2:0001 DG4016 partition 2 4.00 MiB
[    1.547285] pktgen: Packet Generator for packet performance testing. Version: 2.75
[    1.552232] mmcblk2gp0: mmc2:0001 DG4016 partition 4 3.52 GiB
[    1.565904] mmcblk2rpmb: mmc2:0001 DG4016 partition 3 4.00 MiB, chardev (237:0)
[    1.566798] NET: Registered protocol family 26
[    1.578184] NET: Registered protocol family 10
[    1.582998]  mmcblk2: p1 p2
[    1.583960] Segment Routing with IPv6
[    1.589559] NET: Registered protocol family 17
[    1.594201]  mmcblk2gp0: p1 p2
[    1.594430] Bluetooth: RFCOMM TTY layer initialized
[    1.602179] Bluetooth: RFCOMM socket layer initialized
[    1.607335] Bluetooth: RFCOMM ver 1.11
[    1.611099] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.616414] Bluetooth: BNEP filters: protocol multicast
[    1.621653] Bluetooth: BNEP socket layer initialized
[    1.626623] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.632549] Bluetooth: HIDP socket layer initialized
[    1.637554] 8021q: 802.1Q VLAN Support v1.8
[    1.641764] lib80211: common routines for IEEE802.11 drivers
[    1.647544] 9pnet: Installing 9P2000 support
[    1.651845] tsn generic netlink module v1 init...
[    1.656632] Key type dns_resolver registered
[    1.661668] registered taskstats version 1
[    1.665794] Loading compiled-in X.509 certificates
[    1.692510] usb_phy_generic usbphynop1: usbphynop1 supply vcc not found, using dummy regulator
[    1.701297] usb_phy_generic usbphynop2: usbphynop2 supply vcc not found, using dummy regulator
[    1.733590] random: fast init done
[    1.738992] LDO6: supplied by regulator-dummy
[    1.743499] i2c i2c-0: IMX I2C adapter registered
[    1.749209] i2c i2c-1: IMX I2C adapter registered
[    1.754765] i2c i2c-2: IMX I2C adapter registered
[    1.760259] i2c i2c-3: IMX I2C adapter registered
[    1.765281] imx-cpufreq-dt imx-cpufreq-dt: cpu speed grade 2 mkt segment 2 supported-hw 0x4 0x4
[    1.777862] mmc1: CQHCI version 5.10
[    1.781506] sdhci-esdhc-imx 30b50000.mmc: Got CD GPIO
[    1.817451] mmc1: SDHCI controller on 30b50000.mmc [30b50000.mmc] using ADMA
[    1.826135] imx8mm-pinctrl 30330000.pinctrl: pin MX8MM_IOMUXC_I2C4_SDA already requested by 30a50000.i2c; cannot claim for audio-codec
[    1.838253] imx8mm-pinctrl 30330000.pinctrl: pin-140 (audio-codec) status -22
[    1.845397] imx8mm-pinctrl 30330000.pinctrl: could not request pin 140 (MX8MM_IOMUXC_I2C4_SDA) from group gpiowlfgrp  on device 30330000.pinctrl
[    1.858357] wm8524-codec audio-codec: Error applying setting, reverse things back
[    1.865856] wm8524-codec: probe of audio-codec failed with error -22
[    1.876549] input: bd718xx-pwrkey as /devices/platform/soc@0/soc@0:bus@30800000/30a20000.i2c/i2c-0/0-004b/gpio-keys.1.auto/input/input1
[    1.890300] snvs_rtc 30370000.snvs:snvs-rtc-lp: setting system clock to 1970-01-01T00:00:00 UTC (0)
[    1.899718] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    1.911354] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    1.917963] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[    1.923612] ALSA device list:
[    1.926586] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[    1.929550]   No soundcards found.
[    1.947317] EXT4-fs (mmcblk2p2): mounted filesystem with ordered data mode. Opts: (null)
[    1.955496] VFS: Mounted root (ext4 filesystem) readonly on device 179:2.
[    1.963119] devtmpfs: mounted
[    1.966900] Freeing unused kernel memory: 2880K
[    1.989378] Run /sbin/init as init process
[    2.059403] audit: type=1404 audit(1.969:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[    2.199361] SELinux:  Permission watch in class filesystem not defined in policy.
[    2.206919] SELinux:  Permission watch in class file not defined in policy.
[    2.213885] SELinux:  Permission watch_mount in class file not defined in policy.
[    2.221377] SELinux:  Permission watch_sb in class file not defined in policy.
[    2.228601] SELinux:  Permission watch_with_perm in class file not defined in policy.
[    2.236441] SELinux:  Permission watch_reads in class file not defined in policy.
[    2.243935] SELinux:  Permission watch in class dir not defined in policy.
[    2.250819] SELinux:  Permission watch_mount in class dir not defined in policy.
[    2.258216] SELinux:  Permission watch_sb in class dir not defined in policy.
[    2.265361] SELinux:  Permission watch_with_perm in class dir not defined in policy.
[    2.273105] SELinux:  Permission watch_reads in class dir not defined in policy.
[    2.280520] SELinux:  Permission watch in class lnk_file not defined in policy.
[    2.287830] SELinux:  Permission watch_mount in class lnk_file not defined in policy.
[    2.295669] SELinux:  Permission watch_sb in class lnk_file not defined in policy.
[    2.303239] SELinux:  Permission watch_with_perm in class lnk_file not defined in policy.
[    2.311429] SELinux:  Permission watch_reads in class lnk_file not defined in policy.
[    2.319266] SELinux:  Permission watch in class chr_file not defined in policy.
[    2.326585] SELinux:  Permission watch_mount in class chr_file not defined in policy.
[    2.334416] SELinux:  Permission watch_sb in class chr_file not defined in policy.
[    2.341994] SELinux:  Permission watch_with_perm in class chr_file not defined in policy.
[    2.350172] SELinux:  Permission watch_reads in class chr_file not defined in policy.
[    2.358021] SELinux:  Permission watch in class blk_file not defined in policy.
[    2.365332] SELinux:  Permission watch_mount in class blk_file not defined in policy.
[    2.373171] SELinux:  Permission watch_sb in class blk_file not defined in policy.
[    2.380742] SELinux:  Permission watch_with_perm in class blk_file not defined in policy.
[    2.388927] SELinux:  Permission watch_reads in class blk_file not defined in policy.
[    2.396765] SELinux:  Permission watch in class sock_file not defined in policy.
[    2.404171] SELinux:  Permission watch_mount in class sock_file not defined in policy.
[    2.412088] SELinux:  Permission watch_sb in class sock_file not defined in policy.
[    2.419757] SELinux:  Permission watch_with_perm in class sock_file not defined in policy.
[    2.428022] SELinux:  Permission watch_reads in class sock_file not defined in policy.
[    2.435953] SELinux:  Permission watch in class fifo_file not defined in policy.
[    2.443350] SELinux:  Permission watch_mount in class fifo_file not defined in policy.
[    2.451275] SELinux:  Permission watch_sb in class fifo_file not defined in policy.
[    2.458933] SELinux:  Permission watch_with_perm in class fifo_file not defined in policy.
[    2.467206] SELinux:  Permission watch_reads in class fifo_file not defined in policy.
[    2.475450] SELinux: the above unknown classes and permissions will be allowed
[    2.482716] SELinux:  policy capability network_peer_controls=1
[    2.488638] SELinux:  policy capability open_perms=1
[    2.493612] SELinux:  policy capability extended_socket_class=1
[    2.499534] SELinux:  policy capability always_check_network=0
[    2.505375] SELinux:  policy capability cgroup_seclabel=1
[    2.510776] SELinux:  policy capability nnp_nosuid_transition=1
[    2.551944] audit: type=1403 audit(2.461:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    2.560140] systemd[1]: Successfully loaded SELinux policy in 501.858ms.
[    2.585453] systemd[1]: System time before build time, advancing clock.
[    2.596311] systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
[    2.596451] audit: type=1401 audit(1600598638.004:4): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclassr
[    2.606247] systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
[    2.627743] audit: type=1400 audit(1600598638.016:5): avc:  denied  { create } for  pid=1 comm="systemd" name="shm" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
[    2.637910] systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
[    2.655581] audit: type=1400 audit(1600598638.044:6): avc:  denied  { create } for  pid=1 comm="systemd" name="pts" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
[    2.665724] systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
[    2.685536] audit: type=1401 audit(1600598638.048:7): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 taskcontext=system_u:system_r:kernel_t:s15:c0r
[    2.719230] audit: type=1401 audit(1600598638.076:8): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:cgroup_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=r
[    2.741846] audit: type=1400 audit(1600598638.108:9): avc:  denied  { create } for  pid=1 comm="systemd" name="bpf" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
[!!!!!!] Failed to mount API filesystems.
[    2.780814] systemd[1]: Freezing execution.
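
To read the audit records at the end of the boot log above, here is an added example (not part of the thread and not code from meta-selinux) that parses the `type=1400` and `type=1401` lines and reports the MLS level of the denied task next to the level of the object it touched. The class and function names are illustrative; the sample lines are copied from that log, including one record the console cut short.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Lines copied from the boot log quoted above; the type=1401 record is cut off
# by the serial console ("tclassr"), exactly as it appears there.
SAMPLE_LOG = r"""
[    2.596311] systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
[    2.596451] audit: type=1401 audit(1600598638.004:4): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclassr
[    2.627743] audit: type=1400 audit(1600598638.016:5): avc:  denied  { create } for  pid=1 comm="systemd" name="shm" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
[    2.655581] audit: type=1400 audit(1600598638.044:6): avc:  denied  { create } for  pid=1 comm="systemd" name="pts" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
[    2.741846] audit: type=1400 audit(1600598638.108:9): avc:  denied  { create } for  pid=1 comm="systemd" name="bpf" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
"""


class Context(NamedTuple):
    user: str
    role: str
    type: str
    low: str   # low end of the MLS range, e.g. "s0"
    high: str  # high end, e.g. "s15:c0.c1023" (equals low for a single level)


class Denial(NamedTuple):
    kind: str              # "avc" or "validate_transition"
    perms: tuple           # requested permissions (empty for type=1401)
    comm: Optional[str]    # command name, only present in AVC records
    subject: Context       # scontext (AVC) or taskcontext (type=1401)
    target: Context        # tcontext (AVC) or newcontext (type=1401)
    tclass: Optional[str]  # None when the record was cut off before tclass=


KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'type=1400 .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
VALIDATE = re.compile(r'type=1401 .*?op=security_validate_transition\s+(.*)')


def parse_context(text: str) -> Optional[Context]:
    """Split user:role:type:level; the level itself may contain ':' and '-'."""
    parts = text.split(":", 3)
    if len(parts) != 4:
        return None
    user, role, type_, level = parts
    low, dash, high = level.partition("-")
    return Context(user, role, type_, low, high if dash else low)


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC or validate-transition denial, else None."""
    m = AVC.search(line)
    if m:
        f = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
        subj = parse_context(f.get("scontext", ""))
        targ = parse_context(f.get("tcontext", ""))
        if subj and targ:
            return Denial("avc", tuple(m.group(1).split()), f.get("comm"),
                          subj, targ, f.get("tclass"))
        return None
    m = VALIDATE.search(line)
    if m:
        f = dict(KV.findall(m.group(1)))
        subj = parse_context(f.get("taskcontext", ""))
        targ = parse_context(f.get("newcontext", ""))
        if f.get("seresult") == "denied" and subj and targ:
            return Denial("validate_transition", (), None, subj, targ,
                          f.get("tclass"))
    return None


def parse_log(text: str) -> list:
    return [d for d in map(parse_line, text.splitlines()) if d]


def sensitivity(level: str) -> int:
    """Numeric sensitivity of a level such as "s15:c0.c1023" (-1 if unparsable)."""
    m = re.match(r"s(\d+)", level)
    return int(m.group(1)) if m else -1


def level_gap(d: Denial) -> int:
    """How far the task's low level sits above the object's low level."""
    return sensitivity(d.subject.low) - sensitivity(d.target.low)


def summarize(denials: list) -> Counter:
    """Count denials by (comm, task type, task level, object type, object level, class)."""
    rows = Counter()
    for d in denials:
        rows[(d.comm or "?", d.subject.type, d.subject.low,
              d.target.type, d.target.low, d.tclass or "<truncated>")] += 1
    return rows


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for row, count in summarize(found).items():
        print(count, *row)
    print("denials where the task level is above the object level:",
          sum(1 for d in found if level_gap(d) > 0))
```

On these lines every denial has the task in `kernel_t` at `s15:c0.c1023` and the object, or the label being set on it, at a range starting at `s0`.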





Brian Hutchinson <b.hutchman@...>
 



On Fri, May 14, 2021 at 12:35 AM Yi Zhao <yi.zhao@...> wrote:


On 5/14/21 9:40 AM, Brian Hutchinson wrote:
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"


You can try refpolicy-mcs or refpolicy-targeted. The mls policy doesn't work for systemd on dunfell.

//Yi

 
Thank you very much for that!  I made that change to my core-image-selinux build and it worked!  When it booted I saw a systemd process take a while to finish, I assume that was the relabel process.  And when I logged in as root, there is a significant delay before being logged in, not sure what is going on there.

When I made the same change to my imx8mm-evk core-image-base image with selinux added, I saw the same systemd process run but it didn't take quite as long and it made the system reboot.  Once it rebooted I did get a login prompt but it won't let me log in as root.  So something is still misconfigured and I'm still at a loss as to what to look at next.

Will provide the startup logs below:

First, my local.conf:

MACHINE ??= 'imx8mmevk'
DISTRO ?= 'poky'
PACKAGE_CLASSES ?= 'package_rpm'
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
DISTRO_FEATURES_remove = " sysvinit"
DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
#PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-minimum"
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mcs"
VIRTUAL-RUNTIME_init_manager = "systemd"
#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
#VIRTUAL-RUNTIME_initscripts = ""
USER_CLASSES ?= "buildstats image-mklibs image-prelink"
#IMAGE_INSTALL_append = " packagegroup-core-selinux"
CORE_IMAGE_EXTRA_INSTALL += " packagegroup-core-selinux"
IMAGE_FSTYPES += " tar.bz2 ext4 wic.bz2 wic.bmap"
PATCHRESOLVE = "noop"
BB_DISKMON_DIRS ??= "\
   STOPTASKS,${TMPDIR},1G,100K \
   STOPTASKS,${DL_DIR},1G,100K \
   STOPTASKS,${SSTATE_DIR},1G,100K \
   STOPTASKS,/tmp,100M,100K \
   ABORT,${TMPDIR},100M,1K \
   ABORT,${DL_DIR},100M,1K \
   ABORT,${SSTATE_DIR},100M,1K \
   ABORT,/tmp,10M,1K"
PACKAGECONFIG_append_pn-qemu-system-native = " sdl"
CONF_VERSION = "1"

DL_DIR ?= "${BSPDIR}/downloads/"
ACCEPT_FSL_EULA = "1"

This is first boot of my core-image-base build that rebooted:

[    1.202737] usbserial: USB Serial support registered for hp4x
[    1.208499] usbserial: USB Serial support registered for suunto
[    1.214436] usbserial: USB Serial support registered for siemens_mpi
[    1.223136] input: 30370000.snvs:snvs-powerkey as /devices/platform/soc@0/soc@0:bus@30000000/30370000.snvs/30370000.snvs:snvs-powerkey/input/input0
[    1.238115] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc0
[    1.244381] i2c /dev entries driver
[    1.252319] imx2-wdt 30280000.watchdog: timeout 60 sec (nowayout=0)
[    1.258858] Bluetooth: HCI UART driver ver 2.3
[    1.263316] Bluetooth: HCI UART protocol H4 registered
[    1.268461] Bluetooth: HCI UART protocol BCSP registered
[    1.273797] Bluetooth: HCI UART protocol LL registered
[    1.278941] Bluetooth: HCI UART protocol ATH3K registered
[    1.284357] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    1.290707] Bluetooth: HCI UART protocol Broadcom registered
[    1.296391] Bluetooth: HCI UART protocol QCA registered
[    1.303363] sdhci: Secure Digital Host Controller Interface driver
[    1.309555] sdhci: Copyright(c) Pierre Ossman
[    1.314079] Synopsys Designware Multimedia Card Interface Driver
[    1.320593] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.326995] mmc1: CQHCI version 5.10
[    1.331061] mmc2: CQHCI version 5.10
[    1.366826] mmc2: SDHCI controller on 30b60000.mmc [30b60000.mmc] using ADMA
[    1.376124] ledtrig-cpu: registered to indicate activity on CPUs
[    1.383257] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[    1.390030] caam 30900000.crypto: job rings = 3, qi = 0
[    1.404678] caam algorithms registered in /proc/crypto
[    1.410573] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[    1.420094] caam_jr 30901000.jr: registering rng-caam
[    1.430401] caam-snvs 30370000.caam-snvs: can't get snvs clock
[    1.436287] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state
[    1.444721] usbcore: registered new interface driver usbhid
[    1.450298] usbhid: USB HID core driver
[    1.456169] No fsl,qman node
[    1.459065] Freescale USDPAA process driver
[    1.463252] fsl-usdpaa: no region found
[    1.467091] Freescale USDPAA process IRQ driver
[    1.475141] optee: probing for conduit method from DT.
[    1.480307] optee: revision 3.2 (6a22e6e8)
[    1.481414] optee: dynamic shared memory is enabled
[    1.490624] optee: initialized driver
[    1.496444] mmc2: Command Queue Engine enabled
[    1.497954] wm8524-codec audio-codec: Failed to get mute line: -517
[    1.500937] mmc2: new HS400 Enhanced strobe MMC card at address 0001
[    1.507662] OF: /sound-bt-sco/simple-audio-card,cpu: could not get #sound-dai-cells for /soc@0/bus@30000000/sai@30020000
[    1.514447] mmcblk2: mmc2:0001 DG4016 7.49 GiB  
[    1.524427] asoc-simple-card sound-bt-sco: parse error -22
[    1.529081] mmcblk2boot0: mmc2:0001 DG4016 partition 1 4.00 MiB
[    1.534459] asoc-simple-card: probe of sound-bt-sco failed with error -22
[    1.540491] mmcblk2boot1: mmc2:0001 DG4016 partition 2 4.00 MiB
[    1.553232] mmcblk2gp0: mmc2:0001 DG4016 partition 4 3.52 GiB
[    1.559457] mmcblk2rpmb: mmc2:0001 DG4016 partition 3 4.00 MiB, chardev (237:0)
[    1.561232] pktgen: Packet Generator for packet performance testing. Version: 2.75
[    1.568692]  mmcblk2: p1 p2
[    1.578981] NET: Registered protocol family 26
[    1.580349]  mmcblk2gp0: p1 p2
[    1.583939] NET: Registered protocol family 10
[    1.592304] Segment Routing with IPv6
[    1.596030] NET: Registered protocol family 17
[    1.601163] Bluetooth: RFCOMM TTY layer initialized
[    1.606055] Bluetooth: RFCOMM socket layer initialized
[    1.611235] Bluetooth: RFCOMM ver 1.11
[    1.614998] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.620315] Bluetooth: BNEP filters: protocol multicast
[    1.625547] Bluetooth: BNEP socket layer initialized
[    1.630517] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.636443] Bluetooth: HIDP socket layer initialized
[    1.641440] 8021q: 802.1Q VLAN Support v1.8
[    1.645644] lib80211: common routines for IEEE802.11 drivers
[    1.651428] 9pnet: Installing 9P2000 support
[    1.655735] tsn generic netlink module v1 init...
[    1.660501] Key type dns_resolver registered
[    1.665522] registered taskstats version 1
[    1.669630] Loading compiled-in X.509 certificates
[    1.698859] usb_phy_generic usbphynop1: usbphynop1 supply vcc not found, using dummy regulator
[    1.707660] usb_phy_generic usbphynop2: usbphynop2 supply vcc not found, using dummy regulator
[    1.780652] random: fast init done
[    1.788737] LDO6: supplied by regulator-dummy
[    1.793242] i2c i2c-0: IMX I2C adapter registered
[    1.799240] i2c i2c-1: IMX I2C adapter registered
[    1.805114] i2c i2c-2: IMX I2C adapter registered
[    1.810936] i2c i2c-3: IMX I2C adapter registered
[    1.815964] imx-cpufreq-dt imx-cpufreq-dt: cpu speed grade 2 mkt segment 2 supported-hw 0x4 0x4
[    1.828449] mmc1: CQHCI version 5.10
[    1.832108] sdhci-esdhc-imx 30b50000.mmc: Got CD GPIO
[    1.869469] mmc1: SDHCI controller on 30b50000.mmc [30b50000.mmc] using ADMA
[    1.878135] imx8mm-pinctrl 30330000.pinctrl: pin MX8MM_IOMUXC_I2C4_SDA already requested by 30a50000.i2c; cannot claim for audio-codec
[    1.890254] imx8mm-pinctrl 30330000.pinctrl: pin-140 (audio-codec) status -22
[    1.897398] imx8mm-pinctrl 30330000.pinctrl: could not request pin 140 (MX8MM_IOMUXC_I2C4_SDA) from group gpiowlfgrp  on device 30330000.pinctrl
[    1.910356] wm8524-codec audio-codec: Error applying setting, reverse things back
[    1.917856] wm8524-codec: probe of audio-codec failed with error -22
[    1.932525] input: bd718xx-pwrkey as /devices/platform/soc@0/soc@0:bus@30800000/30a20000.i2c/i2c-0/0-004b/gpio-keys.1.auto/input/input1
[    1.946584] snvs_rtc 30370000.snvs:snvs-rtc-lp: setting system clock to 1970-01-01T01:19:14 UTC (4754)
[    1.956250] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    1.967556] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    1.974159] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[    1.979590] ALSA device list:
[    1.982781] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[    1.985744]   No soundcards found.
[    2.004502] EXT4-fs (mmcblk2p2): mounted filesystem with ordered data mode. Opts: (null)
[    2.012659] VFS: Mounted root (ext4 filesystem) readonly on device 179:2.
[    2.019978] devtmpfs: mounted
[    2.023749] Freeing unused kernel memory: 2880K
[    2.040759] Run /sbin/init as init process
[    2.114222] audit: type=1404 audit(4754.664:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[    2.252102] SELinux:  Permission watch in class filesystem not defined in policy.
[    2.259701] SELinux:  Permission watch in class file not defined in policy.
[    2.266668] SELinux:  Permission watch_mount in class file not defined in policy.
[    2.274162] SELinux:  Permission watch_sb in class file not defined in policy.
[    2.281386] SELinux:  Permission watch_with_perm in class file not defined in policy.
[    2.289225] SELinux:  Permission watch_reads in class file not defined in policy.
[    2.296721] SELinux:  Permission watch in class dir not defined in policy.
[    2.303606] SELinux:  Permission watch_mount in class dir not defined in policy.
[    2.311013] SELinux:  Permission watch_sb in class dir not defined in policy.
[    2.318158] SELinux:  Permission watch_with_perm in class dir not defined in policy.
[    2.325902] SELinux:  Permission watch_reads in class dir not defined in policy.
[    2.333318] SELinux:  Permission watch in class lnk_file not defined in policy.
[    2.340628] SELinux:  Permission watch_mount in class lnk_file not defined in policy.
[    2.348467] SELinux:  Permission watch_sb in class lnk_file not defined in policy.
[    2.356038] SELinux:  Permission watch_with_perm in class lnk_file not defined in policy.
[    2.364224] SELinux:  Permission watch_reads in class lnk_file not defined in policy.
[    2.372061] SELinux:  Permission watch in class chr_file not defined in policy.
[    2.379380] SELinux:  Permission watch_mount in class chr_file not defined in policy.
[    2.387211] SELinux:  Permission watch_sb in class chr_file not defined in policy.
[    2.394790] SELinux:  Permission watch_with_perm in class chr_file not defined in policy.
[    2.402968] SELinux:  Permission watch_reads in class chr_file not defined in policy.
[    2.410806] SELinux:  Permission watch in class blk_file not defined in policy.
[    2.418122] SELinux:  Permission watch_mount in class blk_file not defined in policy.
[    2.425962] SELinux:  Permission watch_sb in class blk_file not defined in policy.
[    2.433532] SELinux:  Permission watch_with_perm in class blk_file not defined in policy.
[    2.441718] SELinux:  Permission watch_reads in class blk_file not defined in policy.
[    2.449558] SELinux:  Permission watch in class sock_file not defined in policy.
[    2.456964] SELinux:  Permission watch_mount in class sock_file not defined in policy.
[    2.464881] SELinux:  Permission watch_sb in class sock_file not defined in policy.
[    2.472547] SELinux:  Permission watch_with_perm in class sock_file not defined in policy.
[    2.480811] SELinux:  Permission watch_reads in class sock_file not defined in policy.
[    2.488743] SELinux:  Permission watch in class fifo_file not defined in policy.
[    2.496140] SELinux:  Permission watch_mount in class fifo_file not defined in policy.
[    2.504066] SELinux:  Permission watch_sb in class fifo_file not defined in policy.
[    2.511724] SELinux:  Permission watch_with_perm in class fifo_file not defined in policy.
[    2.519987] SELinux:  Permission watch_reads in class fifo_file not defined in policy.
[    2.528238] SELinux: the above unknown classes and permissions will be allowed
[    2.535473] SELinux:  policy capability network_peer_controls=1
[    2.541403] SELinux:  policy capability open_perms=1
[    2.546368] SELinux:  policy capability extended_socket_class=1
[    2.552297] SELinux:  policy capability always_check_network=0
[    2.558132] SELinux:  policy capability cgroup_seclabel=1
[    2.563539] SELinux:  policy capability nnp_nosuid_transition=1
[    2.611027] audit: type=1403 audit(4755.160:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    2.618342] systemd[1]: Successfully loaded SELinux policy in 506.080ms.
[    2.644224] systemd[1]: System time before build time, advancing clock.
[    2.729021] systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 67.016ms.
[    2.748329] systemd[1]: systemd 244.5+ running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid)
[    2.770341] systemd[1]: Detected architecture arm64.

Welcome to Poky (Yocto Project Reference Distro) 3.1.7 (dunfell)!

[    2.818431] systemd[1]: Set hostname to <imx8mmevk>.
[    2.826687] random: systemd: uninitialized urandom read (16 bytes read)
[    2.833351] systemd[1]: Initializing machine ID from random generator.
[    2.840377] systemd[1]: Installed transient /etc/machine-id file.
[    3.043231] random: systemd: uninitialized urandom read (16 bytes read)
[    3.050040] systemd[1]: system-getty.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.
[    3.062433] systemd[1]: (This warning is only shown for the first unit using IP firewalling.)
[    3.073214] systemd[1]: Created slice system-getty.slice.
[  OK  ] Created slice system-getty.slice.
[    3.092834] random: systemd: uninitialized urandom read (16 bytes read)
[    3.101077] systemd[1]: Created slice system-serial\x2dgetty.slice.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[    3.121748] systemd[1]: Created slice User and Session Slice.
[  OK  ] Created slice User and Session Slice.
[    3.142242] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[    3.169455] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[    3.192930] systemd[1]: Reached target Paths.
[  OK  ] Reached target Paths.
[    3.213846] systemd[1]: Reached target Remote File Systems.
[  OK  ] Reached target Remote File Systems.
[    3.232996] systemd[1]: Reached target Slices.
[  OK  ] Reached target Slices.
[    3.252886] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[    3.277486] systemd[1]: Listening on RPCbind Server Activation Socket.
[  OK  ] Listening on RPCbind Server Activation Socket.
[    3.300937] systemd[1]: Reached target RPC Port Mapper.
[  OK  ] Reached target RPC Port Mapper.
[    3.323791] systemd[1]: Listening on Syslog Socket.
[  OK  ] Listening on Syslog Socket.
[    3.345949] systemd[1]: Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[    3.370655] systemd[1]: systemd-journald-audit.socket: Failed to create listening socket (audit 1): Operation not permitted
[    3.370910] audit: type=1400 audit(1600598638.724:4): avc:  denied  { audit_read } for  pid=1 comm="systemd" capability=37  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[    3.381893] systemd[1]: systemd-journald-audit.socket: Failed to listen on sockets: Operation not permitted
[    3.412415] systemd[1]: systemd-journald-audit.socket: Failed with result 'resources'.
[    3.420654] systemd[1]: Failed to listen on Journal Audit Socket.
[FAILED] Failed to listen on Journal Audit Socket.
See 'systemctl status systemd-journald-audit.socket' for details.
[    3.457659] systemd[1]: Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket (/dev/log).
[    3.481864] systemd[1]: Listening on Journal Socket.
[  OK  ] Listening on Journal Socket.
[    3.501997] systemd[1]: Listening on Network Service Netlink Socket.
[  OK  ] Listening on Network Service Netlink Socket.
[    3.527382] systemd[1]: Listening on udev Control Socket.
[  OK  ] Listening on udev Control Socket.
[    3.549791] systemd[1]: Listening on udev Kernel Socket.
[  OK  ] Listening on udev Kernel Socket.
[    3.573120] systemd[1]: Mounting Huge Pages File System...
        Mounting Huge Pages File System...
[    3.596907] systemd[1]: Mounting POSIX Message Queue File System...
        Mounting POSIX Message Queue File System...
[    3.621131] systemd[1]: Mounting Kernel Debug File System...
        Mounting Kernel Debug File System...
[    3.646188] systemd[1]: Mounting Temporary Directory (/tmp)...
        Mounting Temporary Directory (/tmp)...
[    3.669201] systemd[1]: Starting Create list of static device nodes for the current kernel...
        Starting Create list of st…odes for the current kernel...
[    3.696449] systemd[1]: Starting Start psplash boot splash screen...
        Starting Start psplash boot splash screen...
[    3.728875] systemd[1]: Starting RPC Bind...
        Starting RPC Bind...
[    3.752279] systemd[1]: Starting SELinux autorelabel service loading...
        Starting SELinux autorelabel service loading...
[    3.766897] audit: type=1404 audit(1600598639.120:5): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[    3.788003] systemd[1]: Starting SELinux init for /dev service loading...
        Starting SELinux init for /dev service loading...
[    3.812966] systemd[1]: Starting File System Check on Root Device...
        Starting File System Check on Root Device...
[    3.838411] systemd[1]: Starting Journal Service...
        Starting Journal Servi[    3.845479] systemd[1]: Condition check resulted in Load Kernel Modules being skipped.
ce...
[    3.856066] systemd[1]: Condition check resulted in FUSE Control File System being skipped.
[    3.871557] systemd[1]: Mounting Kernel Configuration File System...
        Mounting Kernel Configuration File System...
[    3.889392] systemd[1]: Starting Apply Kernel Variables...
        Starting Apply Kernel Variables...
[    3.900053] systemd[1]: Starting udev Coldplug all Devices...
        Starting udev Coldplug all Devices...
[    3.911256] systemd[1]: Started RPC Bind.
[  OK  ] Started     3.916791] systemd[1]: Mounted Huge Pages File System.
;39mRPC Bind.
[  OK  ] Mounted Huge Pages File System.
[    3.953835] systemd[1]: Started Journal Service.
[  OK  ] Started Journal Service.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Kernel Debug File System.
[  OK  ] Mounted Temporary Directory (/tmp).
[  OK  ] Started Create list of sta… nodes for the current kernel.
[FAILED] Failed to start Start psplash boot splash screen.
See 'systemctl status psplash-start.service' for details.
[DEPEND] Dependency failed for Star…progress communication helper.
[  OK  ] Started SELinux init for /dev service loading.
[  OK  ] Started File System Check on Root Device.
[  OK  ] Mounted Kernel Configuration File System.
[  OK  ] Started Apply Kernel Variables.
        Starting Remount Root and Kernel File Systems...
[    4.193492] EXT4-fs (mmcblk2p2): re-mounted. Opts: (null)
[  OK  ] Started Remount Root and Kernel File Systems.
        Starting Flush Journal to Persistent Storage...
[    4.243991] systemd-journald[321]: Received client request to flush runtime journal.
        Starting Create System Users...
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Started Create System Users.
        Starting Create Static Device Nodes in /dev...
[  OK  ] Started Create Static Device Nodes in /dev.
[  OK  ] Reached target Local File Systems (Pre).
        Mounting /var/volatile...
        Starting udev Kernel Device Manager...
[  OK  ] Started udev Coldplug all Devices.
[  OK  ] Mounted /var/volatile.
        Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems.
        Starting Rebuild Dynamic Linker Cache...
        Starting SELinux init service loading...
        Starting Commit a transient machine-id on disk...
        Starting Create Volatile Files and Directories...
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started SELinux init service loading.
[  OK  ] Started Commit a transient machine-id on disk.
[  OK  ] Started Rebuild Dynamic Linker Cache.
        Starting Network Service...
[  OK  ] Started Create Volatile Files and Directories.
        Starting Run pending postinsts...
        Starting Rebuild Journal Catalog...
        Starting Network Time Synchronization...
        Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Network Service.
[  OK  ] Started Rebuild Journal Catalog.
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Started Run pending postinsts.
        Starting Network Name Resolution...
        Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Time Set.
[  OK  ] Reached target System Time Synchronized.
[  OK  ] Started Network Name Resolution.
[  OK  ] Reached target Network.
[  OK  ] Reached target Host and Network Name Lookups.
[    5.399674] audit: type=1400 audit(1600598640.748:6): avc:  denied  { module_load } for  pid=648 comm="systemd-udevd" path="/lib/modules/5.4.114+gf9a9b58ef7cc/kernel/arch/arm64/crypto/crct10dif-ce.ko" dev="mmcblk2p2" ino=577 scontext=system_u:system_r:1
[    5.446185] Generic PHY fixed-0:00: attached PHY driver [Generic PHY] (mii_bus:phy_addr=fixed-0:00, irq=POLL)
[    5.461534] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control off
[    5.474253] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    9.012772] random: crng init done
[    9.016184] random: 7 urandom warning(s) missed due to ratelimiting
[  OK  ] Started Load/Save Random Seed.
[   ***] A start job is running for SELinux …l service loading (27s / no limit)
[   30.793551] audit: type=1107 audit(1621001013.725:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="" scontext=syste1
[   30.793551]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[   30.831206] audit: type=1107 audit(1621001013.741:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/reboot.target" cmdline="" scontext=syst1
[  OK  ] Stopped target Host and Network Name Lookups.
[  OK  ] Stopped target RPC Port Mapper.
[  OK  ] Stopped target System Time Synchronized.
[  OK  ] Stopped target System Time Set.
        Stopping Load/Save Random Seed...
[  OK  ] Removed slice system-getty.slice.
[  OK  ] Removed slice system-serial\x2dgetty.slice.
[  OK  ] Stopped target Network.
[  OK  ] Stopped target Paths.
[  OK  ] Stopped Dispatch Password …ts to Console Directory Watch.
[  OK  ] Stopped Forward Password R…uests to Wall Directory Watch.
[  OK  ] Stopped target Remote File Systems.
[  OK  ] Stopped target Slices.
[  OK  ] Removed slice User and Session Slice.
[  OK  ] Closed Syslog Socket.
[  OK  ] Stopped Commit a transient machine-id on disk.
        Stopping Network Name Resolution...
        Stopping Network Time Synchronization...
[  OK  ] Stopped Update is Completed.
[  OK  ] Stopped Rebuild Dynamic Linker Cache.
[  OK  ] Stopped Rebuild Journal Catalog.
        Stopping Update UTMP about System Boot/Shutdown...
[  OK  ] Stopped Network Time Synchronization.
[  OK  ] Stopped Network Name Resolution.
[  OK  ] Stopped Load/Save Random Seed.
[  OK  ] Started SELinux autorelabel service loading.
[  OK  ] Stopped Update UTMP about System Boot/Shutdown.
        Stopping Network Service...
[  OK  ] Stopped Create Volatile Files and Directories.
[  OK  ] Stopped target Local File Systems.
        Unmounting Temporary Directory (/tmp)...
        Unmounting /var/volatile...
[  OK  ] Stopped Network Service.
[  OK  ] Unmounted Temporary Directory (/tmp).
[  OK  ] Unmounted /var/volatile.
[  OK  ] Stopped target Local File Systems (Pre).
[  OK  ] Stopped target Swap.
[  OK  ] Reached target Unmount All Filesystems.
[  OK  ] Stopped Apply Kernel Variables.
[  OK  ] Stopped Create Static Device Nodes in /dev.
[  OK  ] Stopped Create System Users.
[  OK  ] Stopped Remount Root and Kernel File Systems.
[  OK  ] Stopped File System Check on Root Device.
[  OK  ] Reached target Shutdown.
[  OK  ] Reached target Final Step.
[  OK  ] Started Reboot.
[  OK  ] Reached target Reboot.
[   31.749936] watchdog: watchdog0: watchdog did not stop!
[   31.772995] systemd-shutdown[1]: Syncing filesystems and block devices.
[   31.779924] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[   31.794460] systemd-journald[321]: Received SIGTERM from PID 1 (systemd-shutdow).
[   31.815284] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[   31.828512] systemd-shutdown[1]: Hardware watchdog 'imx2+ watchdog', version 0
[   31.837401] systemd-shutdown[1]: Unmounting file systems.
[   31.844851] [872]: Remounting '/' read-only in with options 'seclabel'.
[   31.861839] EXT4-fs (mmcblk2p2): re-mounted. Opts:  
[   31.869728] systemd-shutdown[1]: All filesystems unmounted.
[   31.875392] systemd-shutdown[1]: Deactivating swaps.
[   31.880533] systemd-shutdown[1]: All swaps deactivated.
[   31.885835] systemd-shutdown[1]: Detaching loop devices.
[   31.893753] systemd-shutdown[1]: All loop devices detached.
[   31.899354] systemd-shutdown[1]: Detaching DM devices.
[   31.904814] systemd-shutdown[1]: All DM devices detached.
[   31.910272] systemd-shutdown[1]: All filesystems, swaps, loop devices and DM devices detached.
[   31.924538] systemd-shutdown[1]: Syncing filesystems and block devices.
[   31.931348] systemd-shutdown[1]: Rebooting.
[   31.935672] imx-sdma 302b0000.dma-controller: external firmware not found, using ROM firmware
[   31.935695] imx-sdma 30bd0000.dma-controller: external firmware not found, using ROM firmware
[   31.937033] kvm: exiting hardware virtualization
[   31.944226] cfg80211: failed to load regulatory.db
[   31.958656] imx-sdma 302c0000.dma-controller: loaded firmware 4.5
[   32.009904] imx2-wdt 30280000.watchdog: Device shutdown: Expect reboot!
[   32.017454] reboot: Restarting system


This is after the reboot.  I make it to the login prompt but can't log in:

Thanks for any pointers as to what to look into next ... in the meantime I'm continuing to dig.

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.4.114+gf9a9b58ef7cc (oe-user@oe-host) (gcc version 9.3.0 (GCC)) #1 SMP PREEMPT Thu Apr 22 11:48:16 UTC 2021
[    0.000000] Machine model: FSL i.MX8MM EVK board
[    0.000000] earlycon: ec_imx6q0 at MMIO 0x0000000030890000 (options '115200')
[    0.000000] printk: bootconsole [ec_imx6q0] enabled
[    0.000000] efi: Getting EFI parameters from FDT:
[    0.000000] efi: UEFI not found.
[    0.000000] Reserved memory: created CMA memory pool at 0x0000000078000000, size 640 MiB
[    0.000000] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool
[    0.000000] NUMA: No NUMA configuration found
[    0.000000] NUMA: Faking a node at [mem 0x0000000040000000-0x00000000bdffffff]
[    0.000000] NUMA: NODE_DATA [mem 0xbdbe0500-0xbdbe1fff]
[    0.000000] Zone ranges:
[    0.000000]   DMA32    [mem 0x0000000040000000-0x00000000bdffffff]
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000b7ffffff]
[    0.000000]   node   0: [mem 0x00000000b8000000-0x00000000b83fffff]
[    0.000000]   node   0: [mem 0x00000000b8400000-0x00000000bdffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bdffffff]
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.1 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: Trusted OS migration not required
[    0.000000] psci: SMC Calling Convention v1.1
[    0.000000] percpu: Embedded 24 pages/cpu s58904 r8192 d31208 u98304
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: detected: ARM erratum 845719
[    0.000000] CPU features: detected: GIC system register CPU interface
[    0.000000] Speculative Store Bypass Disable mitigation not required
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 508032
[    0.000000] Policy zone: DMA32
[    0.000000] Kernel command line: console=ttymxc1,115200 earlycon=ec_imx6q,0x30890000,115200 rootwait ro root=/dev/mmcblk2p2 rauc.slot=B
[    0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[    0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 1336216K/2064384K available (16508K kernel code, 1234K rwdata, 6480K rodata, 2880K init, 1038K bss, 72808K reserved, 655360K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Preemptible hierarchical RCU implementation.
[    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=256 to nr_cpu_ids=4.
[    0.000000]  Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[    0.000000] GICv3: 128 SPIs implemented
[    0.000000] GICv3: 0 Extended SPIs implemented
[    0.000000] GICv3: Distributor has no Range Selector support
[    0.000000] GICv3: 16 PPIs implemented
[    0.000000] GICv3: no VLPI support, no direct LPI support
[    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000
[    0.000000] ITS: No ITS available, not enabling LPIs
[    0.000000] random: get_random_bytes called from start_kernel+0x2b8/0x43c with crng_init=0
[    0.000000] arch_timer: cp15 timer(s) running at 8.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1d854df40, max_idle_ns: 440795202120 ns
[    0.000003] sched_clock: 56 bits at 8MHz, resolution 125ns, wraps every 2199023255500ns
[    0.008456] Console: colour dummy device 80x25
[    0.012579] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.00 BogoMIPS (lpj=32000)
[    0.022844] pid_max: default: 32768 minimum: 301
[    0.027543] LSM: Security Framework initializing
[    0.032140] SELinux:  Initializing.
[    0.035680] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.043062] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.052066] ASID allocator initialised with 32768 entries
[    0.056439] rcu: Hierarchical SRCU implementation.
[    0.062122] EFI services will not be available.
[    0.065890] smp: Bringing up secondary CPUs ...
[    0.070649] Detected VIPT I-cache on CPU1
[    0.070673] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000
[    0.070704] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.071100] Detected VIPT I-cache on CPU2
[    0.071116] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000
[    0.071134] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.071499] Detected VIPT I-cache on CPU3
[    0.071514] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000
[    0.071530] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.071581] smp: Brought up 1 node, 4 CPUs
[    0.126889] SMP: Total of 4 processors activated.
[    0.131607] CPU features: detected: 32-bit EL0 Support
[    0.136780] CPU features: detected: CRC32 instructions
[    0.148802] CPU: All CPU(s) started at EL2
[    0.150074] alternatives: patching kernel code
[    0.155989] devtmpfs: initialized
[    0.163606] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.170559] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.194288] pinctrl core: initialized pinctrl subsystem
[    0.197376] DMI not present or invalid.
[    0.200809] NET: Registered protocol family 16
[    0.212008] DMA: preallocated 256 KiB pool for atomic allocations
[    0.215305] audit: initializing netlink subsys (disabled)
[    0.220944] audit: type=2000 audit(0.160:1): state=initialized audit_enabled=0 res=1
[    0.228511] cpuidle: using governor menu
[    0.232941] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.240026] Serial: AMBA PL011 UART driver
[    0.243412] imx mu driver is registered.
[    0.247304] imx rpmsg driver is registered.
[    0.256464] imx8mm-pinctrl 30330000.pinctrl: initialized IMX pinctrl driver
[    0.277600] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[    0.281486] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[    0.288213] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.294951] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[    0.302495] cryptd: max_cpu_qlen set to 1000
[    0.308932] ACPI: Interpreter disabled.
[    0.310658] iommu: Default domain type: Translated  
[    0.314960] vgaarb: loaded
[    0.317804] SCSI subsystem initialized
[    0.321602] usbcore: registered new interface driver usbfs
[    0.326845] usbcore: registered new interface driver hub
[    0.332164] usbcore: registered new device driver usb
[    0.338385] mc: Linux media interface: v0.10
[    0.341527] videodev: Linux video capture interface: v2.00
[    0.347076] pps_core: LinuxPPS API ver. 1 registered
[    0.352005] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@...>
[    0.361200] PTP clock support registered
[    0.365247] EDAC MC: Ver: 3.0.0
[    0.368995] No BMan portals available!
[    0.372270] QMan: Allocated lookup table at (____ptrval____), entry count 65537
[    0.379649] No QMan portals available!
[    0.383534] No USDPAA memory, no 'fsl,usdpaa-mem' in device-tree
[    0.389567] FPGA manager framework
[    0.392686] Advanced Linux Sound Architecture Driver Initialized.
[    0.399111] Bluetooth: Core ver 2.22
[    0.402332] NET: Registered protocol family 31
[    0.406784] Bluetooth: HCI device and connection manager initialized
[    0.413175] Bluetooth: HCI socket layer initialized
[    0.418071] Bluetooth: L2CAP socket layer initialized
[    0.423152] Bluetooth: SCO socket layer initialized
[    0.428742] clocksource: Switched to clocksource arch_sys_counter
[    0.434312] VFS: Disk quotas dquot_6.6.0
[    0.438149] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.445171] pnp: PnP ACPI: disabled
[    0.454139] thermal_sys: Registered thermal governor 'step_wise'
[    0.454143] thermal_sys: Registered thermal governor 'power_allocator'
[    0.457634] NET: Registered protocol family 2
[    0.468576] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[    0.476866] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.484900] TCP bind hash table entries: 16384 (order: 6, 262144 bytes, linear)
[    0.492368] TCP: Hash tables configured (established 16384 bind 16384)
[    0.498788] UDP hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.505483] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.512778] NET: Registered protocol family 1
[    0.517326] RPC: Registered named UNIX socket transport module.
[    0.522951] RPC: Registered udp transport module.
[    0.527670] RPC: Registered tcp transport module.
[    0.532392] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.539245] PCI: CLS 0 bytes, default 64
[    0.543524] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[    0.550924] kvm [1]: IPA Size Limit: 40 bits
[    0.555485] kvm [1]: GICv3: no GICV resource entry
[    0.559695] kvm [1]: disabling GICv2 emulation
[    0.564169] kvm [1]: GIC system register CPU interface enabled
[    0.570073] kvm [1]: vgic interrupt IRQ1
[    0.574054] kvm [1]: Hyp mode initialized successfully
[    0.581948] Initialise system trusted keyrings
[    0.583683] workingset: timestamp_bits=44 max_order=19 bucket_order=0
[    0.595831] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.599436] NFS: Registering the id_resolver key type
[    0.603932] Key type id_resolver registered
[    0.608108] Key type id_legacy registered
[    0.612138] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.618870] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.626323] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.632803] 9p: Installing v9fs 9p2000 file system support
[    0.651737] Key type asymmetric registered
[    0.652990] Asymmetric key parser 'x509' registered
[    0.657911] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 244)
[    0.665324] io scheduler mq-deadline registered
[    0.669872] io scheduler kyber registered
[    0.678050] EINJ: ACPI disabled.
[    0.686745] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2
[    0.694400] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin
[    0.711570] mxs-dma 33000000.dma-controller: initialized
[    0.715066] Bus freq driver module loaded
[    0.723136] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.728520] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 34, base_baud = 1500000) is a IMX
[    0.735469] printk: console [ttymxc1] enabled
[    0.735469] printk: console [ttymxc1] enabled
[    0.744116] printk: bootconsole [ec_imx6q0] disabled
[    0.744116] printk: bootconsole [ec_imx6q0] disabled
[    0.756050] imx-drm soc@0:bus@32c00000:display-subsystem: no available port
[    0.774382] loop: module loaded
[    0.779429] imx ahci driver is registered.
[    0.786201] spi_imx 30830000.spi: probed
[    0.791041] spi-nor spi3.0: n25q256ax1 (32768 Kbytes)
[    0.796146] 7 fixed-partitions partitions found on MTD device 30bb0000.spi
[    0.803027] Creating 7 MTD partitions on "30bb0000.spi":
[    0.808347] 0x000000000000-0x000000200000 : "U-Boot"
[    0.817392] 0x000000200000-0x000000202000 : "U-Boot Env"
[    0.822719] mtd: partition "U-Boot Env" doesn't end on an erase/write block -- force read-only
[    0.833337] 0x000000202000-0x000000204000 : "U-Boot Env 2"
[    0.838833] mtd: partition "U-Boot Env 2" doesn't start on an erase/write block boundary -- force read-only
[    0.853342] 0x000000204000-0x000000205000 : "boot.scr"
[    0.858491] mtd: partition "boot.scr" doesn't start on an erase/write block boundary -- force read-only
[    0.869325] 0x000000205000-0x000000210000 : "Device Tree Blob"
[    0.875169] mtd: partition "Device Tree Blob" doesn't start on an erase/write block boundary -- force read-only
[    0.889335] 0x000000210000-0x000000e10000 : "Compressed Kernel"
[    0.897333] 0x000000e10000-0x000002000000 : "SquashFS"
[    0.906579] libphy: Fixed MDIO Bus: probed
[    0.911369] tun: Universal TUN/TAP device driver, 1.6
[    0.917120] thunder_xcv, ver 1.0
[    0.920379] thunder_bgx, ver 1.0
[    0.923645] nicpf, ver 1.0
[    0.927568] pps pps0: new PPS source ptp0
[    0.943981] libphy: fec_enet_mii_bus: probed
[    0.948772] fec 30be0000.ethernet eth0: registered PHC device 0
[    0.955242] Freescale FM module, FMD API version 21.1.0
[    0.960688] Freescale FM Ports module
[    0.964357] fsl_mac: fsl_mac: FSL FMan MAC API based driver
[    0.970062] fsl_dpa: FSL DPAA Ethernet driver
[    0.974514] fsl_advanced: FSL DPAA Advanced drivers:
[    0.979483] fsl_proxy: FSL DPAA Proxy initialization driver
[    0.985142] fsl_oh: FSL FMan Offline Parsing port driver
[    0.991222] hclge is initializing
[    0.994545] hns3: Hisilicon Ethernet Network Driver for Hip08 Family - version
[    1.001770] hns3: Copyright (c) 2017 Huawei Corporation.
[    1.007125] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    1.014177] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.019958] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[    1.025795] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    1.031749] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.6.0-k
[    1.038714] igb: Copyright (c) 2007-2014 Intel Corporation.
[    1.044318] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.4.0-k
[    1.052151] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[    1.058209] sky2: driver version 1.30
[    1.062731] VFIO - User Level meta-driver version: 0.3
[    1.069490] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.076027] ehci-pci: EHCI PCI platform driver
[    1.080544] ehci-platform: EHCI generic platform driver
[    1.085925] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    1.092128] ohci-pci: OHCI PCI platform driver
[    1.096606] ohci-platform: OHCI generic platform driver
[    1.102319] usbcore: registered new interface driver usb-storage
[    1.108398] usbcore: registered new interface driver usbserial_generic
[    1.114949] usbserial: USB Serial support registered for generic
[    1.120980] usbcore: registered new interface driver ftdi_sio
[    1.126742] usbserial: USB Serial support registered for FTDI USB Serial Device
[    1.134076] usbcore: registered new interface driver usb_serial_simple
[    1.140618] usbserial: USB Serial support registered for carelink
[    1.146727] usbserial: USB Serial support registered for zio
[    1.152400] usbserial: USB Serial support registered for funsoft
[    1.158421] usbserial: USB Serial support registered for flashloader
[    1.164795] usbserial: USB Serial support registered for google
[    1.170734] usbserial: USB Serial support registered for libtransistor
[    1.177277] usbserial: USB Serial support registered for vivopay
[    1.183298] usbserial: USB Serial support registered for moto_modem
[    1.189581] usbserial: USB Serial support registered for motorola_tetra
[    1.196214] usbserial: USB Serial support registered for novatel_gps
[    1.202584] usbserial: USB Serial support registered for hp4x
[    1.208350] usbserial: USB Serial support registered for suunto
[    1.214287] usbserial: USB Serial support registered for siemens_mpi
[    1.223024] input: 30370000.snvs:snvs-powerkey as /devices/platform/soc@0/soc@0:bus@30000000/30370000.snvs/30370000.snvs:snvs-powerkey/input/input0
[    1.238035] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc0
[    1.244303] i2c /dev entries driver
[    1.252247] imx2-wdt 30280000.watchdog: timeout 60 sec (nowayout=0)
[    1.258789] Bluetooth: HCI UART driver ver 2.3
[    1.263246] Bluetooth: HCI UART protocol H4 registered
[    1.268391] Bluetooth: HCI UART protocol BCSP registered
[    1.273732] Bluetooth: HCI UART protocol LL registered
[    1.278876] Bluetooth: HCI UART protocol ATH3K registered
[    1.284292] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    1.290639] Bluetooth: HCI UART protocol Broadcom registered
[    1.296318] Bluetooth: HCI UART protocol QCA registered
[    1.303291] sdhci: Secure Digital Host Controller Interface driver
[    1.309482] sdhci: Copyright(c) Pierre Ossman
[    1.314003] Synopsys Designware Multimedia Card Interface Driver
[    1.320520] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.326929] mmc1: CQHCI version 5.10
[    1.331000] mmc2: CQHCI version 5.10
[    1.366873] mmc2: SDHCI controller on 30b60000.mmc [30b60000.mmc] using ADMA
[    1.376151] ledtrig-cpu: registered to indicate activity on CPUs
[    1.383270] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[    1.390042] caam 30900000.crypto: job rings = 3, qi = 0
[    1.405942] caam algorithms registered in /proc/crypto
[    1.411819] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[    1.421344] caam_jr 30901000.jr: registering rng-caam
[    1.433702] caam-snvs 30370000.caam-snvs: can't get snvs clock
[    1.439583] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state
[    1.447997] usbcore: registered new interface driver usbhid
[    1.453577] usbhid: USB HID core driver
[    1.459387] No fsl,qman node
[    1.462287] Freescale USDPAA process driver
[    1.466475] fsl-usdpaa: no region found
[    1.470316] Freescale USDPAA process IRQ driver
[    1.478310] optee: probing for conduit method from DT.
[    1.483478] optee: revision 3.2 (6a22e6e8)
[    1.484788] optee: dynamic shared memory is enabled
[    1.494072] optee: initialized driver
[    1.499857] mmc2: Command Queue Engine enabled
[    1.501704] wm8524-codec audio-codec: Failed to get mute line: -517
[    1.504346] mmc2: new HS400 Enhanced strobe MMC card at address 0001
[    1.511056] OF: /sound-bt-sco/simple-audio-card,cpu: could not get #sound-dai-cells for /soc@0/bus@30000000/sai@30020000
[    1.518006] mmcblk2: mmc2:0001 DG4016 7.49 GiB  
[    1.527812] asoc-simple-card sound-bt-sco: parse error -22
[    1.527829] asoc-simple-card: probe of sound-bt-sco failed with error -22
[    1.532474] mmcblk2boot0: mmc2:0001 DG4016 partition 1 4.00 MiB
[    1.550725] mmcblk2boot1: mmc2:0001 DG4016 partition 2 4.00 MiB
[    1.552076] pktgen: Packet Generator for packet performance testing. Version: 2.75
[    1.556808] mmcblk2gp0: mmc2:0001 DG4016 partition 4 3.52 GiB
[    1.570357] NET: Registered protocol family 26
[    1.570759] mmcblk2rpmb: mmc2:0001 DG4016 partition 3 4.00 MiB, chardev (237:0)
[    1.575300] NET: Registered protocol family 10
[    1.586931]  mmcblk2: p1 p2
[    1.587624] Segment Routing with IPv6
[    1.593504] NET: Registered protocol family 17
[    1.598166]  mmcblk2gp0: p1 p2
[    1.598390] Bluetooth: RFCOMM TTY layer initialized
[    1.606144] Bluetooth: RFCOMM socket layer initialized
[    1.611321] Bluetooth: RFCOMM ver 1.11
[    1.615088] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.620404] Bluetooth: BNEP filters: protocol multicast
[    1.625636] Bluetooth: BNEP socket layer initialized
[    1.630606] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.636532] Bluetooth: HIDP socket layer initialized
[    1.641540] 8021q: 802.1Q VLAN Support v1.8
[    1.645750] lib80211: common routines for IEEE802.11 drivers
[    1.651530] 9pnet: Installing 9P2000 support
[    1.655833] tsn generic netlink module v1 init...
[    1.660613] Key type dns_resolver registered
[    1.665652] registered taskstats version 1
[    1.669778] Loading compiled-in X.509 certificates
[    1.697518] usb_phy_generic usbphynop1: usbphynop1 supply vcc not found, using dummy regulator
[    1.706299] usb_phy_generic usbphynop2: usbphynop2 supply vcc not found, using dummy regulator
[    1.738543] random: fast init done
[    1.743680] LDO6: supplied by regulator-dummy
[    1.748187] i2c i2c-0: IMX I2C adapter registered
[    1.753876] i2c i2c-1: IMX I2C adapter registered
[    1.759408] i2c i2c-2: IMX I2C adapter registered
[    1.765205] i2c i2c-3: IMX I2C adapter registered
[    1.770237] imx-cpufreq-dt imx-cpufreq-dt: cpu speed grade 2 mkt segment 2 supported-hw 0x4 0x4
[    1.782784] mmc1: CQHCI version 5.10
[    1.786418] sdhci-esdhc-imx 30b50000.mmc: Got CD GPIO
[    1.821457] mmc1: SDHCI controller on 30b50000.mmc [30b50000.mmc] using ADMA
[    1.830140] imx8mm-pinctrl 30330000.pinctrl: pin MX8MM_IOMUXC_I2C4_SDA already requested by 30a50000.i2c; cannot claim for audio-codec
[    1.842264] imx8mm-pinctrl 30330000.pinctrl: pin-140 (audio-codec) status -22
[    1.849408] imx8mm-pinctrl 30330000.pinctrl: could not request pin 140 (MX8MM_IOMUXC_I2C4_SDA) from group gpiowlfgrp  on device 30330000.pinctrl
[    1.862367] wm8524-codec audio-codec: Error applying setting, reverse things back
[    1.869868] wm8524-codec: probe of audio-codec failed with error -22
[    1.880540] input: bd718xx-pwrkey as /devices/platform/soc@0/soc@0:bus@30800000/30a20000.i2c/i2c-0/0-004b/gpio-keys.1.auto/input/input1
[    1.894274] snvs_rtc 30370000.snvs:snvs-rtc-lp: setting system clock to 2021-05-14T14:03:42 UTC (1621001022)
[    1.904487] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    1.916959] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    1.923554] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[    1.927624] ALSA device list:
[    1.932172] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[    1.942907]   No soundcards found.
[    1.956545] EXT4-fs (mmcblk2p2): mounted filesystem with ordered data mode. Opts: (null)
[    1.964702] VFS: Mounted root (ext4 filesystem) readonly on device 179:2.
[    1.972100] devtmpfs: mounted
[    1.976098] Freeing unused kernel memory: 2880K
[    1.980716] Run /sbin/init as init process
[    2.060538] audit: type=1404 audit(1621001022.660:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[    2.197726] SELinux:  Permission watch in class filesystem not defined in policy.
[    2.205251] SELinux:  Permission watch in class file not defined in policy.
[    2.212214] SELinux:  Permission watch_mount in class file not defined in policy.
[    2.219712] SELinux:  Permission watch_sb in class file not defined in policy.
[    2.226936] SELinux:  Permission watch_with_perm in class file not defined in policy.
[    2.234775] SELinux:  Permission watch_reads in class file not defined in policy.
[    2.242268] SELinux:  Permission watch in class dir not defined in policy.
[    2.249153] SELinux:  Permission watch_mount in class dir not defined in policy.
[    2.256550] SELinux:  Permission watch_sb in class dir not defined in policy.
[    2.263695] SELinux:  Permission watch_with_perm in class dir not defined in policy.
[    2.271439] SELinux:  Permission watch_reads in class dir not defined in policy.
[    2.278853] SELinux:  Permission watch in class lnk_file not defined in policy.
[    2.286164] SELinux:  Permission watch_mount in class lnk_file not defined in policy.
[    2.294003] SELinux:  Permission watch_sb in class lnk_file not defined in policy.
[    2.301582] SELinux:  Permission watch_with_perm in class lnk_file not defined in policy.
[    2.309769] SELinux:  Permission watch_reads in class lnk_file not defined in policy.
[    2.317607] SELinux:  Permission watch in class chr_file not defined in policy.
[    2.324925] SELinux:  Permission watch_mount in class chr_file not defined in policy.
[    2.332761] SELinux:  Permission watch_sb in class chr_file not defined in policy.
[    2.340344] SELinux:  Permission watch_with_perm in class chr_file not defined in policy.
[    2.348522] SELinux:  Permission watch_reads in class chr_file not defined in policy.
[    2.356366] SELinux:  Permission watch in class blk_file not defined in policy.
[    2.363677] SELinux:  Permission watch_mount in class blk_file not defined in policy.
[    2.371516] SELinux:  Permission watch_sb in class blk_file not defined in policy.
[    2.379086] SELinux:  Permission watch_with_perm in class blk_file not defined in policy.
[    2.387272] SELinux:  Permission watch_reads in class blk_file not defined in policy.
[    2.395110] SELinux:  Permission watch in class sock_file not defined in policy.
[    2.402506] SELinux:  Permission watch_mount in class sock_file not defined in policy.
[    2.410429] SELinux:  Permission watch_sb in class sock_file not defined in policy.
[    2.418085] SELinux:  Permission watch_with_perm in class sock_file not defined in policy.
[    2.426350] SELinux:  Permission watch_reads in class sock_file not defined in policy.
[    2.434282] SELinux:  Permission watch in class fifo_file not defined in policy.
[    2.441679] SELinux:  Permission watch_mount in class fifo_file not defined in policy.
[    2.449605] SELinux:  Permission watch_sb in class fifo_file not defined in policy.
[    2.457262] SELinux:  Permission watch_with_perm in class fifo_file not defined in policy.
[    2.465535] SELinux:  Permission watch_reads in class fifo_file not defined in policy.
[    2.473773] SELinux: the above unknown classes and permissions will be allowed
[    2.481016] SELinux:  policy capability network_peer_controls=1
[    2.486938] SELinux:  policy capability open_perms=1
[    2.491912] SELinux:  policy capability extended_socket_class=1
[    2.497833] SELinux:  policy capability always_check_network=0
[    2.503675] SELinux:  policy capability cgroup_seclabel=1
[    2.509074] SELinux:  policy capability nnp_nosuid_transition=1
[    2.551979] audit: type=1403 audit(1621001023.152:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    2.558891] systemd[1]: Successfully loaded SELinux policy in 499.797ms.
[    2.663812] systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 67.655ms.
[    2.682911] systemd[1]: systemd 244.5+ running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid)
[    2.704939] systemd[1]: Detected architecture arm64.

Welcome to Poky (Yocto Project Reference Distro) 3.1.7 (dunfell)!

[    2.761410] systemd[1]: Set hostname to <imx8mmevk>.
[    2.963225] random: systemd: uninitialized urandom read (16 bytes read)
[    2.970024] systemd[1]: system-getty.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.
[    2.982383] systemd[1]: (This warning is only shown for the first unit using IP firewalling.)
[    2.993074] systemd[1]: Created slice system-getty.slice.
[  OK  ] Created slice system-getty.slice.
[    3.013209] random: systemd: uninitialized urandom read (16 bytes read)
[    3.021079] systemd[1]: Created slice system-serial\x2dgetty.slice.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[    3.040889] random: systemd: uninitialized urandom read (16 bytes read)
[    3.049063] systemd[1]: Created slice User and Session Slice.
[  OK  ] Created slice User and Session Slice.
[    3.073555] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[    3.097478] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[    3.120999] systemd[1]: Reached target Paths.
[  OK  ] Reached target Paths.
[    3.140900] systemd[1]: Reached target Remote File Systems.
[  OK  ] Reached target Remote File Systems.
[    3.165590] systemd[1]: Reached target Slices.
[  OK  ] Reached target Slices.
[    3.185866] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[    3.210920] systemd[1]: Listening on RPCbind Server Activation Socket.
[  OK  ] Listening on RPCbind Server Activation Socket.
[    3.232948] systemd[1]: Reached target RPC Port Mapper.
[  OK  ] Reached target RPC Port Mapper.
[    3.257214] systemd[1]: Listening on Syslog Socket.
[  OK  ] Listening on Syslog Socket.
[    3.277824] systemd[1]: Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[    3.303340] systemd[1]: systemd-journald-audit.socket: Failed to create listening socket (audit 1): Operation not permitted
[    3.303603] audit: type=1400 audit(1621001023.904:4): avc:  denied  { audit_read } for  pid=1 comm="systemd" capability=37  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[    3.314517] systemd[1]: systemd-journald-audit.socket: Failed to listen on sockets: Operation not permitted
[    3.314663] systemd[1]: systemd-journald-audit.socket: Failed with result 'resources'.
[    3.353186] systemd[1]: Failed to listen on Journal Audit Socket.
[FAILED] Failed to listen on Journal Audit Socket.
See 'systemctl status systemd-journald-audit.socket' for details.
[    3.389680] systemd[1]: Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket (/dev/log).
[    3.414416] systemd[1]: Listening on Journal Socket.
[  OK  ] Listening on Journal Socket.
[    3.434353] systemd[1]: Listening on Network Service Netlink Socket.
[  OK  ] Listening on Network Service Netlink Socket.
[    3.459379] systemd[1]: Listening on udev Control Socket.
[  OK  ] Listening on udev Control Socket.
[    3.481748] systemd[1]: Listening on udev Kernel Socket.
[  OK  ] Listening on udev Kernel Socket.
[    3.509857] systemd[1]: Mounting Huge Pages File System...
        Mounting Huge Pages File System...
[    3.533188] systemd[1]: Mounting POSIX Message Queue File System...
        Mounting POSIX Message Queue File System...
[    3.557152] systemd[1]: Mounting Kernel Debug File System...
        Mounting Kernel Debug File System...
[    3.581924] systemd[1]: Mounting Temporary Directory (/tmp)...
        Mounting Temporary Directory (/tmp)...
[    3.605283] systemd[1]: Starting Create list of static device nodes for the current kernel...
        Starting Create list of st…odes for the current kernel...
[    3.636385] systemd[1]: Starting Start psplash boot splash screen...
        Starting Start psplash boot splash screen...
[    3.660189] systemd[1]: Starting RPC Bind...
        Starting RPC Bind...
[    3.684232] systemd[1]: Starting SELinux autorelabel service loading...
        Starting SELinux autorelabel service loading...
[    3.708354] systemd[1]: Starting SELinux init for /dev service loading...
        Starting SELinux init for /dev service loading...
[    3.740312] systemd[1]: Starting File System Check on Root Device...
        Starting File System Check on Root Device...
[    3.770209] systemd[1]: Starting Journal Service...
        Starting Journal Servi[    3.777145] systemd[1]: Condition check resulted in Load Kernel Modules being skipped.
ce...
[    3.787527] systemd[1]: Condition check resulted in FUSE Control File System being skipped.
[    3.801674] systemd[1]: Mounting Kernel Configuration File System...
        Mounting Kernel Configuration File System...
[    3.813958] systemd[1]: Starting Apply Kernel Variables...
        Starting Apply Kernel Variables...
[    3.824163] systemd[1]: Starting udev Coldplug all Devices...
        Starting udev Coldplug all Devices...
[    3.842788] systemd[1]: Started RPC Bind.
[  OK  ] [    3.848205] systemd[1]: Mounted Huge Pages File System.
Started RPC Bind.
[    3.855211] systemd[1]: Started Journal Service.
[  OK  ] Mounted Huge Pages File System.
[  OK  ] Started Journal Service.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Kernel Debug File System.
[  OK  ] Mounted Temporary Directory (/tmp).
[  OK  ] Started Create list of sta… nodes for the current kernel.
[FAILED] Failed to start Start psplash boot splash screen.
See 'systemctl status psplash-start.service' for details.
[DEPEND] Dependency failed for Star…progress communication helper.
[  OK  ] Started SELinux autorelabel service loading.
[  OK  ] Started SELinux init for /dev service loading.
[  OK  ] Started File System Check on Root Device.
[  OK  ] Mounted Kernel Configuration File System.
[  OK  ] Started Apply Kernel Variables.
        Starting Remount Root and Kernel File Systems...
[    4.135040] EXT4-fs (mmcblk2p2): re-mounted. Opts: (null)
[  OK  ] Started Remount Root and Kernel File Systems.
        Starting Flush Journal to Persistent Storage...
[    4.176222] systemd-journald[287]: Received client request to flush runtime journal.
        Starting Create Static Device Nodes in /dev...
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Started Create Static Device Nodes in /dev.
[  OK  ] Reached target Local File Systems (Pre).
        Mounting /var/volatile...
        Starting udev Kernel Device Manager...
[  OK  ] Mounted /var/volatile.
[  OK  ] Started udev Coldplug all Devices.
        Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems.
        Starting SELinux init service loading...
        Starting Create Volatile Files and Directories...
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started SELinux init service loading.
        Starting Network Service...
[  OK  ] Started Create Volatile Files and Directories.
        Starting Network Time Synchronization...
        Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Network Service.
        Starting Network Name Resolution...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Initialization.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target System Time Set.
[  OK  ] Reached target System Time Synchronized.
[  OK  ] Reached target Timers.
[  OK  ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
[  OK  ] Started Kernel Logging Service.
[  OK  ] Started System Logging Service.
[  OK  ] Started D-Bus System Message Bus.
[    4.923342] audit: type=1400 audit(1621001025.524:5): avc:  denied  { module_load } for  pid=312 comm="systemd-udevd" path="/lib/modules/5.4.114+gf9a9b58ef7cc/kernel/arch/arm64/crypto/crct10dif-ce.ko" dev="mmcblk2p2" ino=577 scontext=system_u:system_r:0
[    4.960809] audit: type=1400 audit(1621001025.524:6): avc:  denied  { module_load } for  pid=307 comm="systemd-udevd" path="/lib/modules/5.4.114+gf9a9b58ef7cc/kernel/arch/arm64/crypto/crct10dif-ce.ko" dev="mmcblk2p2" ino=577 scontext=system_u:system_r:0
        Starting Telephony service...
[    4.996048] audit: type=1400 audit(1621001025.524:7): avc:  denied  { module_load } for  pid=318 comm="systemd-udevd" path="/lib/modules/5.4.114+gf9a9b58ef7cc/kernel/arch/arm64/crypto/crct10dif-ce.ko" dev="mmcblk2p2" ino=577 scontext=system_u:system_r:0
[    5.032350] audit: type=1400 audit(1621001025.524:8): avc:  denied  { module_load } for  pid=319 comm="systemd-udevd" path="/lib/modules/5.4.114+gf9a9b58ef7cc/kernel/arch/arm64/crypto/crct10dif-ce.ko" dev="mmcblk2p2" ino=577 scontext=system_u:system_r:0
        Starting Login Service...
[    5.072228] Generic PHY fixed-0:00: attached PHY driver [Generic PHY] (mii_bus:phy_addr=fixed-0:00, irq=POLL)
[    5.088344] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control off
[  OK  ] Started Network Name Resolution.
[    5.109578] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  OK  ] Started Telephony service.
[  OK  ] Started Login Service.
[  OK  ] Reached target Network.
[  OK  ] Reached target Host and Network Name Lookups.
        Starting Avahi mDNS/DNS-SD Stack...
        Starting Hostname Service...
        Starting Permit User Sessions...
[  OK  ] Started Avahi mDNS/DNS-SD Stack.
[  OK  ] Started Permit User Sessions.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttymxc1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
        Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Hostname Service.
[    5.644863] audit: type=1107 audit(1621001026.231:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/graphical.target" cmdline="" scontext=s0
[    5.644863]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[FAILED] Failed to start Update UTM…about System Runlevel Changes.
See 'systemctl status systemd-update-utmp-runlevel.service' for details.

Poky (Yocto Project Reference Distro) 3.1.7 imx8mmevk ttymxc1

imx8mmevk login: [   13.913709] random: crng init done
[   13.917116] random: 7 urandom warning(s) missed due to ratelimiting
[   34.240165] WLAN_EN: disabling
[   34.243228] VSD_3V3: disabling
[   62.907654] cfg80211: failed to load regulatory.db
[   62.907942] imx-sdma 302c0000.dma-controller: external firmware not found, using ROM firmware
[   62.910414] imx-sdma 302b0000.dma-controller: external firmware not found, using ROM firmware
[   62.933352] imx-sdma 30bd0000.dma-controller: loaded firmware 4.5

imx8mmevk login: root
[   84.724596] audit: type=1107 audit(1621001104.928:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline="/lib/systemd/sy0
[   84.724596]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Cannot execute /bin/sh: No such f[   84.764677] audit: type=1107 audit(1621001104.932:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/ses0
[   84.764677]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[   84.808459] audit: type=1400 audit(1621001104.932:12): avc:  denied  { transition } for  pid=374 comm="login" path="/usr/lib/busybox/bin/sh" dev="mmcblk2p2" ino=1921 scontext=system_u:system_r:kernel_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=proce0

Poky (Yocto Project Reference Distro) 3.1.7 imx8mmevk ttymxc1

imx8mmevk login: [   94.988451] audit: type=1107 audit(1621001115.197:13): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline=0
[   94.988451]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

imx8mmevk login: root
Last login: Fri May 14 14:05:04 UTC 2021 on ttymxc1
[  102.258579] audit: type=1107 audit(1621001122.465:14): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline="/lib/systemd/sy0
[  102.258579]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Cannot execute /bin/sh: No such f[  102.298664] audit: type=1107 audit(1621001122.481:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/ses0
[  102.298664]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[  102.342430] audit: type=1400 audit(1621001122.485:16): avc:  denied  { transition } for  pid=379 comm="login" path="/usr/lib/busybox/bin/sh" dev="mmcblk2p2" ino=1921 scontext=system_u:system_r:kernel_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=proce0

Poky (Yocto Project Reference Distro) 3.1.7 imx8mmevk ttymxc1

imx8mmevk login: [  112.488345] audit: type=1107 audit(1621001132.697:17): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline=0
[  112.488345]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

imx8mmevk login:
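Added example (not part of the original thread or of meta-selinux): a Python triage script for a serial-console capture like the one above. It separates kernel audit records from userspace output printed mid-line, discards the last token of lines the terminal cut off, and tallies the subject domains. The function names and the cut-line heuristic (odd quote count, missing tclass, or a kernel AVC without permissive=) are assumptions made for this example; SAMPLE is an excerpt of the capture above.

```python
import re
from collections import Counter

# Excerpt (timestamps 84.72-84.81) of the console capture posted in this thread.
SAMPLE = """\
[   84.724596] audit: type=1107 audit(1621001104.928:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline="/lib/systemd/sy0
[   84.724596]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Cannot execute /bin/sh: No such f[   84.764677] audit: type=1107 audit(1621001104.932:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/ses0
[   84.764677]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[   84.808459] audit: type=1400 audit(1621001104.932:12): avc:  denied  { transition } for  pid=374 comm="login" path="/usr/lib/busybox/bin/sh" dev="mmcblk2p2" ino=1921 scontext=system_u:system_r:kernel_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=proce0
"""

PRINTK = re.compile(r"\[\s*(\d+\.\d+)\] ?")          # "[   84.724596] "
HEADER = re.compile(r"audit: type=(\d+) audit\(\d+\.\d+:(\d+)\):")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key="quoted" or key=bare
WANTED = ("subj", "scontext", "tcontext", "tclass", "comm", "path")


def parse_console(text):
    """Return (denials, stray): AVC denials (type 1400 = kernel AVC,
    1107 = USER_AVC from a userspace object manager such as systemd) and
    any userspace text that shared a line with a kernel message."""
    records, stray = [], []
    for raw in text.splitlines():
        stamp = PRINTK.search(raw)
        before = raw[:stamp.start()] if stamp else raw
        if before.strip():
            stray.append(before.strip())             # e.g. login's own error text
        if not stamp:
            continue
        ts, body = stamp.group(1), raw[stamp.end():]
        fields = FIELD.findall(body)
        head, perms = HEADER.match(body), PERMS.search(body)
        if not head:
            # Second line of a multi-line record: same printk timestamp.
            if records and records[-1]["ts"] == ts:
                records[-1]["exe"] = dict(fields).get("exe", "").strip('"') or None
            continue
        if not perms:
            continue                                 # audit record, but not a denial
        names = [k for k, _ in fields]
        # Heuristic for a line cut by the terminal: unbalanced quotes, no
        # tclass at all, or a kernel AVC that lacks its closing permissive=.
        cut = (body.count('"') % 2 == 1 or "tclass" not in names
               or (head.group(1) == "1400" and "permissive" not in names))
        if cut:
            fields = fields[:-1]                     # last token on a cut line is unreliable
        got = {k: v.strip('"') for k, v in fields}
        records.append({"ts": ts, "type": int(head.group(1)),
                        "serial": int(head.group(2)),
                        "perms": perms.group(1).split(),
                        "truncated": cut, "exe": None,
                        **{k: got.get(k) for k in WANTED}})
    return records, stray


def domains_seen(records):
    """Count the SELinux type (third context field) of every subject context."""
    seen = Counter()
    for rec in records:
        for key in ("subj", "scontext"):
            if rec[key]:
                seen[rec[key].split(":")[2]] += 1
    return seen


if __name__ == "__main__":
    recs, stray = parse_console(SAMPLE)
    for r in recs:
        src = r["scontext"] or r["subj"]
        print(f'{r["ts"]:>11} type={r["type"]} {{{" ".join(r["perms"])}}} src={src} '
              f'tcontext={r["tcontext"]} tclass={r["tclass"]} path={r["path"]}'
              f'{"  [line cut]" if r["truncated"] else ""}')
    print("subject domains:", dict(domains_seen(recs)))
    print("userspace output between records:", stray)
```

On this excerpt every subject context has type kernel_t, for pid 1 (systemd) as well as for login, and all three records are flagged as cut, so the missing tclass values have to come from a complete capture.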


Richard Purdie
 

On Sat, 2021-05-15 at 22:15 -0400, Brian Hutchinson wrote:
>
>
> On Fri, May 14, 2021 at 12:35 AM Yi Zhao <yi.zhao@windriver.com> wrote:
> >
> > On 5/14/21 9:40 AM, Brian Hutchinson wrote:
> >
> > > Hi,
> > >
> > > Pretty new to selinux.  I've worked through a lot of issues to get this far but am stumped at the moment
> > > so any pointers, clues are appreciated.
> > >
> > > I'm trying to add selinux to my custom image.  After running into problems, I decided it was best to
> > > start with building core-image-selinux for my NXP imx8mm-evk board as a reference for getting my custom
> > > image to work.
> > >
> > > I'm using fscl-community-bsp meta-freescale Dunfell release which is building a 5.4.114 kernel.
> > >
> > > My first issues were getting kernel config options right (.config attached).  I kept booting my rootfs
> > > and sestatus would result in selinux not being enabled.
> > >
> > > After getting kernel config somewhat worked out, then I started getting either boot loops or locked out.
> > >
> > > I'll stay focused on my core-image-selinux image as hopefully if I can get it working it will help me
> > > get my custom image working too.
> > >
> > > Here is my last iteration of my local.conf that results in me not being able to log in.  With core-
> > > image-selinux image, it freezes before it gets to login prompt.  On my custom image, I get log in prompt
> > > but when I try to log in as root I get audit messages and dropped back to login prompt.
> > >
> > > local.conf for core-image-selinux:
> > >
> > > MACHINE ??= 'imx8mmevk'
> > >  DISTRO ?= 'poky'
> > >  PACKAGE_CLASSES ?= 'package_rpm'
> > >  EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
> > >  DISTRO_FEATURES_remove = " sysvinit"
> > >  DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
> > >  VIRTUAL-RUNTIME_init_manager = "systemd"
> > >  DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
> > >  PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
> >
> > You can try refpolicy-mcs or refpolicy-targeted. The mls policy doesn't work for systemd on dunfell.
> >
> > //Yi
> >
>
>  Thank you very much for that!  I made that change to my core-image-selinux build and it worked!  When it
> booted I saw a systemd process take a while to finish, I assume that was the relabel process.  And when I
> logged in as root, there is a significant delay before being logged in, not sure what is going on there.
>
> When I made the same change to my imx8mm-evk core-image-base image with selinux added, I saw the same
> systemd process run but it didn't take quite as long and it made the system reboot.  Once it rebooted I did
> get a login prompt but it won't let me login as root.  So something is still misconfigured and still at a
> loss as to what to look at next.

I know nothing about this but I was surprised you were using busybox login
utilities with selinux. I'm not sure if that is well tested or not...

Cheers,

Richard


Brian Hutchinson <b.hutchman@...>
 



On Sun, May 16, 2021, 9:07 AM Richard Purdie <richard.purdie@...> wrote:
On Sat, 2021-05-15 at 22:15 -0400, Brian Hutchinson wrote:
>
>
> On Fri, May 14, 2021 at 12:35 AM Yi Zhao <yi.zhao@...> wrote:
> >
> > On 5/14/21 9:40 AM, Brian Hutchinson wrote:
> >  
> > > Hi,
> > >
> > > Pretty new to selinux.  I've worked through a lot of issues to get this far but am stumped at the moment
> > > so any pointers, clues are appreciated.
> > >
> > > I'm trying to add selinux to my custom image.  After running into problems, I decided it was best to
> > > start with building core-image-selinux for my NXP imx8mm-evk board as a reference for getting my custom
> > > image to work.
> > >
> > > I'm using fscl-community-bsp meta-freescale Dunfell release which is building a 5.4.114 kernel.
> > >
> > > My first issues were getting kernel config options right (.config attached).  I kept booting my rootfs
> > > and sestatus would result in selinux not being enabled.
> > >
> > > After getting kernel config somewhat worked out, then I started getting either boot loops or locked out.
> > >
> > > I'll stay focused on my core-image-selinux image as hopefully if I can get it working it will help me
> > > get my custom image working too.
> > >
> > > Here is my last iteration of my local.conf that results in me not being able to log in.  With core-
> > > image-selinux image, it freezes before it gets to login prompt.  On my custom image, I get log in prompt
> > > but when I try to log in as root I get audit messages and dropped back to login prompt.
> > >
> > > local.conf for core-image-selinux:
> > >
> > > MACHINE ??= 'imx8mmevk'
> > >  DISTRO ?= 'poky'
> > >  PACKAGE_CLASSES ?= 'package_rpm'
> > >  EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
> > >  DISTRO_FEATURES_remove = " sysvinit"
> > >  DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
> > >  VIRTUAL-RUNTIME_init_manager = "systemd"
> > >  DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
> > >  PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
> >
> > You can try refpolicy-mcs or refpolicy-targeted. The mls policy doesn't work for systemd on dunfell.
> >  
> > //Yi
> >
>
>  Thank you very much for that!  I made that change to my core-image-selinux build and it worked!  When it
> booted I saw a systemd process take a while to finish, I assume that was the relabel process.  And when I
> logged in as root, there is a significant delay before being logged in, not sure what is going on there.
>
> When I made the same change to my imx8mm-evk core-image-base image with selinux added, I saw the same
> systemd process run but it didn't take quite as long and it made the system reboot.  Once it rebooted I did
> get a login prompt but it won't let me login as root.  So something is still misconfigured and still at a
> loss as to what to look at next.

I know nothing about this but I was surprised you were using busybox login 
utilities with selinux. I'm not sure if that is well tested or not...

Cheers,

Richard

Hey Richard,  good to hear from you again (last was ELC-E).

I really didn't change anything except add selinux layer and (attempt) to follow instructions on meta-selinux README.

I guess we're the blind leading the blind.  This is my first attempt to incorporate selinux into custom image so be gentle ;).

Regards,

Brian



Brian Hutchinson <b.hutchman@...>
 


imx8mmevk login: root
Last login: Fri May 14 14:05:04 UTC 2021 on ttymxc1
[  102.258579] audit: type=1107 audit(1621001122.465:14): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline="/lib/systemd/sy0
[  102.258579]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Cannot execute /bin/sh: No such f[  102.298664] audit: type=1107 audit(1621001122.481:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/ses0

There was an error: Cannot execute /bin/sh: No such file

Would you please check this file in your rootfs?

You can add "selinux=1 enforcing=0" to your kernel boot cmdline to enable selinux permissive mode. Then you can debug easily.


//Yi


Hi Yi,

I never could figure out which specific file wasn't found.

I did however pass "selinux=1 enforcing=0" to kernel and can now log in.  But of course selinux isn't in "enforcing" mode.

I do get tons of audit messages.  Does this mean I need to do "policy work" to address these messages and get back to "enforcing" mode?  I guess I still don't understand the issues here ... again new to selinux.

Will copy latest log of booting below.

Thanks,

Brian

local.conf:

MACHINE ??= 'imx8mmevk'
DISTRO ?= 'poky'
PACKAGE_CLASSES ?= 'package_rpm'
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
DISTRO_FEATURES_remove = " sysvinit"
DISTRO_FEATURES_append += " acl xattr pam selinux systemd"
#PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-minimum"
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mcs"
VIRTUAL-RUNTIME_init_manager = "systemd"
#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
#VIRTUAL-RUNTIME_initscripts = ""
USER_CLASSES ?= "buildstats image-mklibs image-prelink"
#IMAGE_INSTALL_append = " packagegroup-core-selinux"
CORE_IMAGE_EXTRA_INSTALL += " packagegroup-core-selinux"
DISTRO_FEATURES_remove = "3g bluetooth wifi pci pcmcia wayland x11 opengl irda directfb"
IMAGE_FSTYPES += " tar.bz2 ext4 wic.bz2 wic.bmap"
PATCHRESOLVE = "noop"
BB_DISKMON_DIRS ??= "\
   STOPTASKS,${TMPDIR},1G,100K \
   STOPTASKS,${DL_DIR},1G,100K \
   STOPTASKS,${SSTATE_DIR},1G,100K \
   STOPTASKS,/tmp,100M,100K \
   ABORT,${TMPDIR},100M,1K \
   ABORT,${DL_DIR},100M,1K \
   ABORT,${SSTATE_DIR},100M,1K \
   ABORT,/tmp,10M,1K"
PACKAGECONFIG_append_pn-qemu-system-native = " sdl"
CONF_VERSION = "1"

DL_DIR ?= "${BSPDIR}/downloads/"
ACCEPT_FSL_EULA = "1"

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.4.114+gf9a9b58ef7cc (oe-user@oe-host) (gcc version 9.3.0 (GCC)) #1 SMP PREEMPT Thu Apr 22 11:48:16 UTC 2021
[    0.000000] Machine model: FSL i.MX8MM EVK board
[    0.000000] earlycon: ec_imx6q0 at MMIO 0x0000000030890000 (options '115200')
[    0.000000] printk: bootconsole [ec_imx6q0] enabled
[    0.000000] efi: Getting EFI parameters from FDT:
[    0.000000] efi: UEFI not found.
[    0.000000] Reserved memory: created CMA memory pool at 0x0000000078000000, size 640 MiB
[    0.000000] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool
[    0.000000] NUMA: No NUMA configuration found
[    0.000000] NUMA: Faking a node at [mem 0x0000000040000000-0x00000000bdffffff]
[    0.000000] NUMA: NODE_DATA [mem 0xbdbe0500-0xbdbe1fff]
[    0.000000] Zone ranges:
[    0.000000]   DMA32    [mem 0x0000000040000000-0x00000000bdffffff]
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000b7ffffff]
[    0.000000]   node   0: [mem 0x00000000b8000000-0x00000000b83fffff]
[    0.000000]   node   0: [mem 0x00000000b8400000-0x00000000bdffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bdffffff]
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.1 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: Trusted OS migration not required
[    0.000000] psci: SMC Calling Convention v1.1
[    0.000000] percpu: Embedded 24 pages/cpu s58904 r8192 d31208 u98304
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: detected: ARM erratum 845719
[    0.000000] CPU features: detected: GIC system register CPU interface
[    0.000000] Speculative Store Bypass Disable mitigation not required
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 508032
[    0.000000] Policy zone: DMA32
[    0.000000] Kernel command line: console=ttymxc1,115200 earlycon=ec_imx6q,0x30890000,115200 selinux=1 enforcing=0 rootwait ro root=/dev/mmcblk2p2 rauc.slot=B
[    0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[    0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 1336216K/2064384K available (16508K kernel code, 1234K rwdata, 6480K rodata, 2880K init, 1038K bss, 72808K reserved, 655360K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Preemptible hierarchical RCU implementation.
[    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=256 to nr_cpu_ids=4.
[    0.000000]  Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[    0.000000] GICv3: 128 SPIs implemented
[    0.000000] GICv3: 0 Extended SPIs implemented
[    0.000000] GICv3: Distributor has no Range Selector support
[    0.000000] GICv3: 16 PPIs implemented
[    0.000000] GICv3: no VLPI support, no direct LPI support
[    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000
[    0.000000] ITS: No ITS available, not enabling LPIs
[    0.000000] random: get_random_bytes called from start_kernel+0x2b8/0x43c with crng_init=0
[    0.000000] arch_timer: cp15 timer(s) running at 8.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1d854df40, max_idle_ns: 440795202120 ns
[    0.000003] sched_clock: 56 bits at 8MHz, resolution 125ns, wraps every 2199023255500ns
[    0.008456] Console: colour dummy device 80x25
[    0.012581] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.00 BogoMIPS (lpj=32000)
[    0.022844] pid_max: default: 32768 minimum: 301
[    0.027542] LSM: Security Framework initializing
[    0.032140] SELinux:  Initializing.
[    0.035679] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.043062] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.052065] ASID allocator initialised with 32768 entries
[    0.056439] rcu: Hierarchical SRCU implementation.
[    0.062123] EFI services will not be available.
[    0.065889] smp: Bringing up secondary CPUs ...
[    0.070645] Detected VIPT I-cache on CPU1
[    0.070669] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000
[    0.070699] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.071094] Detected VIPT I-cache on CPU2
[    0.071111] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000
[    0.071129] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.071498] Detected VIPT I-cache on CPU3
[    0.071512] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000
[    0.071527] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.071579] smp: Brought up 1 node, 4 CPUs
[    0.126888] SMP: Total of 4 processors activated.
[    0.131607] CPU features: detected: 32-bit EL0 Support
[    0.136781] CPU features: detected: CRC32 instructions
[    0.148799] CPU: All CPU(s) started at EL2
[    0.150070] alternatives: patching kernel code
[    0.155972] devtmpfs: initialized
[    0.163712] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.170666] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.194350] pinctrl core: initialized pinctrl subsystem
[    0.197431] DMI not present or invalid.
[    0.200869] NET: Registered protocol family 16
[    0.212126] DMA: preallocated 256 KiB pool for atomic allocations
[    0.215425] audit: initializing netlink subsys (disabled)
[    0.221074] audit: type=2000 audit(0.160:1): state=initialized audit_enabled=0 res=1
[    0.228628] cpuidle: using governor menu
[    0.233081] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.240148] Serial: AMBA PL011 UART driver
[    0.243532] imx mu driver is registered.
[    0.247422] imx rpmsg driver is registered.
[    0.256559] imx8mm-pinctrl 30330000.pinctrl: initialized IMX pinctrl driver
[    0.277795] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[    0.281689] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[    0.288409] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.295145] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[    0.302773] cryptd: max_cpu_qlen set to 1000
[    0.309110] ACPI: Interpreter disabled.
[    0.310834] iommu: Default domain type: Translated  
[    0.315168] vgaarb: loaded
[    0.317981] SCSI subsystem initialized
[    0.321822] usbcore: registered new interface driver usbfs
[    0.327027] usbcore: registered new interface driver hub
[    0.332343] usbcore: registered new device driver usb
[    0.338578] mc: Linux media interface: v0.10
[    0.341707] videodev: Linux video capture interface: v2.00
[    0.347255] pps_core: LinuxPPS API ver. 1 registered
[    0.352184] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@...>
[    0.361379] PTP clock support registered
[    0.365426] EDAC MC: Ver: 3.0.0
[    0.369219] No BMan portals available!
[    0.372429] QMan: Allocated lookup table at (____ptrval____), entry count 65537
[    0.379832] No QMan portals available!
[    0.383713] No USDPAA memory, no 'fsl,usdpaa-mem' in device-tree
[    0.389771] FPGA manager framework
[    0.392851] Advanced Linux Sound Architecture Driver Initialized.
[    0.399282] Bluetooth: Core ver 2.22
[    0.402510] NET: Registered protocol family 31
[    0.406961] Bluetooth: HCI device and connection manager initialized
[    0.413350] Bluetooth: HCI socket layer initialized
[    0.418248] Bluetooth: L2CAP socket layer initialized
[    0.423330] Bluetooth: SCO socket layer initialized
[    0.428975] clocksource: Switched to clocksource arch_sys_counter
[    0.434507] VFS: Disk quotas dquot_6.6.0
[    0.438331] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.445357] pnp: PnP ACPI: disabled
[    0.454274] thermal_sys: Registered thermal governor 'step_wise'
[    0.454279] thermal_sys: Registered thermal governor 'power_allocator'
[    0.457769] NET: Registered protocol family 2
[    0.468700] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[    0.477008] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.485043] TCP bind hash table entries: 16384 (order: 6, 262144 bytes, linear)
[    0.492505] TCP: Hash tables configured (established 16384 bind 16384)
[    0.498928] UDP hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.505618] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.512899] NET: Registered protocol family 1
[    0.517459] RPC: Registered named UNIX socket transport module.
[    0.523088] RPC: Registered udp transport module.
[    0.527803] RPC: Registered tcp transport module.
[    0.532528] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.539385] PCI: CLS 0 bytes, default 64
[    0.543722] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[    0.551061] kvm [1]: IPA Size Limit: 40 bits
[    0.555620] kvm [1]: GICv3: no GICV resource entry
[    0.559830] kvm [1]: disabling GICv2 emulation
[    0.564304] kvm [1]: GIC system register CPU interface enabled
[    0.570207] kvm [1]: vgic interrupt IRQ1
[    0.574184] kvm [1]: Hyp mode initialized successfully
[    0.582033] Initialise system trusted keyrings
[    0.583816] workingset: timestamp_bits=44 max_order=19 bucket_order=0
[    0.595952] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.599542] NFS: Registering the id_resolver key type
[    0.604059] Key type id_resolver registered
[    0.608228] Key type id_legacy registered
[    0.612258] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.618989] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.626441] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.632909] 9p: Installing v9fs 9p2000 file system support
[    0.651715] Key type asymmetric registered
[    0.652956] Asymmetric key parser 'x509' registered
[    0.657891] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 244)
[    0.665301] io scheduler mq-deadline registered
[    0.669849] io scheduler kyber registered
[    0.678038] EINJ: ACPI disabled.
[    0.686739] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2
[    0.694396] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin
[    0.711570] mxs-dma 33000000.dma-controller: initialized
[    0.715081] Bus freq driver module loaded
[    0.723138] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.728538] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 34, base_baud = 1500000) is a IMX
[    0.735469] printk: console [ttymxc1] enabled
[    0.735469] printk: console [ttymxc1] enabled
[    0.744109] printk: bootconsole [ec_imx6q0] disabled
[    0.744109] printk: bootconsole [ec_imx6q0] disabled
[    0.756061] imx-drm soc@0:bus@32c00000:display-subsystem: no available port
[    0.774364] loop: module loaded
[    0.779430] imx ahci driver is registered.
[    0.786198] spi_imx 30830000.spi: probed
[    0.791030] spi-nor spi3.0: n25q256ax1 (32768 Kbytes)
[    0.796126] 7 fixed-partitions partitions found on MTD device 30bb0000.spi
[    0.803006] Creating 7 MTD partitions on "30bb0000.spi":
[    0.808325] 0x000000000000-0x000000200000 : "U-Boot"
[    0.817665] 0x000000200000-0x000000202000 : "U-Boot Env"
[    0.822995] mtd: partition "U-Boot Env" doesn't end on an erase/write block -- force read-only
[    0.833562] 0x000000202000-0x000000204000 : "U-Boot Env 2"
[    0.839058] mtd: partition "U-Boot Env 2" doesn't start on an erase/write block boundary -- force read-only
[    0.853558] 0x000000204000-0x000000205000 : "boot.scr"
[    0.858708] mtd: partition "boot.scr" doesn't start on an erase/write block boundary -- force read-only
[    0.869560] 0x000000205000-0x000000210000 : "Device Tree Blob"
[    0.875403] mtd: partition "Device Tree Blob" doesn't start on an erase/write block boundary -- force read-only
[    0.889564] 0x000000210000-0x000000e10000 : "Compressed Kernel"
[    0.897581] 0x000000e10000-0x000002000000 : "SquashFS"
[    0.906803] libphy: Fixed MDIO Bus: probed
[    0.911599] tun: Universal TUN/TAP device driver, 1.6
[    0.917348] thunder_xcv, ver 1.0
[    0.920605] thunder_bgx, ver 1.0
[    0.923868] nicpf, ver 1.0
[    0.927790] pps pps0: new PPS source ptp0
[    0.944179] libphy: fec_enet_mii_bus: probed
[    0.948992] fec 30be0000.ethernet eth0: registered PHC device 0
[    0.955460] Freescale FM module, FMD API version 21.1.0
[    0.960912] Freescale FM Ports module
[    0.964580] fsl_mac: fsl_mac: FSL FMan MAC API based driver
[    0.970316] fsl_dpa: FSL DPAA Ethernet driver
[    0.974768] fsl_advanced: FSL DPAA Advanced drivers:
[    0.979737] fsl_proxy: FSL DPAA Proxy initialization driver
[    0.985398] fsl_oh: FSL FMan Offline Parsing port driver
[    0.991478] hclge is initializing
[    0.994802] hns3: Hisilicon Ethernet Network Driver for Hip08 Family - version
[    1.002027] hns3: Copyright (c) 2017 Huawei Corporation.
[    1.007388] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    1.014441] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.020217] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[    1.026053] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    1.032008] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.6.0-k
[    1.038977] igb: Copyright (c) 2007-2014 Intel Corporation.
[    1.044581] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.4.0-k
[    1.052413] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[    1.058472] sky2: driver version 1.30
[    1.062994] VFIO - User Level meta-driver version: 0.3
[    1.069765] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.076300] ehci-pci: EHCI PCI platform driver
[    1.080817] ehci-platform: EHCI generic platform driver
[    1.086195] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    1.092398] ohci-pci: OHCI PCI platform driver
[    1.096883] ohci-platform: OHCI generic platform driver
[    1.102594] usbcore: registered new interface driver usb-storage
[    1.108673] usbcore: registered new interface driver usbserial_generic
[    1.115219] usbserial: USB Serial support registered for generic
[    1.121250] usbcore: registered new interface driver ftdi_sio
[    1.127012] usbserial: USB Serial support registered for FTDI USB Serial Device
[    1.134346] usbcore: registered new interface driver usb_serial_simple
[    1.140888] usbserial: USB Serial support registered for carelink
[    1.146996] usbserial: USB Serial support registered for zio
[    1.152669] usbserial: USB Serial support registered for funsoft
[    1.158690] usbserial: USB Serial support registered for flashloader
[    1.165062] usbserial: USB Serial support registered for google
[    1.170997] usbserial: USB Serial support registered for libtransistor
[    1.177539] usbserial: USB Serial support registered for vivopay
[    1.183559] usbserial: USB Serial support registered for moto_modem
[    1.189846] usbserial: USB Serial support registered for motorola_tetra
[    1.196480] usbserial: USB Serial support registered for novatel_gps
[    1.202850] usbserial: USB Serial support registered for hp4x
[    1.208613] usbserial: USB Serial support registered for suunto
[    1.214550] usbserial: USB Serial support registered for siemens_mpi
[    1.223273] input: 30370000.snvs:snvs-powerkey as /devices/platform/soc@0/soc@0:bus@30000000/30370000.snvs/30370000.snvs:snvs-powerkey/input/input0
[    1.238261] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc0
[    1.244525] i2c /dev entries driver
[    1.252482] imx2-wdt 30280000.watchdog: timeout 60 sec (nowayout=0)
[    1.259024] Bluetooth: HCI UART driver ver 2.3
[    1.263482] Bluetooth: HCI UART protocol H4 registered
[    1.268627] Bluetooth: HCI UART protocol BCSP registered
[    1.273975] Bluetooth: HCI UART protocol LL registered
[    1.279119] Bluetooth: HCI UART protocol ATH3K registered
[    1.284536] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    1.290883] Bluetooth: HCI UART protocol Broadcom registered
[    1.296567] Bluetooth: HCI UART protocol QCA registered
[    1.303543] sdhci: Secure Digital Host Controller Interface driver
[    1.309736] sdhci: Copyright(c) Pierre Ossman
[    1.314266] Synopsys Designware Multimedia Card Interface Driver
[    1.320775] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.327179] mmc1: CQHCI version 5.10
[    1.331244] mmc2: CQHCI version 5.10
[    1.366687] mmc2: SDHCI controller on 30b60000.mmc [30b60000.mmc] using ADMA
[    1.375998] ledtrig-cpu: registered to indicate activity on CPUs
[    1.383126] caam 30900000.crypto: device ID = 0x0a16040100000000 (Era 9)
[    1.389897] caam 30900000.crypto: job rings = 3, qi = 0
[    1.405062] caam algorithms registered in /proc/crypto
[    1.410957] caam 30900000.crypto: caam pkc algorithms registered in /proc/crypto
[    1.421068] caam_jr 30901000.jr: registering rng-caam
[    1.430101] caam-snvs 30370000.caam-snvs: can't get snvs clock
[    1.436043] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state
[    1.444463] usbcore: registered new interface driver usbhid
[    1.450044] usbhid: USB HID core driver
[    1.455567] No fsl,qman node
[    1.458510] Freescale USDPAA process driver
[    1.462698] fsl-usdpaa: no region found
[    1.466539] Freescale USDPAA process IRQ driver
[    1.474129] optee: probing for conduit method from DT.
[    1.475305] mmc2: Command Queue Engine enabled
[    1.479321] optee: revision 3.2 (6a22e6e8)
[    1.479658] optee: dynamic shared memory is enabled
[    1.483772] mmc2: new HS400 Enhanced strobe MMC card at address 0001
[    1.488029] optee: initialized driver
[    1.493604] mmcblk2: mmc2:0001 DG4016 7.49 GiB  
[    1.501979] wm8524-codec audio-codec: Failed to get mute line: -517
[    1.502950] mmcblk2boot0: mmc2:0001 DG4016 partition 1 4.00 MiB
[    1.507807] OF: /sound-bt-sco/simple-audio-card,cpu: could not get #sound-dai-cells for /soc@0/bus@30000000/sai@30020000
[    1.513720] mmcblk2boot1: mmc2:0001 DG4016 partition 2 4.00 MiB
[    1.519517] asoc-simple-card sound-bt-sco: parse error -22
[    1.530510] mmcblk2gp0: mmc2:0001 DG4016 partition 4 3.52 GiB
[    1.536315] asoc-simple-card: probe of sound-bt-sco failed with error -22
[    1.542169] mmcblk2rpmb: mmc2:0001 DG4016 partition 3 4.00 MiB, chardev (237:0)
[    1.561481] pktgen: Packet Generator for packet performance testing. Version: 2.75
[    1.564417]  mmcblk2: p1 p2
[    1.572849] NET: Registered protocol family 26
[    1.574516]  mmcblk2gp0: p1 p2
[    1.577793] NET: Registered protocol family 10
[    1.585567] Segment Routing with IPv6
[    1.589288] NET: Registered protocol family 17
[    1.594157] Bluetooth: RFCOMM TTY layer initialized
[    1.599050] Bluetooth: RFCOMM socket layer initialized
[    1.604216] Bluetooth: RFCOMM ver 1.11
[    1.607979] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.613296] Bluetooth: BNEP filters: protocol multicast
[    1.618527] Bluetooth: BNEP socket layer initialized
[    1.623496] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.629422] Bluetooth: HIDP socket layer initialized
[    1.634425] 8021q: 802.1Q VLAN Support v1.8
[    1.638627] lib80211: common routines for IEEE802.11 drivers
[    1.644399] 9pnet: Installing 9P2000 support
[    1.648700] tsn generic netlink module v1 init...
[    1.653467] Key type dns_resolver registered
[    1.658548] registered taskstats version 1
[    1.662659] Loading compiled-in X.509 certificates
[    1.690319] usb_phy_generic usbphynop1: usbphynop1 supply vcc not found, using dummy regulator
[    1.699097] usb_phy_generic usbphynop2: usbphynop2 supply vcc not found, using dummy regulator
[    1.768167] random: fast init done
[    1.777959] LDO6: supplied by regulator-dummy
[    1.782459] i2c i2c-0: IMX I2C adapter registered
[    1.788173] i2c i2c-1: IMX I2C adapter registered
[    1.794032] i2c i2c-2: IMX I2C adapter registered
[    1.799548] i2c i2c-3: IMX I2C adapter registered
[    1.804568] imx-cpufreq-dt imx-cpufreq-dt: cpu speed grade 2 mkt segment 2 supported-hw 0x4 0x4
[    1.817070] mmc1: CQHCI version 5.10
[    1.820686] sdhci-esdhc-imx 30b50000.mmc: Got CD GPIO
[    1.857690] mmc1: SDHCI controller on 30b50000.mmc [30b50000.mmc] using ADMA
[    1.866383] imx8mm-pinctrl 30330000.pinctrl: pin MX8MM_IOMUXC_I2C4_SDA already requested by 30a50000.i2c; cannot claim for audio-codec
[    1.878499] imx8mm-pinctrl 30330000.pinctrl: pin-140 (audio-codec) status -22
[    1.885659] imx8mm-pinctrl 30330000.pinctrl: could not request pin 140 (MX8MM_IOMUXC_I2C4_SDA) from group gpiowlfgrp  on device 30330000.pinctrl
[    1.898619] wm8524-codec audio-codec: Error applying setting, reverse things back
[    1.906118] wm8524-codec: probe of audio-codec failed with error -22
[    1.920810] input: bd718xx-pwrkey as /devices/platform/soc@0/soc@0:bus@30800000/30a20000.i2c/i2c-0/0-004b/gpio-keys.1.auto/input/input1
[    1.934862] snvs_rtc 30370000.snvs:snvs-rtc-lp: setting system clock to 2021-05-17T19:16:30 UTC (1621278990)
[    1.945050] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    1.956079] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    1.962679] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[    1.967851] ALSA device list:
[    1.971304] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[    1.974275]   No soundcards found.
[    1.992312] EXT4-fs (mmcblk2p2): mounted filesystem with ordered data mode. Opts: (null)
[    2.000462] VFS: Mounted root (ext4 filesystem) readonly on device 179:2.
[    2.007931] devtmpfs: mounted
[    2.011691] Freeing unused kernel memory: 2880K
[    2.029603] Run /sbin/init as init process
[    2.215985] SELinux:  Permission watch in class filesystem not defined in policy.
[    2.223579] SELinux:  Permission watch in class file not defined in policy.
[    2.230546] SELinux:  Permission watch_mount in class file not defined in policy.
[    2.238041] SELinux:  Permission watch_sb in class file not defined in policy.
[    2.245264] SELinux:  Permission watch_with_perm in class file not defined in policy.
[    2.253104] SELinux:  Permission watch_reads in class file not defined in policy.
[    2.260596] SELinux:  Permission watch in class dir not defined in policy.
[    2.267481] SELinux:  Permission watch_mount in class dir not defined in policy.
[    2.274878] SELinux:  Permission watch_sb in class dir not defined in policy.
[    2.282023] SELinux:  Permission watch_with_perm in class dir not defined in policy.
[    2.289767] SELinux:  Permission watch_reads in class dir not defined in policy.
[    2.297197] SELinux:  Permission watch in class lnk_file not defined in policy.
[    2.304506] SELinux:  Permission watch_mount in class lnk_file not defined in policy.
[    2.312346] SELinux:  Permission watch_sb in class lnk_file not defined in policy.
[    2.319917] SELinux:  Permission watch_with_perm in class lnk_file not defined in policy.
[    2.328103] SELinux:  Permission watch_reads in class lnk_file not defined in policy.
[    2.335945] SELinux:  Permission watch in class chr_file not defined in policy.
[    2.343263] SELinux:  Permission watch_mount in class chr_file not defined in policy.
[    2.351094] SELinux:  Permission watch_sb in class chr_file not defined in policy.
[    2.358673] SELinux:  Permission watch_with_perm in class chr_file not defined in policy.
[    2.366851] SELinux:  Permission watch_reads in class chr_file not defined in policy.
[    2.374700] SELinux:  Permission watch in class blk_file not defined in policy.
[    2.382010] SELinux:  Permission watch_mount in class blk_file not defined in policy.
[    2.389849] SELinux:  Permission watch_sb in class blk_file not defined in policy.
[    2.397420] SELinux:  Permission watch_with_perm in class blk_file not defined in policy.
[    2.405604] SELinux:  Permission watch_reads in class blk_file not defined in policy.
[    2.413442] SELinux:  Permission watch in class sock_file not defined in policy.
[    2.420848] SELinux:  Permission watch_mount in class sock_file not defined in policy.
[    2.428765] SELinux:  Permission watch_sb in class sock_file not defined in policy.
[    2.436432] SELinux:  Permission watch_with_perm in class sock_file not defined in policy.
[    2.444697] SELinux:  Permission watch_reads in class sock_file not defined in policy.
[    2.452629] SELinux:  Permission watch in class fifo_file not defined in policy.
[    2.460026] SELinux:  Permission watch_mount in class fifo_file not defined in policy.
[    2.467952] SELinux:  Permission watch_sb in class fifo_file not defined in policy.
[    2.475609] SELinux:  Permission watch_with_perm in class fifo_file not defined in policy.
[    2.483883] SELinux:  Permission watch_reads in class fifo_file not defined in policy.
[    2.492124] SELinux: the above unknown classes and permissions will be allowed
[    2.499365] SELinux:  policy capability network_peer_controls=1
[    2.505286] SELinux:  policy capability open_perms=1
[    2.510257] SELinux:  policy capability extended_socket_class=1
[    2.516178] SELinux:  policy capability always_check_network=0
[    2.522020] SELinux:  policy capability cgroup_seclabel=1
[    2.527419] SELinux:  policy capability nnp_nosuid_transition=1
[    2.568189] audit: type=1403 audit(1621278991.128:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    2.575086] systemd[1]: Successfully loaded SELinux policy in 470.187ms.
[    2.679441] systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 67.430ms.
[    2.698739] systemd[1]: systemd 244.5+ running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid)
[    2.720751] systemd[1]: Detected architecture arm64.

Welcome to Poky (Yocto Project Reference Distro) 3.1.7 (dunfell)!

[    2.770395] systemd[1]: Set hostname to <imx8mmevk>.
[    2.987359] random: systemd: uninitialized urandom read (16 bytes read)
[    2.994151] systemd[1]: system-getty.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.
[    3.006508] systemd[1]: (This warning is only shown for the first unit using IP firewalling.)
[    3.017228] systemd[1]: Created slice system-getty.slice.
[  OK  ] Created slice system-getty.slice.
[    3.041142] random: systemd: uninitialized urandom read (16 bytes read)
[    3.049106] systemd[1]: Created slice system-serial\x2dgetty.slice.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[    3.073967] random: systemd: uninitialized urandom read (16 bytes read)
[    3.081927] systemd[1]: Created slice User and Session Slice.
[  OK  ] Created slice User and Session Slice.
[    3.105772] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[    3.129703] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[    3.153228] systemd[1]: Reached target Paths.
[  OK  ] Reached target Paths.
[    3.173117] systemd[1]: Reached target Remote File Systems.
[  OK  ] Reached target Remote File Systems.
[    3.197804] systemd[1]: Reached target Slices.
[  OK  ] Reached target Slices.
[    3.218106] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[    3.243169] systemd[1]: Listening on RPCbind Server Activation Socket.
[  OK  ] Listening on RPCbind Server Activation Socket.
[    3.265157] systemd[1]: Reached target RPC Port Mapper.
[  OK  ] Reached target RPC Port Mapper.
[    3.290401] systemd[1]: Listening on Syslog Socket.
[  OK  ] Listening on Syslog Socket.
[    3.310084] systemd[1]: Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[    3.335182] systemd[1]: Listening on Journal Audit Socket.
[    3.335316] audit: type=1400 audit(1621278991.896:3): avc:  denied  { audit_read } for  pid=1 comm="systemd" capability=37  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[  OK  ] Listening on Journal Audit Socket.
[    3.377935] systemd[1]: Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket (/dev/log).
[    3.402765] systemd[1]: Listening on Journal Socket.
[  OK  ] Listening on Journal Socket.
[    3.421967] systemd[1]: Listening on Network Service Netlink Socket.
[  OK  ] Listening on Network Service Netlink Socket.
[    3.447923] systemd[1]: Listening on udev Control Socket.
[  OK  ] Listening on udev Control Socket.
[    3.469692] systemd[1]: Listening on udev Kernel Socket.
[  OK  ] Listening on udev Kernel Socket.
[    3.497585] systemd[1]: Mounting Huge Pages File System...
        Mounting Huge Pages File System...
[    3.521067] systemd[1]: Mounting POSIX Message Queue File System...
        Mounting POSIX Message Queue File System...
[    3.549444] systemd[1]: Mounting Kernel Debug File System...
        Mounting Kernel Debug File System...
[    3.574370] systemd[1]: Mounting Temporary Directory (/tmp)...
        Mounting Temporary Directory (/tmp)...
[    3.598671] systemd[1]: Starting Create list of static device nodes for the current kernel...
        Starting Create list of st…odes for the current kernel...
[    3.629139] systemd[1]: Starting Start psplash boot splash screen...
        Starting Start psplash boot splash screen...
[    3.657433] systemd[1]: Starting RPC Bind...
        Starting RPC Bind...
[    3.676514] systemd[1]: Starting SELinux autorelabel service loading...
        Starting SELinux autorelabel service loading...
[    3.701187] systemd[1]: Starting SELinux init for /dev service loading...
        Starting SELinux init for /dev service loading...
[    3.728480] systemd[1]: Starting File System Check on Root Device...
        Starting File System Check on Root Device...
[    3.753988] systemd[1]: Starting Journal Service...
        Starting Journal Service...
[    3.761266] systemd[1]: Condition check resulted in Load Kernel Modules being skipped.
[    3.770534] systemd[1]: Condition check resulted in FUSE Control File System being skipped.
[    3.784068] systemd[1]: Mounting Kernel Configuration File System...
        Mounting Kernel Configuration File System...
[    3.808753] systemd[1]: Starting Apply Kernel Variables...
        Starting Apply Kernel Variables...
[    3.832946] systemd[1]: Starting udev Coldplug all Devices...
        Starting udev Coldplug all Devices...
[    3.861756] systemd[1]: Started RPC Bind.
[  OK  ] Started RPC Bind.
[    3.886210] audit: type=1130 audit(1621278992.448:4): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=rpcbind comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    3.886241] systemd[1]: Started Journal Service.
[  OK  ] Started Journal Service.
[    3.930060] audit: type=1130 audit(1621278992.492:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-journald comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Mounted Huge Pages File System.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Kernel Debug File System.
[  OK  ] Mounted Temporary Directory (/tmp).
[  OK  ] Started Create list of sta… nodes for the current kernel.
[    4.037555] audit: type=1130 audit(1621278992.600:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=kmod-static-nodes comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[FAILED] Failed to start Start psplash boot splash screen.
See 'systemctl status psplash-start.service' for details.
[DEPEND] Dependency failed for Star…progress communication helper.
[    4.110569] audit: type=1130 audit(1621278992.672:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=psplash-start comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
[  OK  ] Started SELinux autorelabel service loading.
[    4.145488] audit: type=1130 audit(1621278992.708:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=selinux-autorelabel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    4.167276] audit: type=1131 audit(1621278992.708:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=selinux-autorelabel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Started SELinux init for /dev service loading.
[    4.205515] audit: type=1130 audit(1621278992.768:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=selinux-labeldev comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Started File System Check on Root Device.
[  OK  ] Mounted Kernel Configuration File System.
[  OK  ] Started Apply Kernel Variables.
        Starting Remount Root and Kernel File Systems...
[    4.302025] EXT4-fs (mmcblk2p2): re-mounted. Opts: (null)
[  OK  ] Started Remount Root and Kernel File Systems.
        Starting Flush Journal to Persistent Storage...
[    4.346937] systemd-journald[288]: Received client request to flush runtime journal.
        Starting Create Static Device Nodes in /dev...
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Started Create Static Device Nodes in /dev.
[  OK  ] Reached target Local File Systems (Pre).
        Mounting /var/volatile...
        Starting udev Kernel Device Manager...
[  OK  ] Mounted /var/volatile.
[  OK  ] Started udev Coldplug all Devices.
        Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems.
        Starting SELinux init service loading...
        Starting Create Volatile Files and Directories...
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started SELinux init service loading.
        Starting Network Service...
[  OK  ] Started Create Volatile Files and Directories.
        Starting Network Time Synchronization...
        Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Network Service.
        Starting Network Name Resolution...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Initialization.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target System Time Set.
[  OK  ] Reached target System Time Synchronized.
[  OK  ] Reached target Timers.
[  OK  ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
[  OK  ] Started Kernel Logging Service.
[  OK  ] Started System Logging Service.
[  OK  ] Started D-Bus System Message Bus.
        Starting Login Service...
[  OK  ] Started Network Name Resolution.
[    5.194342] Generic PHY fixed-0:00: attached PHY driver [Generic PHY] (mii_bus:phy_addr=fixed-0:00, irq=POLL)
[    5.205098] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control off
[    5.225428] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  OK  ] Reached target Network.
[  OK  ] Reached target Host and Network Name Lookups.
        Starting Avahi mDNS/DNS-SD Stack...
        Starting Permit User Sessions...
[  OK  ] Started Permit User Sessions.
[    5.418209] kauditd_printk_skb: 20 callbacks suppressed
[    5.418216] audit: type=1130 audit(1621278993.980:31): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-user-sessions comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Started Login Service.
[    5.477678] audit: type=1130 audit(1621278994.040:32): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-logind comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Started Avahi mDNS/DNS-SD Stack.
[    5.517984] audit: type=1130 audit(1621278994.080:33): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=avahi-daemon comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Started Getty on tty1.
[    5.558400] audit: type=1130 audit(1621278994.120:34): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=getty@tty1 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Started Serial Getty on ttymxc1.
[    5.598228] audit: type=1130 audit(1621278994.160:35): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=serial-getty@ttymxc1 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
        Starting Update UTMP about System Runlevel Changes...
[    5.682230] audit: type=1107 audit(1621278994.244:36): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/graphical.target" cmdline="" scontext=1
[    5.682230]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[    5.720334] audit: type=1129 audit(1621278994.244:37): pid=359 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='old-level=N new-level=3 comm="systemd-update-utmp" exe="/lib/systemd/systemd-update-utmp" hostname=? addr=? term'
[  OK  ] Started Update UTMP about System Runlevel Changes.
[    5.762053] audit: type=1130 audit(1621278994.324:38): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=succe'
[    5.784757] audit: type=1131 audit(1621278994.324:39): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=succe'
        Starting Hostname Service...
[  OK  ] Started Hostname Service.
[    8.533683] audit: type=1130 audit(1621278997.096:40): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   10.816995] random: crng init done
[   10.820400] random: 7 urandom warning(s) missed due to ratelimiting
[   10.835345] audit: type=1130 audit(1621278999.396:41): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-random-seed comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Poky (Yocto Project Reference Distro) 3.1.7 imx8mmevk ttymxc1

imx8mmevk login: [   33.841713] WLAN_EN: disabling
[   33.844776] VSD_3V3: disabling
[   38.535696] audit: type=1131 audit(1621279026.463:42): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   62.514167] cfg80211: failed to load regulatory.db
[   62.514409] imx-sdma 302c0000.dma-controller: external firmware not found, using ROM firmware
[   62.517520] imx-sdma 302b0000.dma-controller: external firmware not found, using ROM firmware
[   62.538156] imx-sdma 30bd0000.dma-controller: loaded firmware 4.5

imx8mmevk login: root
[   80.318463] audit: type=1107 audit(1621279068.247:43): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline="/lib/systemd/sy1
[   80.318463]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[   80.358706] audit: type=1107 audit(1621279068.267:44): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/session-c1.scope" cmdline="/lib/syst1
[   80.358706]  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[   80.399667] audit: type=1130 audit(1621279068.291:45): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=user-runtime-dir@0 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   80.431254] audit: type=1006 audit(1621279068.359:46): pid=377 uid=0 subj=system_u:system_r:kernel_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
[   80.446730] audit: type=1400 audit(1621279068.363:47): avc:  denied  { transition } for  pid=377 comm="(systemd)" path="/lib/systemd/systemd" dev="mmcblk2p2" ino=1477 scontext=system_u:system_r:kernel_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=proc1
[   80.470544] audit: type=1400 audit(1621279068.363:47): avc:  denied  { entrypoint } for  pid=377 comm="(systemd)" path="/lib/systemd/systemd" dev="mmcblk2p2" ino=1477 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=f1
[   80.494335] audit: type=1400 audit(1621279068.363:47): avc:  denied  { use } for  pid=377 comm="systemd" path="/dev/null" dev="devtmpfs" ino=3079 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd permissive=1
[   80.515865] audit: type=1400 audit(1621279068.363:47): avc:  denied  { read write } for  pid=377 comm="systemd" path="socket:[9797]" dev="sockfs" ino=9797 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_sock1
[   80.539544] audit: type=1400 audit(1621279068.363:47): avc:  denied  { execute } for  pid=377 comm="systemd" path="/lib/systemd/systemd" dev="mmcblk2p2" ino=1477 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file p1
[   80.562865] audit: type=1400 audit(1621279068.379:48): avc:  denied  { ioctl } for  pid=377 comm="systemd" path="socket:[9797]" dev="sockfs" ino=9797 ioctlcmd=0x5401 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_1
~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      31
~ #