From patchwork Tue Jun 28 03:58:37 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 641331 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3rdsWm2t0Mz9sCp for ; Tue, 28 Jun 2016 13:59:48 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id E754888908; Tue, 28 Jun 2016 03:59:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aNevGh7d-gCh; Tue, 28 Jun 2016 03:59:43 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by fraxinus.osuosl.org (Postfix) with ESMTP id 3CA1FC0560; Tue, 28 Jun 2016 03:59:17 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id CB9F81CF711 for ; Tue, 28 Jun 2016 03:59:04 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id AA8F73029F for ; Tue, 28 Jun 2016 03:59:04 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FM9hBlEOUQgI for ; Tue, 28 Jun 2016 03:58:57 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from ch3vs02.rockwellcollins.com (ch3vs02.rockwellcollins.com [205.175.226.29]) by silver.osuosl.org (Postfix) with ESMTPS id 4B38C331A4 for ; Tue, 28 Jun 2016 03:58:52 +0000 (UTC) Received: from ofwch3n02.rockwellcollins.com (HELO dtulimr01.rockwellcollins.com) ([205.175.226.14]) by ch3vs02.rockwellcollins.com with ESMTP; 27 Jun 2016 22:58:52 -0500 X-Received: from largo.rockwellcollins.com (unknown [192.168.140.76]) by dtulimr01.rockwellcollins.com (Postfix) with ESMTP id 19648601D4; Mon, 27 Jun 2016 22:58:51 -0500 (CDT) From: Matt Weber To: buildroot@buildroot.org Date: Mon, 27 Jun 2016 22:58:37 -0500 Message-Id: <1467086319-42783-7-git-send-email-matthew.weber@rockwellcollins.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1467086319-42783-1-git-send-email-matthew.weber@rockwellcollins.com> References: <1467086319-42783-1-git-send-email-matthew.weber@rockwellcollins.com> Cc: Niranjan Reddy Subject: [Buildroot] [PATCH v12 7/9] qemu x86 selinux: base br defconfig X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" From: Clayton Shotwell This will build a base SELinux system that boots with SELinux in permissive mode. Also adding documentation on how to use it. Signed-off-by: Clayton Shotwell Signed-off-by: Matthew Weber Signed-off-by: Niranjan Reddy --- Changes v11 -> v12: - Bump kernel to 4.6 - Renamed fragment config to be 4.x vs 4.0 Changes v10 -> v11: - Removed configs BR2_ROOTFS_XXX (post build script,device table and overlay) from this patch and added these configs to another patch (common-selinux-support-files.patch) - Included configuration BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES in defconfig. Changes v9 -> v10: - Changed version number of QEMU from 2.2.1 to 2.3.0 Changes v8 -> v9: - No changes Changes v7 -> v8: - No changes Changes v6 -> v7: - No changes Changes v5 -> v6: - No changes Changes v4 -> v5: - Update the qemu_x86_defconfig to the 4.0 kernel series (Clayton S.) Changes v1 -> v4: - Did not exist --- board/qemu/x86/linux-4.x-selinux.config | 19 ++++++++++++ board/qemu/x86/readme.txt | 17 ++++++++++ configs/qemu_x86_selinux_defconfig | 55 +++++++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 board/qemu/x86/linux-4.x-selinux.config create mode 100644 configs/qemu_x86_selinux_defconfig diff --git a/board/qemu/x86/linux-4.x-selinux.config b/board/qemu/x86/linux-4.x-selinux.config new file mode 100644 index 0000000..1235141 --- /dev/null +++ b/board/qemu/x86/linux-4.x-selinux.config @@ -0,0 +1,19 @@ +CONFIG_AUDIT=y +CONFIG_MODULES=y +CONFIG_IP_PNP=y +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +ONFIG_EXT2_FS=y +CONFIG_EXT2_FS_XATTR=y +CONFIG_EXT2_FS_POSIX_ACL=y +CONFIG_EXT2_FS_SECURITY=y +CONFIG_EXT3_FS=y +CONFIG_EXT3_FS_POSIX_ACL=y +CONFIG_EXT3_FS_SECURITY=y +CONFIG_NFS_FS=y +CONFIG_ROOT_NFS=y +CONFIG_SECURITY=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_SELINUX=y +CONFIG_SECURITY_SELINUX_BOOTPARAM=y +CONFIG_CRYPTO_ANSI_CPRNG=y diff --git a/board/qemu/x86/readme.txt b/board/qemu/x86/readme.txt index 4f2e4c7..f7bf256 100644 --- a/board/qemu/x86/readme.txt +++ b/board/qemu/x86/readme.txt @@ -7,3 +7,20 @@ Optionally add -smp N to emulate a SMP system with N CPUs. The login prompt will appear in the graphical window. Tested with QEMU 2.5.0 + +------------------------------------------------------------------- + +Run the SElinux target emulation with: + + qemu-system-i386 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display none -serial stdio + +The emulation should reboot once the first time for relabeling and +then provide a login prompt. The login is username root and password +root because PAM requires a password in this secure configuration. To +enable SELinux enforcing at boot, login and edit the +/etc/selinux/config and set SELINUX to enforcing. Save and make sure +to "sync" before restarting the emulation as the ext2 fs would +otherwise corrupt when the emulation exits. After enforcing is +default, the selinux= provided as part of the qemu "append" above can +be used to turn enforcing on/off. This configuration would be tailored +as part of a targets refpolicy customization. diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig new file mode 100644 index 0000000..084a519 --- /dev/null +++ b/configs/qemu_x86_selinux_defconfig @@ -0,0 +1,55 @@ +# Architecture +BR2_x86_pentiumpro=y + +# Internal tool chain glibc +BR2_TOOLCHAIN_BUILDROOT_GLIBC=y +BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_6=y + +# Select SYSV init to provide selinux enabled init +BR2_INIT_SYSV=y + +# Default password to allow PAM login +BR2_TARGET_GENERIC_ROOT_PASSWD="root" + +# Lock to a kernel that's been tested against selinux libs +BR2_LINUX_KERNEL=y +BR2_LINUX_KERNEL_CUSTOM_VERSION=y +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.6" +BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y +BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-4.6.config" +BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/x86/linux-4.x-selinux.config" + +# Ensure busybox is built as individual binaries for the +# SELinux refpolicy to work correctly +BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y + +# Audit service +BR2_PACKAGE_AUDIT=y + +# Enhanced authentication with selinux hooks +BR2_PACKAGE_LINUX_PAM=y + +# Full version of login with SELinux support +BR2_PACKAGE_UTIL_LINUX=y +BR2_PACKAGE_UTIL_LINUX_BINARIES=y +BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y + +# SSH daemon for secure login +BR2_PACKAGE_OPENSSH=y + +# Provides tools for fs security context relabeling +BR2_PACKAGE_POLICYCOREUTILS=y + +# SELinux policy config/definition +BR2_PACKAGE_REFPOLICY=y + +# Logging daemon +BR2_PACKAGE_RSYSLOG=y + +#rootfs with spare space for fs relabel activity +BR2_TARGET_ROOTFS_EXT2=y +BR2_TARGET_ROOTFS_EXT2_RESBLKS=5 +# BR2_TARGET_ROOTFS_TAR is not set + +# Offline tools for policy analysis/building +BR2_PACKAGE_HOST_CHECKPOLICY=y