qweasdf
Posted November 8, 2021

Hello to all good folks in Armbian team!

On an Odroid HC1/HC2, where everything works like a Swiss clock, I can't, no matter what I do, get "getenforce Enforcing". I would be thankful if someone could point me in the right direction.

-----------------

uname -a
Linux odroid 5.4.151-odroidxu4 #21.08.3 SMP PREEMPT Fri Oct 8 19:52:26 UTC 2021 armv7l GNU/Linux

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=default
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

In "cat /boot/config-5.4.151-odroidxu4", under "# Security options", I have these related to SELinux:

# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_FORTIFY_SOURCE=y
# CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
CONFIG_SECURITY_SMACK_NETFILTER=y
CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set

-----------------

## what I did:

apt remove apparmour
"Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package apparmour"
# so AppArmor is no longer present

apt update && upgrade
apt install selinux-basics selinux-policy-default auditd
# all has installed OK, no problem with dependencies et al.

## I did observe, in /boot/config-5.4.151-odroidxu4, the following lines about AppArmor:
# Automatically generated file; DO NOT EDIT.
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y

## at command: "selinux-activate"
## I get
"Activating SE Linux
SE Linux is activated. You may need to reboot now."
# but no change after reboot

qweasdf (Author)
Posted December 13, 2021

Enabling SELINUX on "Debian GNU/Linux 10 (buster)" on ODROID HC1/HC2 --- is a more complete title

Werner
Posted December 14, 2021

Moved to Common issues / peer to peer technical support

doff
Posted January 17, 2023

I'm facing the same issue with my Armbian XU4 bullseye. I've noticed in the /boot/config-5.4.225-odroidxu4 file that there are multiple security modules compiled in the kernel:

$ grep SECURITY /boot/config-5.4.225-odroidxu4
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
CONFIG_SECURITY_SMACK_NETFILTER=y
CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set

I see SELinux, AppArmor, Smack and Tomoyo. But if you look at the last lines, it seems that the default security module loaded is AppArmor.

I remember that the choice of the security module can be done by adding the parameter security= in the boot line. I haven't tested it, because I'm a bit lost on "how to change this parameter" for the XU4. Would it be in the /boot/boot.ini? I do not see where. In the initrd? How to update this?

doff
Posted January 20, 2023

Mmmm, this is worth trying:

Quote:
apt install policycoreutils selinux-basics selinux-policy-default auditd
selinux-activate
vi /boot/armbianEnv.txt
# add a line:
extraargs=selinux=1 security=selinux
# this is needed with stock config where security is unset and SELinux is disabled by default

doff
Posted January 22, 2023

Tested on Odroid XU4 with Armbian bullseye:

# uname -a
Linux thor 5.4.225-odroidxu4 #22.11.1 SMP PREEMPT Wed Nov 30 10:55:16 UTC 2022 armv7l GNU/Linux

# cat /etc/armbian-release
# PLEASE DO NOT EDIT THIS FILE
BOARD=odroidxu4
BOARD_NAME="Odroid XU4"
BOARDFAMILY=odroidxu4
BUILD_REPOSITORY_URL=https://github.com/armbian/build
BUILD_REPOSITORY_COMMIT=84940abbbe3d
VERSION=22.11.1
LINUXFAMILY=odroidxu4
ARCH=arm
IMAGE_TYPE=stable
BOARD_TYPE=conf
INITRD_ARCH=arm
KERNEL_IMAGE_TYPE=Image
BRANCH=current

I've added in /boot/boot.ini

# activate selinux
setenv extraargs "selinux=1 security=selinux"

before the line

# final boot args
setenv bootargs "${bootrootfs} ${videoconfig} smsc95xx.macaddr=${macaddr} governor=${governor} ${hdmi_phy_control} usb-storage.quirks=${usbstoragequirks} ${extraargs}"

and rebooted. After reboot:

root~# getenforce
Permissive
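
The settings discussed across the posts above (kernel config, boot arguments, /etc/selinux/config) can be checked together. The script below is an added example, not part of any post in the thread. The function names are hypothetical, the demo input is constructed, and it assumes only selinux=, security= and enforcing= matter on the command line (lsm= and CONFIG_LSM ordering are not parsed).

```shell
#!/bin/sh
# Added example (not from the thread): predict the SELinux state from the kernel
# config, the kernel command line and /etc/selinux/config. Simplification: lsm=
# and CONFIG_LSM ordering are not parsed, only the settings named in the posts.

# cfg_on FILE SYMBOL: succeeds when SYMBOL=y is set in the kernel config.
cfg_on() { grep -q "^$2=y\$" "$1"; }

# cmdline_val "CMDLINE" KEY: prints the last KEY=value on the command line.
cmdline_val() {
    val=
    for tok in $1; do
        case $tok in "$2"=*) val=${tok#*=} ;; esac
    done
    printf '%s' "$val"
}

# selinux_expect KCONFIG "CMDLINE" SECONF: prints "state: reason".
selinux_expect() {
    cfg_on "$1" CONFIG_SECURITY_SELINUX ||
        { echo "disabled: SELinux is not built into this kernel"; return; }
    [ "$(cmdline_val "$2" selinux)" = 0 ] &&
        { echo "disabled: selinux=0 on the kernel command line"; return; }
    sec=$(cmdline_val "$2" security)
    if [ -n "$sec" ] && [ "$sec" != selinux ]; then
        echo "disabled: security=$sec selects another LSM"; return
    fi
    if [ -z "$sec" ] && ! cfg_on "$1" CONFIG_DEFAULT_SECURITY_SELINUX; then
        echo "disabled: default LSM is not SELinux, boot with security=selinux"; return
    fi
    mode=$(sed -n 's/^SELINUX=//p' "$3" | tail -n 1)
    [ "$mode" = disabled ] && { echo "disabled: SELINUX=disabled in config file"; return; }
    case $(cmdline_val "$2" enforcing) in
        1) echo "enforcing: enforcing=1 on the kernel command line" ;;
        0) echo "permissive: enforcing=0 on the kernel command line" ;;
        *) echo "${mode:-unknown}: SELINUX= setting in config file" ;;
    esac
}

# Constructed demo: config reduced from the thread; SELINUX=permissive is assumed.
demo() {
    d=$(mktemp -d)
    printf '%s\n' CONFIG_SECURITY_SELINUX=y CONFIG_DEFAULT_SECURITY_APPARMOR=y >"$d/k"
    echo SELINUX=permissive >"$d/s"
    selinux_expect "$d/k" "root=/dev/sda1" "$d/s"
    selinux_expect "$d/k" "root=/dev/sda1 selinux=1 security=selinux" "$d/s"
    rm -rf "$d"
}
demo
```

On a live system the equivalent call is `selinux_expect "/boot/config-$(uname -r)" "$(cat /proc/cmdline)" /etc/selinux/config`; the result is a prediction from static settings and does not check whether a policy is actually loaded.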