SELinux FAQ

----------------------------------------------------------------------------

This file contains answers to frequently-asked questions about the SELinux
feature for Poky.

Copyright (C) 2012 Wind River Systems, Inc.

============================================================================

Table of Contents

1. About SELinux
  * 1.1 What is SELinux?
  * 1.2 What does this layer do to enable SELinux features?

2. Building with SELinux

  * 2.1 How can I build a SELinux image?
  * 2.2 How can I add SELinux to my custom images?

3. Using SELinux

  * 3.1 How do I turn SELinux off at boot?
  * 3.2 How do I turn enforcing mode on/off?

4. Resolving Problems

  * 4.1 Why can't I log in via ssh in enforcing mode?

==============================================================================

1 - About SELinux

------------------------------------------------------------------------------

1.1 - What is SELinux?

Security-enhanced Linux (SELinux) is a reference implementation of the Flask
security architecture for flexible mandatory access control. It was created to
demonstrate the value of flexible mandatory access controls and how such
controls could be added to an operating system.

1.2 - What does this layer do to enable SELinux features?

To enable SELinux features, this layer provides the following:

  * a new DISTRO_FEATURES value, "selinux"
  * a new DISTRO, "poky-selinux", with DISTRO_FEATURES += "pam selinux"
  * a config file for the Linux kernel that enables SELinux
  * recipes for the SELinux userland libraries and tools
  * a package group (packagegroup-core-selinux) for the SELinux userland packages
  * bbappends for SELinux-related recipes so that they build with SELinux enabled
  * recipes for the SELinux policy, modified from refpolicy


==============================================================================

2 - Building with SELinux

------------------------------------------------------------------------------

2.1 - How can I build a SELinux image?

After initializing the Poky build environment, follow these steps:

  1. Add the meta-selinux path to the BUILDDIR/conf/bblayers.conf file.

  2. Set DISTRO="poky-selinux" or add DISTRO_FEATURES_append=" pam selinux"
     in the BUILDDIR/conf/local.conf file.

  3. Build the default SELinux image:

     $ bitbake core-image-selinux

2.2 - How can I add SELinux to my custom images?

If you only want to add SELinux to your custom image, perform the following
steps:

  1. Add the meta-selinux path to the BUILDDIR/conf/bblayers.conf file.

  2. Add DISTRO_FEATURES_append=" pam selinux" to the BUILDDIR/conf/local.conf
     file.

  3. Add packagegroup-core-selinux to your custom image.
     For example, if core-image-custom.bb is the image recipe you are
     building, add packagegroup-core-selinux to IMAGE_INSTALL in
     core-image-custom.bb.

  4. Build your custom image in the build directory:

     $ bitbake core-image-custom



==============================================================================

3 - Using SELinux

------------------------------------------------------------------------------

3.1 - How do I turn SELinux off at boot?

Set SELINUX=disabled in /etc/selinux/config.

Alternatively, you can add "selinux=0" to your kernel boot parameters. This is
not recommended, but it is useful in some testing situations. For example,
when you are using qemu targets:

  $ runqemu qemumips core-image-selinux ext3 nographic bootparams="selinux=0"

The initial filesystem relabel step requires considerable memory and can result
in unexpected, sometimes impossible to reproduce, failures if an OOM condition
occurs while it is in progress. Therefore you should allocate at least 512MB of
RAM to your qemu image; 1GB or more is recommended. This is done by adding
qemuparams="-m 1024" to your runqemu options.

The default varies between platforms, though it is usually around 256MB.

3.2 - How do I turn enforcing mode on/off?

You can specify the SELinux mode in /etc/selinux/config:

  # SELINUX= can take one of these three values:
  #   enforcing  - SELinux security policy is enforced.
  #   permissive - SELinux prints warnings instead of enforcing.
  #   disabled   - No SELinux policy is loaded.
  SELINUX=enforcing

Setting SELINUX to "enforcing" has the same effect as adding "enforcing=1" to
the kernel boot parameters, and setting it to "permissive" has the same effect
as adding "enforcing=0".
However, "disabled" is not the same as the "selinux=0" kernel boot parameter.
Rather than fully disabling SELinux in the kernel, the "disabled" setting turns
enforcing off and skips loading a policy.
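Because the kernel command line and /etc/selinux/config can disagree, a useful
check on a target is to work out which mode it will actually come up in. The
script below is an added example, not part of meta-selinux: it parses the
SELINUX= line, maps it to the equivalent boot parameter from the paragraph
above, and resolves the effective mode for a given command line. The
precedence it applies is an assumption for this example: "selinux=0" wins
outright, then "enforcing=N", then the config file. The sample config file is
constructed inline from the snippet above.

```shell
#!/bin/sh
# Added example, not part of meta-selinux: work out which SELinux mode a
# target will come up in from its /etc/selinux/config and kernel command
# line. Assumed precedence: "selinux=0" wins outright, then "enforcing=N",
# then the config file's SELINUX= value.

# Print the SELINUX= value from a config file, ignoring comment lines.
# If the file assigns it more than once, the last assignment wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Map a config-file mode to the kernel parameter with the same effect.
# "disabled" has no kernel-parameter equivalent: SELinux stays active in
# the kernel and userspace simply skips loading a policy, so "none" here.
config_mode_to_bootparam() {
    case "$1" in
        enforcing)  echo "enforcing=1" ;;
        permissive) echo "enforcing=0" ;;
        disabled)   echo "none" ;;
        *) echo "invalid SELINUX value: $1" >&2; return 1 ;;
    esac
}

# Resolve the effective boot mode from a kernel command line string and a
# config file path. Prints one of: kernel-disabled, enforcing, permissive,
# disabled. Fails if the config file has no valid SELINUX= line.
effective_mode() {
    cmdline="$1"; cfg="$2"
    # selinux=0 disables SELinux in the kernel regardless of everything else.
    for arg in $cmdline; do
        case "$arg" in
            selinux=0) echo "kernel-disabled"; return 0 ;;
        esac
    done
    # enforcing=N on the command line overrides the config file.
    for arg in $cmdline; do
        case "$arg" in
            enforcing=1) echo "enforcing";  return 0 ;;
            enforcing=0) echo "permissive"; return 0 ;;
        esac
    done
    mode=$(selinux_config_mode "$cfg")
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        "") echo "no SELINUX= line in $cfg" >&2; return 1 ;;
        *)  echo "invalid SELINUX value: $mode" >&2; return 1 ;;
    esac
}

# Constructed sample config file, copied from the snippet in section 3.2.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# SELINUX= can take one of these three values:
#   enforcing  - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled   - No SELinux policy is loaded.
SELINUX=enforcing
EOF

# Show how three constructed command lines resolve against the same config.
for cl in "root=/dev/vda" "root=/dev/vda enforcing=0" "root=/dev/vda selinux=0"; do
    printf '%-28s -> %s\n' "$cl" "$(effective_mode "$cl" "$sample_cfg")"
done
```

On a live target, pass the contents of /proc/cmdline and /etc/selinux/config to
effective_mode and compare the answer with getenforce; a mismatch usually means
a bootloader override, such as the qemu bootparams in section 3.1, is in play.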
==============================================================================

4 - Resolving Problems

------------------------------------------------------------------------------

4.1 - Why can't I log in via ssh in enforcing mode?

Check "PermitEmptyPasswords" in /etc/ssh/sshd_config. If it is set to "yes",
set it to "no" and then restart sshd. This is because the pam_selinux module
does not allow sshd to set PermitEmptyPasswords to "yes".

Note: If both the debug-tweaks and ssh-server-openssh IMAGE_FEATURES are
enabled, "PermitEmptyPasswords" is set to "yes" by default in Poky images.
