Hi Yair,

On 11/14/19 2:06 AM, Yair Itzhaki wrote:

Hi ,

I'm using Poky (Warrior), with busybox (aiming at a lightweight system).

Recently, added SELinux to my project (by adding "packagegroup-core-selinux" to my local.conf, with mls policy).

Booted with "selinux=1 enforcing=0".

The auto-relabeling reported an error, since the root is mounted RO.

So, patched the selinux-autorelabel script to mount "/" RW before relabeling.

Booted again.

This time, selinux-init had the same issue ( / mounted RO).

Patched this one as well, but the system keeps rebooting:

It seems that the init process keeps its kernel_t context, which forces re-labeling, reboot and so on… (per the selinux-init script)

Q1: Is SELinux+busybox a valid combination, or should I switch to systemd?

SELinux+busybox should work. But there are some security label issues with busybox.

I attached a fix. You can try it.


Q2: Which context should the init process end up as?

This is because /sbin/init.sysvinit doesn't set the correct label. Please also see the attachment. I will send the formal patch later.


BTW – the build of "core-image-selinux" fails, with the following error

Copying files into the device: set_inode_xattr: No data available while reading attribute "security.selinux" of "network"

I didn't encounter this issue. Please make sure the setting DISTRO_FEATURES_append = " acl xattr pam selinux" is in your conf/local.conf


//Yi


Any idea?

Thanks,

Yair


diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 04fca3c..c720871 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -44,7 +44,7 @@
 
 # busybox aliases
 # quickly match up the busybox built-in tree to the base filesystem tree
-/usr/lib/busybox/bin /bin
-/usr/lib/busybox/sbin /sbin
+/usr/lib/busybox/bin /usr/bin
+/usr/lib/busybox/sbin /usr/sbin
 /usr/lib/busybox/usr /usr
 
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index 116ea64..d688249 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -4,6 +4,7 @@
 /run/agetty\.reload	--	gen_context(system_u:object_r:getty_runtime_t,s0)
 
 /usr/bin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
+/usr/bin/start_getty   --  gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
 
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 11a6ce9..3c063b1 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
 
View/Reply Online (#47375): https://lists.yoctoproject.org/g/yocto/message/47375