Linux: Beaglebone (AM335x) Enabling SELINUX

Tool/software: Linux

Hi, I am currently attempting to enable SELINUX within a kernel built by the TI SDK version 1. I have gone through and enabled the SELINUX flags within the .config file.

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y

However, when I copy that zImage to the root FS and boot up the system, I see no mention of SELINUX within any of the logs and all of the selinux binaries do not exist. My gut is telling me that I need to enable SELINUX through boot arguments and also set up the file system for SELINUX (config files and such).

If anyone has any input on this subject I'd be grateful.

  • Hi Justin,

    We have info regarding SELINUX in the Linux kernel documentation. For example, in the latest AM335x TI PSDK 3.2, this is located in:

    linux-4.4.32/Documentation/security/SELinux.txt
    linux-4.4.32/Documentation/security/keys.txt
    linux-4.4.32/Documentation/kernel-parameters.txt

    Regards,
    Pavel
  • Is SELinux enabled on my system?

    To find out if SELinux is enabled on your system you can run sestatus. If the SELinux status says enforcing, you are being protected by SELinux. If it says permissive, SELinux is enabled but is not protecting you, and disabled means it is completely disabled.

    How do I know if SELinux is on?

    If you use Red Hat Enterprise Linux or Fedora it is enabled by default. To see whether it is actively enforcing the policy you can run getenforce:

    [root@localhost ~]# getenforce
    Enforcing

    If it says Enforcing (as above), your system is being protected by SELinux. If it says Permissive, SELinux is enabled but is only logging failed accesses, not denying them. If it says Disabled, then SELinux is not enabled on your system.


    selinuxproject.org/.../FAQ
    selinuxproject.org/.../NewUsers
  • Thanks for the reply. I am currently building the kernel with the TI SDK (essentially Yocto). I enable the compiler flags for the kernel to support selinux, but the filesystem that is installed as part of the TI SDK does not contain any selinux binaries. Is there a way to install the selinux binaries via opkg? I also see no mention of selinux in any of the boot log messages (dmesg) or /var/log/message. Are there other steps that I need to perform than just enabling selinux support in the kernel build process?

  • Justin Loundagin said:
    but the filesystem that is installed as part of the TI SDK does not contain any selinux binaries.

    Do you mean ti-processor-sdk-linux-am335x-evm-03.02.00.05/filesystem/tisdk-rootfs-image-am335x-evm ?

  • To explain further, I have set the compiler flags, shown in post 1, to 'y' when building the kernel. I see in the compilation process that selinux.o is successfully built along with everything else in the kernel; however, when I boot the newly built kernel, I see no sign of selinux. I don't even have the -Z option for 'ls'.

    What I think is happening is that the TI sdk provides a standard filesystem that does not have any selinux support, however I am able to run the kernel which supports selinux.

    Am I able to simply install a different filesystem which supports selinux on my sdcard along with my TI Arago kernel?

  • You can re-build the filesystem, thus adding additional packages in it. See the below links for details:

    processors.wiki.ti.com/.../Processor_SDK_Building_The_SDK
    www.ti.com/.../spry230.pdf

    Regards,
    Pavel
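
A triage script for the situation in this thread (a kernel built with the SELinux options, booted on a root filesystem with no SELinux tools such as sestatus or getenforce), added here as an example and not posted by any participant. It separates "the kernel never initialised SELinux" from "the kernel did, but userspace never mounted selinuxfs or loaded a policy"; the function names and the script name are made up, and the live report assumes the config values from the first post (BOOTPARAM_VALUE=1, SELinux as the default LSM).

```shell
#!/bin/sh
# Added example (not from the thread): classify why SELinux looks absent.
# Inputs are file paths or strings, so it also works on saved copies.

# kconfig_lsm CONFIG_FILE -> "selinux-default" | "selinux-built" | "missing"
kconfig_lsm() {
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$1" || { echo missing; return 0; }
    if grep -q '^CONFIG_DEFAULT_SECURITY_SELINUX=y' "$1"; then
        echo selinux-default
    else
        echo selinux-built      # needs security=selinux on the command line
    fi
}

# cmdline_selinux "CMDLINE" BOOTPARAM_VALUE DEFAULT_LSM -> "on" | "off"
# Applies the selinux= and security= boot parameters documented in
# Documentation/kernel-parameters.txt on top of the build-time defaults.
cmdline_selinux() {
    enabled=$2 lsm=$3
    for arg in $1; do
        case $arg in
            selinux=0|selinux=1) enabled=${arg#selinux=} ;;
            security=*)          lsm=${arg#security=} ;;
        esac
    done
    if [ "$enabled" = 1 ] && [ "$lsm" = selinux ]; then echo on; else echo off; fi
}

# runtime_selinux FILESYSTEMS MOUNTS -> "kernel-off" | "no-policy-loader" | "mounted"
# selinuxfs is registered only when the kernel initialised SELinux; it is
# mounted only when userspace (init plus a policy) did its part.
runtime_selinux() {
    fs=${1:-/proc/filesystems} mounts=${2:-/proc/mounts}
    grep -qw selinuxfs "$fs" || { echo kernel-off; return 0; }
    if grep -q ' selinuxfs ' "$mounts"; then echo mounted; else echo no-policy-loader; fi
}

# On the target: sh selinux-triage.sh --report [path/to/.config]
# Assumption: BOOTPARAM_VALUE=1 and default LSM selinux, as in the first post.
if [ "${1:-}" = "--report" ]; then
    echo "runtime: $(runtime_selinux)"
    echo "cmdline: $(cmdline_selinux "$(cat /proc/cmdline)" 1 selinux)"
    if [ -n "${2:-}" ]; then echo "kconfig: $(kconfig_lsm "$2")"; fi
fi
```

A result of `no-policy-loader` matches what the thread describes: the kernel side is active, and the missing piece is a root filesystem that ships the SELinux userspace and a policy.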