How to enable SELinux in PetaLinux

justinlh (Explorer, registered 02-18-2014)

Petalinux Version: 2016.3

Zynq-7000

I've enabled SELinux via the petalinux-config -c kernel command, which added the following configuration changes:

#
# Security options
#
# CONFIG_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_LSM_MMAP_MIN_ADDR=32768
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_CRYPTO=y

Everything in the project builds just fine; however, when I boot the unit, there doesn't appear to be any SELinux present or enabled. I've found a lot of SELinux stuff in the PetaLinux repo, but none of it appears to be incorporated in my project.

10 Replies
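The kernel options quoted in the question decide three separate things: whether SELinux exists in the kernel at all, how it starts (enabled, and whether init may switch it off again), and whether the root filesystem can store labels. The script below is an added example, not code from the thread or from Xilinx. It audits a kernel .config for those points using the upstream Kconfig symbol names; the sample .config it builds is a constructed fragment modelled on the options in the question, with an ext4 rootfs lacking security xattrs added to show the label-storage warning.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xilinx: audit a kernel
# .config for the SELinux-related options and say what each means at boot.
# Needs only POSIX sh, grep, sed and mktemp.

kcfg_get() {
    # $1 = .config path, $2 = CONFIG_ symbol.
    # Prints y/m/the value, "n" for "# SYMBOL is not set", nothing if absent.
    if grep -q "^# $2 is not set\$" "$1"; then
        printf 'n\n'
    else
        sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
    fi
}

kcfg_audit() {
    # $1 = .config path. Prints FAIL/WARN/INFO lines; returns 1 if an option
    # SELinux cannot work without is missing, 0 otherwise.
    f=$1
    rc=0
    for sym in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX; do
        if [ "$(kcfg_get "$f" "$sym")" != y ]; then
            printf 'FAIL %s must be y\n' "$sym"
            rc=1
        fi
    done
    # The default LSM: pre-5.1 kernels use CONFIG_DEFAULT_SECURITY, 5.1+ the
    # ordered CONFIG_LSM list. One of them has to name selinux.
    case "$(kcfg_get "$f" CONFIG_DEFAULT_SECURITY),$(kcfg_get "$f" CONFIG_LSM)" in
        *selinux*) ;;
        *) printf 'FAIL neither CONFIG_DEFAULT_SECURITY nor CONFIG_LSM selects selinux\n'; rc=1 ;;
    esac
    # How SELinux starts, and whether init can switch it off again.
    bp=$(kcfg_get "$f" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)
    case "$bp" in
        ""|1) printf 'INFO SELinux starts enabled unless the kernel command line says selinux=0\n' ;;
        *) printf 'WARN CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=%s: SELinux starts disabled unless selinux=1 is on the kernel command line\n' "$bp" ;;
    esac
    if [ "$(kcfg_get "$f" CONFIG_SECURITY_SELINUX_DISABLE)" = y ]; then
        printf 'INFO CONFIG_SECURITY_SELINUX_DISABLE=y: init can turn SELinux off by writing to /sys/fs/selinux/disable (e.g. when /etc/selinux/config says SELINUX=disabled)\n'
    fi
    # Labels are stored as security.selinux xattrs, so the filesystem that
    # holds the rootfs must support security xattrs.
    for pair in CONFIG_EXT4_FS:CONFIG_EXT4_FS_SECURITY \
                CONFIG_TMPFS:CONFIG_TMPFS_XATTR \
                CONFIG_JFFS2_FS:CONFIG_JFFS2_FS_SECURITY \
                CONFIG_UBIFS_FS:CONFIG_UBIFS_FS_SECURITY; do
        fs=${pair%%:*}
        opt=${pair#*:}
        if [ "$(kcfg_get "$f" "$fs")" = y ] && [ "$(kcfg_get "$f" "$opt")" != y ]; then
            printf 'WARN %s=y but %s is not y: files there cannot carry SELinux labels\n' "$fs" "$opt"
        fi
    done
    return $rc
}

sample_kconfig() {
    # Constructed .config fragment modelled on the options quoted in the
    # question, plus an ext4 rootfs without security xattrs to trigger the
    # label warning. Writes a temp file and prints its path.
    t=$(mktemp)
    cat >"$t" <<'EOF'
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_EXT4_FS=y
# CONFIG_EXT4_FS_SECURITY is not set
EOF
    printf '%s\n' "$t"
}

# Stand-alone use: sh kconfig-audit.sh path/to/.config
if [ -n "${1:-}" ]; then
    kcfg_audit "$1"
fi
```

Run it against the .config that petalinux-config -c kernel produced. A clean audit is necessary but not sufficient: with these options the kernel boots with SELinux enabled and no policy, and it only starts enforcing after init loads one.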
justinlh (Explorer, registered 02-18-2014)

In case it might help, I've attached the build.log indicating that SELinux was incorporated. I've also found the following under the PetaLinux security documentation for SELinux:

If you want to use SELinux, chances are you will want
to use the distro-provided policies, or install the
latest reference policy release from
        http://oss.tresys.com/projects/refpolicy

However, if you want to install a dummy policy for
testing, you can do using 'mdp' provided under
scripts/selinux.  Note that this requires the selinux
userspace to be installed - in particular you will
need checkpolicy to compile a kernel, and setfiles and
fixfiles to label the filesystem.

        1. Compile the kernel with selinux enabled.
        2. Type 'make' to compile mdp.
        3. Make sure that you are not running with
           SELinux enabled and a real policy.  If
           you are, reboot with selinux disabled
           before continuing.
        4. Run install_policy.sh:
                cd scripts/selinux
                sh install_policy.sh

Step 4 will create a new dummy policy valid for your
kernel, with a single selinux user, role, and type.
It will compile the policy, will set your SELINUXTYPE to
dummy in /etc/selinux/config, install the compiled policy
as 'dummy', and relabel your filesystem.

However, I'm not sure what context it's referring to for most of these instructions. Do I run make on my host machine? Target machine? How do I incorporate a compiled policy while also incorporating the /etc/selinux directory? None of which is appearing in my current build at run time.

justinlh (Explorer, registered 02-18-2014)

I've got a 2019.1 PetaLinux build building now as well, thinking that maybe the SELinux process would be more streamlined than in 2016.3; however, it gives me the same end results. Anyone got ideas or some documentation to send my way for incorporating SELinux into a PetaLinux build?

justinlh (Explorer, registered 02-18-2014)

So additional progress keeps being made; for the sake of recording how to solve this problem, I'll keep documenting lessons learned.

So to incorporate SELinux, I've not only enabled it in the kernel (above posts), but I've also had to include a new meta-layer for SELinux. (Found here: https://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/)

I then copied meta-selinux to <proj_root>/project-spec/meta-selinux (following UG1144 page 82). I then added the layer to the bblayers.conf file by running petalinux-config → Yocto Settings → User Layers and entering the command ${proot}/project-spec/meta-mylayer.

Then I manually added a few lines to the local.conf file found at <proj_root>/build/conf/local.conf:

DISTRO_FEATURES_append = " acl xattr pam selinux"

PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-targeted"

The current bugs that I'm working against are the following:

When I include only selinux (DISTRO_FEATURES_append = "selinux"), everything builds just fine. However, when I simulate my kernel (petalinux-boot --qemu --kernel), SELinux is successfully in the rootfs (/etc/selinux) with the traditional SELinux command support (sestatus, getenforce, etc.); however, SELinux is disabled and refuses to be enabled.

I wanted to include acl, xattr, and pam in my DISTRO_FEATURES_append; however, when I do I get build failures of the following: ERROR: glib-2.0-native-1_2.58.0-r0 do_configure: configure failed. Looking at the build log, the root cause of that problem is: | configure: error: unrecognized option: `-Dselinux=false'. So I'm working to figure out how to solve the unrecognized option failure.

Another warning that I get on all builds, regardless of my DISTRO_FEATURES_append settings, is: WARNING: No recipes available for:
/home/force/petalinux_builds/xilinx-zc702-2019.1/project-spec/meta-selinux/recipes-kernel/linux/linux-yocto_5.%.bbappend.
I don't know if this is causing me any real problems or not, but it's something I'm looking into.

A problem that i'm also going to have to solve down the road is how to label the filesystem prior to booting, which still requires investigation.

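The symptom described in this post (sestatus and getenforce present in the rootfs, yet SELinux "disabled and refuses to be enabled") is what libselinux reports when selinuxfs is not mounted, and libselinux versions of that era report the same when the calling process still carries the initial "kernel" context, i.e. the kernel has SELinux but nothing has loaded a policy yet. The script below is an added example, not code from the thread, from meta-selinux or from Xilinx. It tells those states apart, reads /etc/selinux/config the way an init that honours it does, and, for the labelling problem raised at the end of the post, relabels a staged rootfs on the build host. Every input is a parameter so the logic runs offline; the config file it builds is constructed. The relabel helper assumes setfiles from the SELinux userspace is installed on the host (the kernel documentation quoted earlier lists it as a requirement) and that the staged rootfs contains its policy's file_contexts; that helper is not exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread, meta-selinux or Xilinx: separate
# "SELinux is off in this kernel" from "SELinux is on but no policy was
# loaded" (the getenforce/sestatus symptom in the post), read
# /etc/selinux/config, and relabel a staged rootfs on the build host.
# Needs POSIX sh, sed, mktemp and, for relabelling only, setfiles.

selinux_diagnose() {
    # $1 = selinuxfs mount point (default /sys/fs/selinux)
    # $2 = context of the calling process (default /proc/self/attr/current)
    # Prints one line beginning with off:/no-policy:/permissive:/enforcing:.
    fs=${1:-/sys/fs/selinux}
    if [ -n "${2:-}" ]; then
        ctx=$2
    elif [ -r /proc/self/attr/current ]; then
        ctx=$(tr -d '\000' </proc/self/attr/current)
    else
        ctx=unknown
    fi
    if [ ! -f "$fs/enforce" ]; then
        printf 'off: no selinuxfs at %s (kernel built without SELinux, selinux=0 on the command line, or disabled at runtime via %s/disable)\n' "$fs" "$fs"
        return 1
    fi
    # Before any policy is loaded every task still has the initial "kernel"
    # SID; libselinux of that era reports this as "SELinux disabled".
    if [ "$ctx" = kernel ]; then
        printf 'no-policy: SELinux is enabled but no policy is loaded; init has to write one to %s/load (load_policy) before getenforce/sestatus report it as enabled\n' "$fs"
        return 2
    fi
    case "$(cat "$fs/enforce")" in
        1) printf 'enforcing: policy loaded, context %s\n' "$ctx" ;;
        *) printf 'permissive: policy loaded, denials only logged, context %s\n' "$ctx" ;;
    esac
}

selinux_config_get() {
    # $1 = SELINUX or SELINUXTYPE, $2 = path to /etc/selinux/config.
    # Anchored at line start, so commented-out lines are ignored.
    sed -n "s/^[[:space:]]*$1=[[:space:]]*//p" "$2" | head -n 1
}

sample_selinux_config() {
    # Constructed /etc/selinux/config for offline use; prints its path.
    t=$(mktemp)
    cat >"$t" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX=enforcing
SELINUX=permissive
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$t"
}

relabel_rootfs() {
    # $1 = staged rootfs directory on the build host, $2 = policy type
    # (default: SELINUXTYPE from $1/etc/selinux/config).
    # Labels the tree with its own policy's file_contexts; -r makes setfiles
    # treat $1 as / when matching paths. Needs root and a host filesystem
    # with xattr support. A cpio initramfs cannot carry the resulting
    # xattrs, so an initramfs root must be relabelled at boot after
    # load_policy instead.
    root=$1
    ptype=${2:-}
    if [ -z "$ptype" ]; then
        ptype=$(selinux_config_get SELINUXTYPE "$root/etc/selinux/config" 2>/dev/null)
    fi
    fc="$root/etc/selinux/$ptype/contexts/files/file_contexts"
    if [ ! -f "$fc" ]; then
        printf 'no file_contexts at %s\n' "$fc" >&2
        return 1
    fi
    setfiles -r "$root" "$fc" "$root"
}

# Stand-alone use on the target: sh selinux-state.sh --live
if [ "${1:-}" = --live ]; then
    selinux_diagnose
    printf 'config: SELINUX=%s SELINUXTYPE=%s\n' \
        "$(selinux_config_get SELINUX /etc/selinux/config)" \
        "$(selinux_config_get SELINUXTYPE /etc/selinux/config)"
fi
```

If the target reports no-policy, the build has the kernel half but not the userspace half: something in the boot sequence has to load the policy (load_policy or an init that does it) and then restore labels. If it reports off while the kernel audit passed, check the kernel command line in the U-Boot boot arguments for selinux=0 and /etc/selinux/config for SELINUX=disabled, since CONFIG_SECURITY_SELINUX_DISABLE=y lets init act on that line.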
stephenm (Moderator, registered 09-12-2007)

Hey, I have tried this on my end and am seeing the same as you. I will post my findings here.

justinlh (Explorer, registered 02-18-2014)

Thanks for looking into this with me.

I haven't been able to make much progress since my last post. I've double-checked the revision of glib that I'm using, and git claims to have supported SELinux since revision 2.16 (https://github.com/GNOME/glib), and it appears that the glib that comes with 2019.1 PetaLinux is the latest (2.58), so I'm not sure what the conflict could be here.

amarillas (Visitor, registered 07-25-2019)

Thanks for posting this. I too am having a similar issue. So I tried this with the Yocto settings, but when I exit out of the configuration tool I get:
ERROR: Unable to start bitbake server
ERROR: Last 10 lines of server log for this session (/PetalinuxProject/build/bitbake-cookerdaemon.log):
ERROR: Layer selinux is not compatible with the core layer which only supports these series: rocko (layer is compatible with warrior thud)

Maybe I am doing something incorrectly. But I too would like to know how to correctly enable SELinux in PetaLinux.

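The error quoted in this post is bitbake's LAYERSERIES_COMPAT check: a layer's conf/layer.conf lists the release series it supports in LAYERSERIES_COMPAT_<collection>, the core layer names its own series in LAYERSERIES_CORENAMES, and bitbake refuses to start when the two sets do not intersect. The script below is an added example (mine, not bitbake's, the thread's or Xilinx's) that reproduces the check offline so the right meta-selinux branch can be chosen before the layer is added; the two layer.conf fragments it builds are constructed to show the mismatch in the post. It assumes only POSIX sh, sed and mktemp.

```shell
#!/bin/sh
# Added example, not code from the thread, bitbake or Xilinx: reproduce
# bitbake's LAYERSERIES_COMPAT check offline.

layer_conf_value() {
    # $1 = layer.conf path, $2 = variable-name prefix.
    # Prints the quoted value of the first assignment whose name starts
    # with $2 (handles =, ?=, ??=, += and := forms).
    sed -n "s/^$2[A-Za-z0-9_-]*[[:space:]]*[?+:.]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

layer_series_compat() {
    # Series a layer declares itself compatible with.
    layer_conf_value "$1" LAYERSERIES_COMPAT_
}

core_series() {
    # Series the core layer provides (poky's meta in a plain Yocto build,
    # or whichever layer sets LAYERSERIES_CORENAMES in the PetaLinux tree).
    layer_conf_value "$1" LAYERSERIES_CORENAMES
}

layer_compatible() {
    # $1 = the added layer's layer.conf, $2 = the core layer's layer.conf.
    # Returns 0 when they share a series; otherwise prints the mismatch in
    # the same terms as bitbake's error and returns 1.
    want=$(core_series "$2")
    have=$(layer_series_compat "$1")
    for c in $want; do
        for h in $have; do
            if [ "$c" = "$h" ]; then
                return 0
            fi
        done
    done
    printf 'layer is compatible with [%s] but the core layer only supports [%s]: check out the layer branch named after a series the core supports\n' "$have" "$want"
    return 1
}

sample_layer_confs() {
    # Constructed layer.conf fragments: a meta-selinux checkout declaring
    # thud/warrior and a core layer declaring rocko, the mismatch quoted in
    # the post. Prints the two paths, layer first.
    d=$(mktemp -d)
    cat >"$d/selinux.conf" <<'EOF'
BBFILE_COLLECTIONS += "selinux"
LAYERSERIES_COMPAT_selinux = "thud warrior"
EOF
    cat >"$d/core.conf" <<'EOF'
BBFILE_COLLECTIONS += "core"
LAYERSERIES_CORENAMES = "rocko"
EOF
    printf '%s/selinux.conf %s/core.conf\n' "$d" "$d"
}

# Stand-alone use: sh layer-compat.sh meta-selinux/conf/layer.conf core/conf/layer.conf
if [ $# -eq 2 ]; then
    layer_compatible "$1" "$2"
fi
```

The fix the error points at is to check out the meta-selinux branch that declares the series the core layer supports (the series named after "only supports these series" in the message) rather than a newer one; the check above passes once the layer's LAYERSERIES_COMPAT line lists that series.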
shabbirk (Moderator, registered 12-04-2016)

Hi

SELinux is not supported by Xilinx and has never been tested on Xilinx devices.

Best Regards

Shabbir

amarillas (Visitor, registered 07-25-2019)

Thank you for the reply. Is there a reason why it is an option in the Petalinux configuration setup? Is there planned support for it?

shabbirk (Moderator, registered 12-04-2016)

Hi @amarillas 

It's just a kernel-generic config option for SELinux. As you can see, it is disabled in PetaLinux.

Rich (registered 08-06-2018)

Hi shabbirk,

I was searching for support of SELinux in petalinux and found this thread.

Could you please expand on your answer as to why SELinux is not supported?  Is there a more official discussion that you can link to?  Does Xilinx consider SELinux ineffective or obsolete?  Does Xilinx have a whitepaper outlining secure software development for Petalinux that it does endorse in lieu of SELinux?

-Rich
