
Why is SELinux still disabled even though CONFIG_SECURITY_SELINUX is enabled in the kernel?


I am compiling Linux kernel v3.12.61 with PREEMPT-RT patch in Yocto (1.8.1 Fido) with the following kernel configuration enabled. The /sys/fs/selinux directory is created but it is empty.

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y

Regardless of whether I enable CONFIG_SECURITY_SELINUX_BOOTPARAM or set it to 0 or 1, the result is still the same.

I have installed the SELinux userspace tools using the meta-selinux layer from OE. I also set SELINUX=permissive in /etc/selinux/config. Running sestatus returns "SELinux status: disabled". Previously that was all I needed to do when compiling an older kernel (v3.2). Am I missing anything here?


Solution

  • The documentation for the meta-selinux layer has a section that pretty much outlines what to do if you want to use selinux in your images.

    For the sake of Stack Overflow completeness I will paste it in here, but please be aware that this state might be outdated when you read it here, so please always refer to the original if possible.

    Building the meta-selinux layer

    In order to add selinux support to the poky build this layer should be added to your project's bblayers.conf file.

    By default the selinux components are disabled. This conforms to the Yocto Project compatible guideline that indicates that simply including a layer should not change the system behavior.

    In order to use the components in this layer you must add 'selinux' to the DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present. e.g. DISTRO_FEATURES_append = " acl xattr pam selinux"

    You must also specify a preferred provider for the virtual/refpolicy. The policies included with this layer are simply reference policies and will need to be tailored for your environment.

    Enable the refpolicy-mls: e.g. PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
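As an added diagnostic that is not part of the question or the answer: a POSIX shell function that classifies the symptom in the question (kernel built with SELinux, /sys/fs/selinux present but empty, sestatus says disabled) from the files the kernel and init expose. It takes the file contents as arguments so it can run offline; the sample inputs below are constructed, and the result names are my own labels.

```sh
#!/bin/sh
# Classify why SELinux shows as disabled on a target. Inputs are the contents of
# /proc/cmdline, /proc/filesystems, /proc/mounts and /etc/selinux/config.
# Echoes one label: kernel-missing | cmdline-off | config-disabled | fs-unmounted | enabled
selinux_diagnose() {
    cmdline=$1 filesystems=$2 mounts=$3 config=$4
    # selinuxfs is listed in /proc/filesystems only when the kernel was built
    # with CONFIG_SECURITY_SELINUX=y; if it is absent the image booted another kernel.
    if ! printf '%s\n' "$filesystems" | grep -q 'selinuxfs$'; then
        echo kernel-missing; return 0
    fi
    # With CONFIG_SECURITY_SELINUX_BOOTPARAM=y, selinux=0 on the command line
    # overrides CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE and disables SELinux at boot.
    case " $cmdline " in
        *' selinux=0 '*) echo cmdline-off; return 0 ;;
    esac
    # SELINUX=disabled in /etc/selinux/config makes init skip loading a policy.
    if printf '%s\n' "$config" | grep -q '^SELINUX=disabled'; then
        echo config-disabled; return 0
    fi
    # An empty /sys/fs/selinux means userspace never mounted selinuxfs there;
    # sestatus then reports "disabled" even though the kernel supports SELinux.
    # This is the question's case: the kernel is fine, the userspace side is missing.
    if ! printf '%s\n' "$mounts" | grep -q ' /sys/fs/selinux selinuxfs '; then
        echo fs-unmounted; return 0
    fi
    echo enabled
}

# Convenience wrapper reading the live system (only meaningful on the target).
selinux_diagnose_live() {
    selinux_diagnose "$(cat /proc/cmdline)" "$(cat /proc/filesystems)" \
        "$(cat /proc/mounts)" "$(cat /etc/selinux/config 2>/dev/null)"
}

# Constructed sample inputs mirroring the question: SELinux built in, selinuxfs
# not mounted, /etc/selinux/config set to permissive.
SAMPLE_FS=$(printf 'nodev\tsysfs\nnodev\tselinuxfs\n\text4\n')
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNTS_OK=$(printf '%s\nselinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n' "$SAMPLE_MOUNTS")

selinux_diagnose 'console=ttyS0 root=/dev/mmcblk0p2' "$SAMPLE_FS" "$SAMPLE_MOUNTS" 'SELINUX=permissive'
```

On a target, `selinux_diagnose_live` prints the label; `fs-unmounted` points at the image (init scripts, policy, DISTRO_FEATURES) rather than the kernel config.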