758261d | 2023-07-13 05:52:04 -0700

meta-selinux
============

This layer's purpose is enabling SELinux support.

The majority of this layer's work is accomplished in bbappend files, used to
enable SELinux support in existing recipes.

A new recipes-security category was added. Its purpose is to add
software specific to system security.


Dependencies
------------

This layer depends on the openembedded-core metadata and the meta-python and
meta-oe layers from the meta-openembedded repository.


Maintenance
-----------
Please see the MAINTAINERS file for information on contacting the maintainers
of this layer, as well as instructions for submitting patches.


Building the meta-selinux layer
-------------------------------
To add SELinux support to a Poky build, add this layer to your project's
bblayers.conf file.

By default the SELinux components are disabled. This conforms to the
Yocto Project Compatible guideline that simply including a layer should not
change the system's behavior.

To use the components in this layer you must add 'selinux' to
DISTRO_FEATURES. In addition to selinux, make sure that acl, xattr and
pam are also present, e.g.:

  DISTRO_FEATURES_append = " acl xattr pam selinux"

You must also specify a preferred provider for virtual/refpolicy. The
policies included with this layer are reference policies and will need
to be tailored for your environment.

* Enable refpolicy-mls:

  PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"


Using different versions of refpolicy
-------------------------------------
To prepare SELinux-enabled images using a different version of refpolicy,
choose one of the supported refpolicy releases; refer to the available
versions under recipes-security/refpolicy.

refpolicy can also be built directly from its git repository instead of
from release tarballs. By default the git recipe builds the head commit of
the master branch; update SRCREV for refpolicy and refpolicy-contrib in
refpolicy_git.inc to check out the commits you require.

* Enable the preferred refpolicy-minimum version:

  PREFERRED_VERSION_refpolicy-minimum = "2.20151208"
  PREFERRED_VERSION_refpolicy = "2.20151208"



Using a different init manager
------------------------------
By default SELinux-enabled images come up with "sysvinit" as the init manager.
To use "systemd" instead, make the following changes to local.conf:

* Enable systemd as the init manager in local.conf:

  DISTRO_FEATURES_remove = " sysvinit"
  DISTRO_FEATURES_append = " systemd"
  VIRTUAL-RUNTIME_init_manager = "systemd"
  DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
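The local.conf settings from the three sections above can be checked before a build starts. The following is an added example, not part of meta-selinux: a small Python checker that evaluates the simple assignment forms the README uses (plus the `:append`/`:remove` spelling of newer Yocto releases) and reports which of the README's requirements a fragment misses. `SAMPLE_CONF` and `BASE` are constructed inputs; `BASE` stands in for the DISTRO_FEATURES that the distro configuration already defines.

```python
"""Checker for the local.conf settings this README asks for (added example, not
meta-selinux code). It handles only the assignment forms shown above (=, ?=,
_append/_remove and the newer :append/:remove), with no ${...} expansion."""
import re

ASSIGN = re.compile(r'^\s*([A-Za-z0-9_./-]+?)([_:]append|[_:]remove)?\s*(\?=|=)\s*"(.*)"\s*$')

def evaluate(conf_text, base=None):
    values, appends, removes = dict(base or {}), {}, {}
    for m in filter(None, map(ASSIGN.match, conf_text.splitlines())):
        name, op, assign, value = m.groups()
        if op and op.endswith('append'):
            appends[name] = appends.get(name, '') + value
        elif op:  # remove: applied last, after all appends
            removes.setdefault(name, set()).update(value.split())
        elif not (assign == '?=' and name in values):  # ?= keeps an earlier value
            values[name] = value
    final = {}
    for name in set(values) | set(appends) | set(removes):
        words = (values.get(name, '') + appends.get(name, '')).split()
        final[name] = ' '.join(w for w in words if w not in removes.get(name, ()))
    return final

def check(conf_text, base=None):
    """Return the README requirements the fragment misses ([] when all are met)."""
    v = evaluate(conf_text, base)
    features = set(v.get('DISTRO_FEATURES', '').split())
    problems = [f'DISTRO_FEATURES lacks {f}' for f in ('selinux', 'acl', 'xattr', 'pam')
                if f not in features]
    if not v.get('PREFERRED_PROVIDER_virtual/refpolicy'):
        problems.append('PREFERRED_PROVIDER_virtual/refpolicy is not set')
    if 'systemd' in features:  # the init manager switch described above
        if v.get('VIRTUAL-RUNTIME_init_manager') != 'systemd':
            problems.append('VIRTUAL-RUNTIME_init_manager is not systemd')
        if 'sysvinit' in features:
            problems.append('sysvinit still in DISTRO_FEATURES')
    return problems

SAMPLE_CONF = """DISTRO_FEATURES_append = " acl xattr pam selinux"
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
DISTRO_FEATURES_remove = " sysvinit"
DISTRO_FEATURES_append = " systemd"
VIRTUAL-RUNTIME_init_manager = "systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
"""  # constructed sample: the README's own lines
BASE = {'DISTRO_FEATURES': 'sysvinit ipv4 ipv6'}  # constructed stand-in for distro defaults
```

`check(SAMPLE_CONF, BASE)` returns an empty list; drop `pam` from the first line or the `_remove` line and it names the missing requirement.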


Starting up the system
----------------------
Most likely the selected reference policy will not just work "out of the box".

As always, if you update the reference policy to work better with OpenEmbedded
or Poky configurations, please submit the changes back to the project.

When using 'core-image-selinux', the system will boot and automatically set up
the policy by running "fixfiles -f -F relabel" for you. This is
implemented via the 'selinux-autorelabel' recipe.

'core-image-selinux-minimal' does not automatically relabel the system, so
you must boot with the kernel parameters "selinux=1 enforcing=0" and then
perform the setup manually. Running 'fixfiles -f -F relabel' is available
in this configuration.

After logging in you can verify that SELinux is present using:

  $ sestatus

The output should include:

  SELinux status: enabled
  ...
  Current mode: enforcing
  ...

The above shows that SELinux is currently running and whether you are running
in enforcing mode or not.



License
-------

All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.

This README document is Copyright (C) 2012 Wind River Systems, Inc.