We will first need to add Linux kernel support for our selected security framework. To enable SELinux support, we need to configure the Linux kernel as explained in the Configuring the Linux kernel section in Chapter 2, The BSP Layer. We can add the following changes to the Wandboard's defconfig in a bbappend to the Linux kernel recipe:
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
Refer to the source code distributed with the book for further details.
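Before building, it is worth checking that the options above actually ended up enabled in the kernel configuration that BitBake produced, since a fragment that does not apply cleanly fails silently. The following shell function is an added example (not code from the book or from meta-selinux) that scans a .config or defconfig for the four options listed above and reports each one that is missing or explicitly disabled; the sample configuration it writes is constructed for the demonstration and is not the Wandboard defconfig.

```shell
# Added example: verify that a kernel .config/defconfig enables SELinux support.
# Assumes the standard kconfig syntax "CONFIG_FOO=y" / "# CONFIG_FOO is not set".

# The options the text adds to the Wandboard defconfig.
SELINUX_REQUIRED_OPTIONS="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX"

# check_selinux_kconfig FILE
# Prints every required option that is not set to y (distinguishing "disabled"
# from "missing") and returns 0 only when all of them are enabled.
check_selinux_kconfig() {
    file="$1"
    missing=0
    for opt in $SELINUX_REQUIRED_OPTIONS; do
        if ! grep -qx "${opt}=y" "$file"; then
            if grep -qx "# ${opt} is not set" "$file"; then
                echo "disabled: $opt"
            else
                echo "missing:  $opt"
            fi
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# write_sample_config FILE
# Constructed sample for the demonstration: one option was left unset.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_SELINUX=y
EOF
}

# Demonstration run: on a real build point it at
# tmp/work/<machine>-poky-linux-gnueabi/linux-wandboard/*/build/.config instead.
sample=$(mktemp)
write_sample_config "$sample"
if check_selinux_kconfig "$sample"; then
    echo "kernel config: all SELinux options enabled"
else
    echo "kernel config: SELinux support incomplete"
fi
rm -f "$sample"
```

Run it against the generated .config rather than the defconfig when in doubt: the defconfig is the input, the .config is what the kernel was actually built from, and an LSM that is not compiled in cannot be enabled later from userspace.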
The meta-selinux layer enables SELinux support on a Yocto image. To use it, first we need to clone it into the sources directory:
$ cd /opt/yocto/fsl-community-bsp/sources
$ git clone git://git.yoctoproject.org/meta-selinux
Or, to use the fork of the layer prepared for this book's rocko-based examples:
$ git clone https://github.com/yoctocookbook2ndedition/meta-selinux.git -b rocko
Then we also need to add it to our conf/bblayers.conf, as described in the Creating a custom BSP layer section in Chapter 2, The BSP Layer. The layer also depends on meta-python, which is part of meta-oe, so we also need to add it to our conf/bblayers.conf:
+ ${BSPDIR}/sources/meta-selinux
+ ${BSPDIR}/sources/meta-openembedded/meta-python
We then need to explicitly change our distribution configuration file to support some extra features:
DISTRO_FEATURES_append = " pam selinux"
Finally, a reference policy to be used as a base for future customization needs to be selected. The meta-selinux layer supports the following:
- minimum, the most permissive, with the least security protection. It confines only a minimal set of daemons.
- standard, which confines daemons as well as other areas, such as users.
- mls, with support for multilevel security (MLS) protection.
- targeted, which confines a larger set of daemons, as well as other areas such as users.
- mcs, the standard policy extended with multicategory security (MCS) protection.
To choose, for example, the minimum policy, we add the following to the conf/local.conf configuration file:
PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-minimum"
The meta-selinux layer provides two SELinux-enabled images, core-image-selinux-minimal and core-image-selinux. To add SELinux functionality to an existing image instead, add the following to conf/local.conf:
IMAGE_INSTALL_append = " packagegroup-core-selinux"
To build core-image-selinux, change to the fsl-community-bsp directory and type:
$ source setup-environment wandboard
$ bitbake core-image-selinux
With the wayland distribution feature enabled, the build fails with the following error:
ERROR: cairo-1.14.10-r0 do_prepare_recipe_sysroot: The file /usr/lib/pkgconfig/wayland-egl.pc is installed by both mesa and imx-gpu-viv, aborting
To work around it, remove the wayland distribution feature in your conf/local.conf as follows:
DISTRO_FEATURES_remove = "wayland"
We will learn how to choose between the different graphical backends available in the FSL community BSP in Chapter 4, Application Development.
The core-image-selinux image relabels the filesystem to the new policy on first boot, as it includes the selinux-autorelabel recipe; we should see the following messages on boot:
Checking SELinux security contexts:
 * First booting, filesystem will be relabeled...
 * Relabel done, rebooting the system.
With core-image-selinux-minimal, the relabeling needs to be manually triggered after booting into the SELinux-enabled system, followed by a reboot so that every process starts with the correct labels:
# fixfiles -f -F relabel
After booting, we can verify that SELinux is enabled and check which mode it is running in with sestatus:
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      29
Note that this output shows the system in permissive mode, both currently and in /etc/selinux/config: the policy is loaded and denials are logged through the audit subsystem, but nothing is actually blocked. That is the right state in which to review the denials produced by a freshly relabeled system, but the policy only protects anything once the mode is switched to enforcing, with setenforce 1 for the running system and SELINUX=enforcing in /etc/selinux/config to make it persistent.
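Because "enabled" and "enforcing" are easy to conflate when reading sestatus output by eye, the following shell functions are an added example (not code from the book or from meta-selinux) that parse that output and return a distinct status for disabled, permissive and enforcing, so that a provisioning or test script can fail when the target is not actually enforcing. The sample output embedded in the block is the sestatus output shown above; the make_enforcing helper assumes the standard /etc/selinux/config layout with a SELINUX= line.

```shell
# Added example: decide from sestatus output whether the loaded policy is
# actually enforced, and switch a live system to enforcing once it is ready.

# Constructed sample: the sestatus output of the permissive system shown above.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      29'

# sestatus_field OUTPUT LABEL
# Prints the value that follows "LABEL:" in OUTPUT (empty if absent).
sestatus_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# selinux_check OUTPUT
# Returns 0 when SELinux is enabled and enforcing, 1 when it is permissive
# (logging only, nothing blocked), 2 when disabled or unrecognised.
selinux_check() {
    status=$(sestatus_field "$1" "SELinux status")
    mode=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    policy=$(sestatus_field "$1" "Loaded policy name")
    case "$status" in
        enabled) ;;
        *) echo "SELinux is disabled or selinuxfs is not mounted"; return 2 ;;
    esac
    case "$mode" in
        enforcing)
            echo "policy '$policy' enforcing (config file: $cfg)"
            return 0 ;;
        permissive)
            echo "policy '$policy' loaded but PERMISSIVE: denials are only audited (config file: $cfg)"
            return 1 ;;
        *)
            echo "unrecognised mode '$mode'"
            return 2 ;;
    esac
}

# make_enforcing
# For a live target: switch to enforcing now and persist it across reboots.
# Only call this after the relabel has completed and the audit log shows no
# denials you still need to fix (e.g. ausearch -m avc), or you may lock
# yourself out of the board.
make_enforcing() {
    setenforce 1 || return 1
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
}

# Demonstration on the sample; on a target use: selinux_check "$(sestatus)"
selinux_check "$SAMPLE_SESTATUS"
```

On the sample above the function reports permissive and returns 1, which is the signal to review the audit log, fix any labels or policy gaps, and only then call make_enforcing; a script that checks only "SELinux status: enabled" would wrongly pass this system.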