Why is SELinux still disabled even though CONFIG_SECURITY_SELINUX is enabled in the kernel?
I am compiling Linux kernel v3.12.61 with the PREEMPT-RT patch in Yocto (1.8.1 Fido), with the following kernel configuration enabled. The /sys/fs/selinux directory is created, but it is empty.

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y

Whether I enable CONFIG_SECURITY_SELINUX_BOOTPARAM or set it to 0 or 1, the result is the same.

I have installed the SELinux userspace tools using OE's meta-selinux layer. I have also set SELINUX=permissive in /etc/selinux/config. Running sestatus returns "SELinux status: disabled". Previously, this was all I needed to do when compiling an older kernel (v3.2). Am I missing something here?
The documentation for the meta-selinux layer has a section that roughly outlines what you should do if you want to use selinux in your image. For completeness on Stack Overflow I am pasting it here, but note that by the time you read this it may be out of date, so refer to the original where possible.

Building the meta-selinux layer

In order to add selinux support to the poky build this layer should be added to your project's bblayers.conf file.

By default the selinux components are disabled. This conforms to the Yocto Project compatible guideline that indicates that simply including a layer should not change the system behavior.

In order to use the components in this layer you must add 'selinux' to the DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present. e.g. DISTRO_FEATURES_append = " acl xattr pam selinux"

You must also specify a preferred provider for the virtual/refpolicy. The included policies with this layer are simply reference policies and will need to be tailored for your environment.

Enable the refpolicy-mls: e.g. PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
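As an added example (not from the question, the answer or the meta-selinux docs), here is a small POSIX shell triage that separates the cases behind a "SELinux status: disabled" report on the running image: SELinux not in the kernel, selinux=0 on the kernel command line, selinuxfs never mounted at /sys/fs/selinux (the empty directory from the question), or no compiled policy for the SELINUXTYPE named in /etc/selinux/config. The function name and its ROOT prefix argument are my own construction; the paths it inspects are the standard ones.

```shell
#!/bin/sh
# selinux_triage [ROOT]: print one verdict explaining why sestatus may say
# "disabled". ROOT is a prefix (normally /) so the same checks can be run
# against a constructed directory tree; the prefix argument is an assumption
# of this example, not something from the question or the layer docs.
selinux_triage() {
    root="${1%/}"
    fs="$root/sys/fs/selinux"
    # 1. selinuxfs is registered only when CONFIG_SECURITY_SELINUX is built in.
    if ! grep -q selinuxfs "$root/proc/filesystems" 2>/dev/null; then
        echo "NO_KERNEL_SUPPORT"; return 0
    fi
    # 2. selinux=0 on the command line overrides the BOOTPARAM_VALUE default,
    #    which is only the value used when no selinux= parameter is given.
    case " $(cat "$root/proc/cmdline" 2>/dev/null) " in
        *" selinux=0 "*) echo "DISABLED_BY_CMDLINE"; return 0 ;;
    esac
    # 3. An empty /sys/fs/selinux means init never mounted selinuxfs there;
    #    libselinux then treats SELinux as disabled and sestatus reports it so.
    if [ ! -e "$fs/enforce" ]; then
        echo "SELINUXFS_NOT_MOUNTED"; return 0
    fi
    # 4. Init can only load a policy that exists for the configured type:
    #    /etc/selinux/<SELINUXTYPE>/policy/policy.<version>.
    type=$(sed -n 's/^SELINUXTYPE=//p' "$root/etc/selinux/config" 2>/dev/null)
    if [ -z "$type" ] || ! ls "$root/etc/selinux/$type/policy"/policy.* >/dev/null 2>&1; then
        echo "NO_POLICY_STORE"; return 0
    fi
    # 5. Kernel side is up: report the mode selinuxfs is actually in.
    case "$(cat "$fs/enforce")" in
        1) echo "ENFORCING" ;;
        *) echo "PERMISSIVE" ;;
    esac
}

selinux_triage "${1:-/}"
```

Run it as root on the target (or pass an extracted rootfs as ROOT) and read the verdict from top to bottom: the first failing step is the one to fix before the ones after it can matter.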