17.14.2.1. SELinux
TODO get a hello world permission control working:
./build-linux \
  --config-fragment linux_config/selinux \
  --linux-build-id selinux \
;
./build-buildroot --config 'BR2_PACKAGE_REFPOLICY=y'
./run --enable-kvm --linux-build-id selinux
Source: linux_config/selinux
This builds:
- BR2_PACKAGE_REFPOLICY, which includes a reference /etc/selinux/config policy: https://github.com/SELinuxProject/refpolicy
  refpolicy in turn depends on:
  - BR2_PACKAGE_SETOOLS, which contains tools such as getenforce: https://github.com/SELinuxProject/setools
    setools depends on:
    - BR2_PACKAGE_LIBSELINUX, which is the backing userland library
After boot finishes, we see:
Starting auditd: mkdir: invalid option -- 'Z'
which comes from /etc/init.d/S01auditd, because BusyBox's mkdir does not have the crazy -Z option like Ubuntu's. That's amazing!
The kernel logs contain:
SELinux: Initializing.
Inside the guest we now have:
getenforce
which initially says:
Disabled
TODO: if we try to enforce:
setenforce 1
it does not work and outputs:
setenforce: SELinux is disabled
SELinux requires glibc as mentioned at: Section 26.10, “libc choice”.
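To narrow down why setenforce answers that SELinux is disabled, here is an added diagnostic shell function (not part of LKMC) that checks the three guest-side preconditions: no selinux=0 on the kernel command line, selinux listed among the active LSMs in securityfs, and selinuxfs mounted. The ROOT prefix argument and the tree built by make_sample_root are constructed so it can run offline against a fake filesystem.

```shell
#!/bin/sh
# Added diagnostic, not LKMC code: explain why "setenforce 1" answers
# "SELinux is disabled". Three things must hold before enforcement is possible:
#  1. the kernel command line must not carry selinux=0,
#  2. the kernel must list selinux among the active LSMs in
#     /sys/kernel/security/lsm (securityfs),
#  3. selinuxfs must be mounted, i.e. /sys/fs/selinux/enforce must exist.
# The optional ROOT argument (assumption: a directory prefix) lets the checks
# run against a constructed tree instead of the live guest.
selinux_diagnose() {
  root=${1:-}
  cmdline_file="$root/proc/cmdline"
  lsm_file="$root/sys/kernel/security/lsm"
  enforce_file="$root/sys/fs/selinux/enforce"
  reasons=""
  if [ -r "$cmdline_file" ] && grep -q 'selinux=0' "$cmdline_file"; then
    reasons="$reasons cmdline-has-selinux=0"
  fi
  if [ -r "$lsm_file" ]; then
    case ",$(cat "$lsm_file")," in
      *,selinux,*) ;;
      *) reasons="$reasons selinux-not-an-active-lsm" ;;
    esac
  else
    reasons="$reasons securityfs-lsm-file-missing"
  fi
  [ -r "$enforce_file" ] || reasons="$reasons selinuxfs-not-mounted"
  if [ -n "$reasons" ]; then
    echo "Disabled:$reasons"
  elif [ "$(cat "$enforce_file")" = 1 ]; then
    echo "Enforcing"
  else
    echo "Permissive"
  fi
}

# Constructed sample tree resembling the guest above: the LSM list lacks
# selinux and selinuxfs is absent, so the verdict is Disabled.
make_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/proc" "$d/sys/kernel/security" "$d/sys/fs/selinux"
  printf 'root=/dev/vda console=ttyS0\n' > "$d/proc/cmdline"
  printf 'capability,yama\n' > "$d/sys/kernel/security/lsm"
  echo "$d"
}
```

On the live guest, call selinux_diagnose with no argument; each reported reason names the precondition that getenforce's "Disabled" verdict comes from.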