3

Issue

I'm running CentOS 7 on a Raspberry Pi 3 (image here: http://buildlogs.centos.org/centos/7/isos/armhfp/CentOS-Userland-7-armv7hl-Minimal-1602-RaspberryPi3.img.xz). I'm attempting to enable SELinux on the Pi. After installing the necessary packages, changing the parameter SELINUX=disabled to SELINUX=permissive, and running:

    touch /.autorelabel
    reboot

all as the root user, I'm still faced with the following output after reboot:

    $ getenforce
    Disabled
    $ sestatus
    SELinux status: disabled

Troubleshooting

I've installed the following packages:

    policycoreutils
    policycoreutils-python
    selinux-policy
    selinux-policy-targeted
    libselinux-utils
    setroubleshoot-server
    setools
    setools-console

The current content of /etc/selinux/config:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of three two values:
    # targeted - Targeted processes are protected,
    # minimum - Modification of targeted policy. Only selected processes are protected.
    # mls - Multi Level Security protection.
    SELINUXTYPE=targeted

I know that bootloaders such as GRUB sometimes disable SELinux in their config files during boot, but I checked the native Raspberry Pi boot configs (/boot/config.txt and /boot/cmdline.txt) and there doesn't seem to be anything that would disable SELinux in those either.

Any help or suggestion is appreciated!


1 Answer

4

SELinux requires kernel support, and the default Raspberry Pi kernel does not include it. You can check the configuration this way:

    sudo modprobe configs
    sudo gunzip -c /proc/config.gz | grep SELINUX

You'll get nothing with the Pi's stock kernel. By contrast, here's the output using the defconfig from a vanilla 4.2.1 source:

    CONFIG_SECURITY_SELINUX=y
    CONFIG_SECURITY_SELINUX_BOOTPARAM=y
    CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
    CONFIG_SECURITY_SELINUX_DISABLE=y
    CONFIG_SECURITY_SELINUX_DEVELOP=y
    CONFIG_SECURITY_SELINUX_AVC_STATS=y
    CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
    # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
    CONFIG_DEFAULT_SECURITY_SELINUX=y

So, you have to configure and build your own kernel. If you are comfortable with that and it seems worthwhile, here's the official Pi kernel source tree.

I recommend cross-compiling it as it will probably take at least an hour (or two...) even on the 3 -- I don't know. If you look up a level in that GitHub repo there is a cross-compiler there under "tools", but for the version used on the Pi 2/3 you can also use the arm-linux-gnueabi cross-compiler that is stock on most current Linux distros (CentOS has a lot less available than most though, so if you use that elsewhere you may have to install a Fedora or similar RPM from rpmfind).

Beware

This is no guarantee that it will actually work on the Pi (just a pretty good bet), so you may want to search around to see if anyone has actually confirmed using it.
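As an added example (not part of the original question or answer), the script below chains the checks discussed on this page in the order that matters: kernel support first, then the kernel command line, then /etc/selinux/config. The function names, verdict strings and the `--live` switch are invented for this illustration; `selinux=0` is the kernel boot parameter that turns SELinux off.

```shell
#!/bin/sh
# Added example: work out why SELinux reports "disabled"; checks take file paths.

# Succeeds if the kernel config (plain or .gz) has SELinux built in.
kernel_has_selinux() {
    case "$1" in
        *.gz) gunzip -c "$1" ;;
        *)    cat "$1" ;;
    esac 2>/dev/null | grep -q '^CONFIG_SECURITY_SELINUX=y$'
}

# Succeeds if the kernel command line carries selinux=0.
cmdline_disables_selinux() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# Prints the SELINUX= mode from an /etc/selinux/config style file.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# diagnose KERNEL_CONFIG CMDLINE SELINUX_CONFIG -> prints one verdict.
diagnose() {
    if [ ! -r "$1" ]; then
        echo "kernel-config-unreadable"   # e.g. "modprobe configs" not run yet
    elif ! kernel_has_selinux "$1"; then
        echo "kernel-lacks-selinux"       # the situation the answer describes
    elif cmdline_disables_selinux "$2"; then
        echo "disabled-on-cmdline"
    elif [ "$(config_mode "$3")" = "disabled" ]; then
        echo "disabled-in-config"
    else
        echo "expected-$(config_mode "$3")"
    fi
}

demo() {  # constructed sample files, not taken from a real system
    d=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_SECURITY_SELINUX is not set' > "$d/kconfig"
    printf '%s\n' 'console=tty1 root=/dev/mmcblk0p3 rootwait' > "$d/cmdline"
    printf '%s\n' '# sample' 'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$d/seconfig"
    diagnose "$d/kconfig" "$d/cmdline" "$d/seconfig"
    rm -rf "$d"
}

# With --live, inspect this machine; otherwise run the constructed demo.
case "${1:-}" in
    --live) diagnose /proc/config.gz /proc/cmdline /etc/selinux/config ;;
    *)      demo ;;
esac
```

A `kernel-lacks-selinux` verdict means no change to /etc/selinux/config or a relabel will help until the kernel is rebuilt with `CONFIG_SECURITY_SELINUX=y`.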
