Hi guys,
I am porting SELinux from kernel 4.14 to 5.15. Everything works fine in kernel 4.14. I keep the same /etc/selinux/conf and kernel parameters to enable SELinux.
But the selinux_init() is not executed when kernel 5.15 boots because no "SELinux: Initializing" is seen in dmesg.
This selinux_init() is defined in http://tomoyo.osdn.jp/cgi-bin/lxr/source/security/selinux/hooks.c

DEFINE_LSM(selinux) = {
        .name = "selinux",
        .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
        .enabled = &selinux_enabled_boot,
        .blobs = &selinux_blob_sizes,
        .init = selinux_init,
};
My question is why the selinux_init() is not called when kernel 5.15 boots up?
---henry
On Sat, Aug 5, 2023 at 2:53 AM Henry Zhang henryzhang62@gmail.com wrote:
Hi Henry,
Can you share your kernel build config? If you don't know what it is or how to get it, then the next question would be: How did you obtain/build the kernel in question?
Ondrej,
Attached is my kernel configuration file.

~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
# minimum - Minimum Security protection.
# standard - Standard Security protection.
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
SELINUXTYPE=mcs

# sestatus
SELinux status: disabled

# getenforce
Disabled

# setenforce 1
setenforce: SELinux is disabled

# dmesg|grep SELi
[ 5.604171] systemd[1]: Starting SELinux init for /dev service loading...

# dmesg|grep SELI
[ 4.180494] systemd[1]: systemd 250.5+ running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP)

"SELinux: Initializing" is not seen in dmesg.
Please comment on what is missing?
On Sat, Aug 5, 2023 at 1:12 AM Ondrej Mosnacek omosnace@redhat.com wrote:
-- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
That is not a kernel config file. How are you building/installing the kernel? What Linux distribution (Fedora/CentOS/Ubuntu/...) is this on?
On Mon, Aug 7, 2023 at 6:29 PM Henry Zhang henryzhang62@gmail.com wrote:
Ondrej,
Thanks for your help! I am using Yocto embedded to compile. The kernel config file is copied from /proc/config.gz in my Linux device. The kernel function selinux_init() is not triggered when booting up.
---henry
On Tue, Aug 8, 2023 at 1:17 AM Ondrej Mosnacek omosnace@redhat.com wrote:
Oh, right, I completely overlooked the file attachment. Sorry!
It seems your CONFIG_LSM is not set correctly. It is missing "selinux" and the order seems wrong, but since you have most of the listed modules disabled, you can set it to just:
CONFIG_LSM="integrity,selinux"
Then the kernel should boot with SELinux enabled.
On Tue, Aug 8, 2023 at 4:26 PM Henry Zhang henryzhang62@gmail.com wrote:
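A mechanical version of the check Ondrej describes, added here as an example (written for this page, not code from the thread, the kernel tree or meta-selinux): it assumes a plain-text kernel config (a .config, or /proc/config.gz after zcat) and builds two constructed sample configs inline, one shaped like the broken one and one with the suggested CONFIG_LSM value.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel tree.
# Checks whether a plain-text kernel config will actually run selinux_init()
# at boot. Since the ordered LSM infrastructure (5.1+), the DEFINE_LSM()
# .init hook runs only for modules named in CONFIG_LSM (or in the lsm= boot
# parameter, which replaces that list), in the listed order; having
# CONFIG_SECURITY_SELINUX=y alone is not enough.

# Print the CONFIG_LSM value of the given config file, without the quotes.
lsm_list() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1"
}

# Succeed only if "selinux" is one exact comma-separated element of
# CONFIG_LSM; the kernel compares each element with strcmp, so stray
# whitespace inside the list would not match.
lsm_has_selinux() {
    lsm_list "$1" | tr ',' '\n' | grep -qx 'selinux'
}

# Succeed if SELinux is both built in and listed in CONFIG_LSM; otherwise
# say which of the two is missing, mirroring the diagnosis in the thread.
selinux_will_init() {
    cfg=$1
    if ! grep -qx 'CONFIG_SECURITY_SELINUX=y' "$cfg"; then
        echo "$cfg: CONFIG_SECURITY_SELINUX is not y, SELinux is not built in" >&2
        return 1
    fi
    if lsm_has_selinux "$cfg"; then
        echo "$cfg: CONFIG_LSM=\"$(lsm_list "$cfg")\" will call selinux_init()"
        return 0
    fi
    echo "$cfg: CONFIG_LSM=\"$(lsm_list "$cfg")\" does not list selinux;" \
         "set e.g. CONFIG_LSM=\"integrity,selinux\"" >&2
    return 1
}

# Two constructed sample configs (shape only; a real config is far larger).
# BROKEN_CFG has SELinux built in but left out of CONFIG_LSM, which is the
# situation diagnosed in the thread; FIXED_CFG uses the suggested value.
BROKEN_CFG=$(mktemp)
cat > "$BROKEN_CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
EOF

FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="integrity,selinux"
EOF

# Against a running kernel the same check is:
#   zcat /proc/config.gz > /tmp/config && selinux_will_init /tmp/config
# and the order the kernel actually used is listed in /sys/kernel/security/lsm.
selinux_will_init "$BROKEN_CFG" || echo "-> this kernel boots with SELinux disabled, as in the thread"
selinux_will_init "$FIXED_CFG"
```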
Ondrej,
Yes, my SELinux is enabled finally after CONFIG_LSM="integrity, selinux".
Do you guys manage meta-selinux?
----henry
On Tue, Aug 8, 2023 at 8:01 AM Ondrej Mosnacek omosnace@redhat.com wrote:
You mean https://github.com/ni/meta-selinux ? If so, none of us [Red Hat SELinux engineers] works on it, AFAIK.
On Tue, Aug 8, 2023 at 8:03 PM Henry Zhang henryzhang62@gmail.com wrote:
Ondrej,
Yes. https://github.com/ni/meta-selinux is used to manage SELinux in the Yocto environment. SELinux is quite complex. After SELinux is enabled, I have to deal with the policy.
Another challenge is to find out which application causes a denied AVC message in /var/log/audit/audit.log. Do you have any good suggestions for that challenge?
----henry
On Wed, Aug 9, 2023 at 12:46 AM Ondrej Mosnacek omosnace@redhat.com wrote:
selinux@lists.fedoraproject.org