Hi Yair,
On 11/14/19 2:06 AM, Yair Itzhaki wrote:
> Hi,
> I'm using Poky (Warrior), with busybox (aiming at a lightweight system).
> Recently, added SELinux to my project (by adding
> "packagegroup-core-selinux" to my local.conf, with mls policy).
> Booted with "selinux=1 enforcing=0".
> The auto-relabeling reported an error, since the root is mounted RO.
> So, patched selinux-autorelabel script to mount "/" RW before relabeling.
> Booted again.
> This time, selinux-init had the same issue ( / mounted RO).
> Patched this one as well, but the system keeps rebooting:
> It seems that the init process keeps its kernel_t context, which
> forces re-labeling, reboot and so on... (per the selinux-init script)
> Q1: Is SELinux+busybox a valid combination, or should I switch to systemd?
SELinux+busybox should work. But there are some security label issues
with busybox.
I attached a fix. You can try it.
> Q2: Which context should the init process end up as?
This is because /sbin/init.sysvinit doesn't set the correct label.
Please also see the attachment. I will send the formal patch later.
> BTW - the build of "core-image-selinux" fails, with the following error
> Copying files into the device: set_inode_xattr: No data available
> while reading attribute "security.selinux" of "network"
I didn't encounter this issue. Please make sure the setting
DISTRO_FEATURES_append = " acl xattr pam selinux" is in your conf/local.conf
//Yi
> Any idea?
> Thanks,
> Yair
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 04fca3c..c720871 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -44,7 +44,7 @@
# busybox aliases
# quickly match up the busybox built-in tree to the base filesystem tree
-/usr/lib/busybox/bin /bin
-/usr/lib/busybox/sbin /sbin
+/usr/lib/busybox/bin /usr/bin
+/usr/lib/busybox/sbin /usr/sbin
/usr/lib/busybox/usr /usr
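Review bot: the hunk gives no reason for moving the busybox aliases from /bin and /sbin to /usr/bin and /usr/sbin. A subs_dist line only rewrites a path prefix before the file_contexts regexes are consulted, so this change helps only when the policy entries that should apply are keyed on /usr/bin and /usr/sbin (as the getty.fc and init.fc entries in this same patch are) and anything still installed under /bin or /sbin is handled by some other substitution. Suggest a one-line comment beside the aliases stating the usrmerge layout this assumes, and checking the result with `matchpathcon` on a path under /usr/lib/busybox/sbin after the policy is rebuilt.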
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index 116ea64..d688249 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -4,6 +4,7 @@
/run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0)
/usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
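Review bot: the new `/usr/bin/start_getty` entry depends on a literal path taking precedence over the `/usr/bin/.*getty` regex on the line above it; that is how libselinux orders entries, but it is worth confirming with `matchpathcon /usr/bin/start_getty` once the policy is rebuilt. A short comment saying that start_getty is a wrapper script rather than a getty binary, and therefore belongs in bin_t instead of getty_exec_t, would spare the next reader that check. The entry also covers only /usr/bin; if the script is installed as /bin/start_getty on a non-usrmerge image, it needs either a second line or a /bin to /usr/bin substitution to be effective.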
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 11a6ce9..3c063b1 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
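Review bot: `/usr/sbin/init\.sysvinit` is needed because the existing `/usr/sbin/init(ng)?` pattern matches only `init` and `initng`, which is why the alternatives target stayed unlabeled and init kept its kernel_t context as described in the thread; a tidier form is to fold it into that pattern, e.g. `/usr/sbin/init(ng|\.sysvinit)?`, so the two entries cannot drift apart. Note also that the thread refers to /sbin/init.sysvinit while this entry covers /usr/sbin, so it only takes effect if a /sbin to /usr/sbin substitution is in force; either state that in the commit message or add the /sbin entry as well. The symlink /sbin/init itself needs no entry here, since execve follows the link and the domain transition is decided by the target file's label.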
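As an added illustration of why the three hunks above change which label a path gets, here is a small Python model of file_contexts and file_contexts.subs_dist resolution. It is example code written for this page, not code from the thread, from Yocto, or from libselinux. Its precedence rule (a literal entry beats a regex entry, a longer literal prefix beats a shorter one, and the later line wins ties) is a simplification of libselinux's label_file ordering and is an assumption of the model; the sample entries are the patched getty.fc and init.fc lines with gen_context() expanded, and the two subs_dist samples are the busybox aliases before and after the patch. On a real image, `matchpathcon` and `restorecon -nv` remain the authoritative check.

```python
"""Simplified model of SELinux file_contexts + file_contexts.subs_dist lookup.

Added example, not libselinux.  Assumed rules: a subs_dist line rewrites a
leading path prefix before the file_contexts regexes are tried; among several
matching entries, a literal entry beats a regex, a longer literal prefix beats
a shorter one, and the later line wins ties.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

META_CHARS = set(".^$?*+|[({")

# Constructed sample: the getty.fc / init.fc entries from the patch, with the
# gen_context() macro expanded to a full MLS context.
FC_SAMPLE = r"""
/usr/bin/.*getty          --  system_u:object_r:getty_exec_t:s0
/usr/bin/start_getty      --  system_u:object_r:bin_t:s0
/usr/sbin/.*getty         --  system_u:object_r:getty_exec_t:s0
/usr/sbin/init(ng)?       --  system_u:object_r:init_exec_t:s0
/usr/sbin/init\.sysvinit  --  system_u:object_r:init_exec_t:s0
/usr/sbin/upstart         --  system_u:object_r:init_exec_t:s0
"""

# Constructed samples: the busybox aliases before and after the subs_dist hunk.
SUBS_OLD = "/usr/lib/busybox/bin /bin\n/usr/lib/busybox/sbin /sbin\n/usr/lib/busybox/usr /usr\n"
SUBS_NEW = "/usr/lib/busybox/bin /usr/bin\n/usr/lib/busybox/sbin /usr/sbin\n/usr/lib/busybox/usr /usr\n"


@dataclass
class Spec:
    regex_str: str
    ftype: str              # "--", "-d", "-l", ... or "" meaning any object type
    context: Optional[str]  # None for <<none>>
    order: int              # line position in the file; later wins ties


def literal_prefix(regex_str: str) -> Tuple[str, bool]:
    """Return (unescaped literal prefix, has_metachars).  A backslash-escaped
    character counts as literal, so an escaped dot does not make an entry a regex."""
    out, i, meta = [], 0, False
    while i < len(regex_str):
        c = regex_str[i]
        if c == "\\" and i + 1 < len(regex_str):
            out.append(regex_str[i + 1])
            i += 2
            continue
        if c in META_CHARS:
            meta = True
            break
        out.append(c)
        i += 1
    return "".join(out), meta


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse `regex [type] context` lines; blank lines and comments are skipped."""
    specs = []
    for n, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex_str, ftype, ctx = fields
        elif len(fields) == 2:
            (regex_str, ctx), ftype = fields, ""
        else:
            raise ValueError(f"bad file_contexts line {n + 1}: {line!r}")
        specs.append(Spec(regex_str, ftype, None if ctx == "<<none>>" else ctx, n))
    return specs


def apply_subs(path: str, subs_text: str) -> str:
    """Rewrite a leading directory from subs_dist; the first matching line wins."""
    for line in subs_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = (f.rstrip("/") for f in line.split())
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def specificity(spec: Spec) -> Tuple[bool, int, int]:
    """Higher tuple wins: literal over regex, longer prefix, later line."""
    prefix, meta = literal_prefix(spec.regex_str)
    return (not meta, len(prefix), spec.order)


def lookup(path: str, fc_text: str, subs_text: str = "", ftype: str = "--") -> Optional[str]:
    """Label that file_contexts assigns to `path` (an object of type `ftype`)."""
    path = apply_subs(path, subs_text)
    best = None
    for spec in parse_file_contexts(fc_text):
        if spec.ftype and spec.ftype != ftype:
            continue
        if re.fullmatch(spec.regex_str, path) is None:
            continue
        if best is None or specificity(spec) > specificity(best):
            best = spec
    return None if best is None else best.context


if __name__ == "__main__":
    for p in ("/usr/bin/agetty", "/usr/bin/start_getty", "/usr/sbin/init.sysvinit"):
        print(p, "->", lookup(p, FC_SAMPLE))
    busybox_init = "/usr/lib/busybox/sbin/init.sysvinit"
    print(busybox_init, "old subs ->", lookup(busybox_init, FC_SAMPLE, SUBS_OLD))
    print(busybox_init, "new subs ->", lookup(busybox_init, FC_SAMPLE, SUBS_NEW))
```

With the sample entries, `/usr/bin/start_getty` resolves to bin_t rather than getty_exec_t because the literal entry outranks the `.*getty` regex, `/usr/sbin/init.sysvinit` is only labeled at all because of the added init.fc line, and a busybox path under /usr/lib/busybox/sbin reaches those /usr/sbin entries only with the patched subs_dist; with the old /sbin alias it falls through to no match in this sample, which is the kind of gap that leaves init in kernel_t.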
View/Reply Online (#47375): https://lists.yoctoproject.org/g/yocto/message/47375