
I have been working on trying to enable SELinux for Yocto builds of my custom image for a congatec iMX8M SoM. It seems to install, but I am unable to move it to enabled (enforcing or permissive) mode.

SELinux is configured via the following flags in my image.bb file:

inherit selinux-image

#install SELinux packages
IMAGE_INSTALL_append = "\
    packagegroup-core-selinux \
"

as well as the following addition in my local.conf:

DISTRO_FEATURES_append +="acl pam selinux xattr systemd"
...
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
VIRTUAL-RUNTIME_init_manager = "systemd"
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-targeted" 

While this seemed to install all the tools etc. to make it work, no matter what I did I couldn't enable it; sestatus always returned disabled.

I then added the following to my kernel config which also hasn't helped:

CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 
CONFIG_SECURITY_SELINUX_DISABLE=n
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
#CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

Lastly I tried editing the various kernel boot cmdline options selinux=1 and enforcing=0/1.

1 Answer


So the missing piece of this turns out to be one missing kernel config that seems to be rarely mentioned on the internet, and not at all in the Yocto SELinux documents. I had to add selinux to the CONFIG_LSM kernel option:

CONFIG_LSM="selinux,lockdown,yama,loadpin,safesetid,integrity"
  • I answered my own question in case others run into this themselves. I imagine I must be overriding my kernel config in a more manual way than is typically proper, as I bet Yocto usually sets all these kernel configs up automatically when you pull in the SELinux layer. But I figure this is useful for anyone else who has things configured similar to my setup. – Josh Patterson Aug 04 '23 at 16:13
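As an added example (not code from the question or answer), the check below parses a kernel .config fragment and reports whether SELinux is both compiled in and listed in CONFIG_LSM, the combination the answer identifies; a second function reads the running kernel's effective LSM order from securityfs. The sample fragments are constructed, and the "before" CONFIG_LSM line is an assumed value the question never shows.

```shell
# Added example: verify the two kernel settings SELinux needs to initialise.
# CONFIG_SECURITY_SELINUX=y compiles it in; CONFIG_LSM decides which LSMs are
# actually initialised at boot, so a kernel can have SELinux built yet never
# start it. Note the lsm= boot parameter can override CONFIG_LSM at boot.
# Usage: selinux_kconfig_check "$(cat /path/to/.config)"
# Returns 0 when both conditions hold, 1 otherwise, and prints each finding.
selinux_kconfig_check() {
    cfg="$1"
    rc=0
    if printf '%s\n' "$cfg" | grep -qx 'CONFIG_SECURITY_SELINUX=y'; then
        echo "ok:   CONFIG_SECURITY_SELINUX=y"
    else
        echo "FAIL: CONFIG_SECURITY_SELINUX is not =y (SELinux not compiled in)"
        rc=1
    fi
    # CONFIG_LSM is a quoted, comma-separated, ordered list of LSMs.
    lsm=$(printf '%s\n' "$cfg" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p')
    if [ -z "$lsm" ]; then
        echo "FAIL: no CONFIG_LSM line in this fragment; check the full .config"
        rc=1
    elif printf '%s\n' "$lsm" | tr ',' '\n' | grep -qx 'selinux'; then
        echo "ok:   CONFIG_LSM lists selinux (\"$lsm\")"
    else
        echo "FAIL: CONFIG_LSM=\"$lsm\" does not list selinux"
        rc=1
    fi
    return "$rc"
}

# On a running kernel, securityfs exports the LSMs that were initialised.
# Returns 0 if selinux is among them, 1 if not, 2 if the file is unreadable
# (securityfs not mounted). The optional argument lets a test supply a file.
runtime_selinux_lsm_check() {
    lsm_file="${1:-/sys/kernel/security/lsm}"
    [ -r "$lsm_file" ] || return 2
    tr ',' '\n' < "$lsm_file" | grep -qx 'selinux'
}

# Constructed samples: the question's state (assumed CONFIG_LSM without
# selinux) and the answer's corrected CONFIG_LSM line.
BEFORE_CFG='CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"'
AFTER_CFG='CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_LSM="selinux,lockdown,yama,loadpin,safesetid,integrity"'

echo "== before =="; selinux_kconfig_check "$BEFORE_CFG" || echo "-> SELinux stays disabled"
echo "== after  =="; selinux_kconfig_check "$AFTER_CFG" && echo "-> kernel can initialise SELinux"
```

Run it against the real file with `selinux_kconfig_check "$(cat build/tmp/work/.../.config)"` (path depends on your build tree) before rebuilding the kernel.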