[v14,4/4] qemu x86 selinux: base br defconfig

Submitted by Arnout Vandecappelle on July 3, 2017, 9 p.m.


Message ID 20170703210051.3457-4-arnout@mind.be
State New
Headers show

Commit Message

Arnout Vandecappelle July 3, 2017, 9 p.m.
From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

This will build a base SELinux system that boots with SELinux
in permissive mode. Also adding documentation on how to use it.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
 - Create a 64-bit defconfig instead of a 32-bit one.
 - Move the kernel fragment to board/common_selinux.
 - Align with qemu_x86_64_defconfig.
 - Regenerate .gitlab-ci.yml.]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
 - Create a 64-bit defconfig instead of a 32-bit one.
 - Move the kernel fragment to board/common_selinux.
 - Align with qemu_x86_defconfig.
 - Regenerate .gitlab-ci.yml.
 - Add the defconfig only after the selinux-specific bits have been

I would really like some explanation why the following config options
are needed:

I switched to x86_64 because the BR2_i386_pentiumpro variant fails to
build glibc:
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h: In function '__m128i_shift_right':
../sysdeps/x86_64/multiarch/varshift.h:26:1: error: SSE vector return without SSE enabled changes the ABI [-Werror=psabi]

(and more). I couldn't be bothered to debug that, switching to x86_64
was simpler.
 .gitlab-ci.yml                        |  1 +
 board/qemu/x86_64/readme.txt          | 17 +++++++++++++
 configs/qemu_x86_64_selinux_defconfig | 47 +++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 configs/qemu_x86_64_selinux_defconfig

Patch hide | download patch | download mbox

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3ae7e5db64..4a48c560f2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -174,6 +174,7 @@  qemu_sh4eb_r2d_defconfig: *defconfig
 qemu_sparc64_sun4u_defconfig: *defconfig
 qemu_sparc_ss10_defconfig: *defconfig
 qemu_x86_64_defconfig: *defconfig
+qemu_x86_64_selinux_defconfig: *defconfig
 qemu_x86_defconfig: *defconfig
 qemu_xtensa_lx60_defconfig: *defconfig
 qemu_xtensa_lx60_nommu_defconfig: *defconfig
diff --git a/board/qemu/x86_64/readme.txt b/board/qemu/x86_64/readme.txt
index ecd7813a1e..742cf13ba5 100644
--- a/board/qemu/x86_64/readme.txt
+++ b/board/qemu/x86_64/readme.txt
@@ -7,3 +7,20 @@  Optionally add -smp N to emulate a SMP system with N CPUs.
 The login prompt will appear in the graphical window.
 Tested with QEMU 2.9.0
+Run the SELinux target (based on qemu_x86_64_selinux_defconfig) emulation with:
+    qemu-system-x86_64 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display none -serial stdio
+The emulation should reboot once the first time for relabeling and
+then provide a login prompt. The login is username root and password
+root because PAM requires a password in this secure configuration. To
+enable SELinux enforcing at boot, login and edit the
+/etc/selinux/config and set SELINUX to enforcing. Save and make sure
+to "sync" before restarting the emulation as the ext2 fs would
+otherwise corrupt when the emulation exits. After enforcing is
+default, the selinux= provided as part of the qemu "append" above can
+be used to turn enforcing on/off. This configuration would be tailored
+as part of a targets refpolicy customization.
diff --git a/configs/qemu_x86_64_selinux_defconfig b/configs/qemu_x86_64_selinux_defconfig
new file mode 100644
index 0000000000..28d8d45942
--- /dev/null
+++ b/configs/qemu_x86_64_selinux_defconfig
@@ -0,0 +1,47 @@ 
+# Architecture
+# System
+# Select SYSV init to provide selinux enabled init
+# Pull in SELinux specific file overlay to allow login
+# in enforcing mode.
+BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt board/common_selinux/permissions.txt"
+# Filesystem
+# BR2_TARGET_ROOTFS_TAR is not set
+# Internal toolchain glibc, for policycoreutils
+# Linux headers same as kernel, a 4.11 series
+# Kernel
+# Customized busybox config providing a tailored
+# balance of applets vs full apps
+# Ensure busybox is built as individual binaries for the
+# SELinux refpolicy to work correctly