document: add FAQ file for selinux

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-09-14 15:46:19 +0800
committer: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-10-18 11:07:44 +0800
commit: ad05ee24950baaf4c97aba374662065361d15908 (patch)
tree: 98c13c57ba9df6674705f07ef14bc03ef8672dce
parent: 72ae0475734c2a4b8d14e2ab817b038cdd0578c6 (diff)
download: meta-selinux-ad05ee24950baaf4c97aba374662065361d15908.tar.gz
1 files changed, 146 insertions, 0 deletions
diff --git a/SELinux-FAQ b/SELinux-FAQ
new file mode 100644
index 0000000..5894626
--- /dev/null
+++ b/SELinux-FAQ
@@ -0,0 +1,146 @@
+                                 SELinux FAQ
+----------------------------------------------------------------------------
+This file contains answers to frequently-asked questions about the SELinux
+feature for Poky.
+Copyright (C) 2012 Wind River Systems, Inc. 
+============================================================================
+Table of Contents
+1. About SELinux
+  * 1.1 What is SELinux?
+  * 1.2 How does this layer do to enable SELinux features? 
+2. Building with SELinux
+  * 2.1 How can I build a SELinux image?
+  * 2.2 How can I add SELinux to my custom images?
+3. Using SELinux
+  * 3.1 How do I turn SELinux off at boot?
+  * 3.2 How do I turn enforcing mode on/off at boot?
+4. Resolving Problems
+  * 4.1 Why I can not login in via ssh in enforcing mode? 
+==============================================================================
+1 - About SELinux
+------------------------------------------------------------------------------
+1.1 - What is SELinux?
+Security-enhanced Linux (SELinux) is a reference implementation of the Flask
+security architecture for flexible mandatory access control. It was created to
+demonstrate the value of flexible mandatory access controls and how such 
+controls could be added to an operating system. 
+1.2 - How does this layer do to enable SELinux features? 
+To enable SELinux features, this layers has done these works:
+   * new DISTRO_FEATURES "selinux" defined
+   * new DISTRO "poky-selinux" defined, with DISTRO_FEATURES += "pam selinux"
+   * config file for Linux kernel to enable SELinux
+   * recipes for SELinux userland libraries and tools
+   * package group (packagegroup-core-selinux) for SELinux userland packages
+   * bbappends for SELinux related recipes to build with SELinux enabled
+   * recipes for SELinux policy modified from refpolicy
+==============================================================================
+2 - Building with SELinux 
+------------------------------------------------------------------------------
+2.1 - How can I build a SELinux image?
+After init Poky build environment, please follow these steps:
+   1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file.
+   2. Set DISTRO="poky-selinux" or add DISTRO_FEATURES_append=" pam selinux"
+      in BUILDDIR/conf/local.conf file.
+   3. Build the default selinux image.
+       $ bitbake core-image-selinux
+2.2 - How can I add SELinux to my custom images?
+If you only want to add SELinux to your custom image, then you should perform
+the following steps:
+   1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file
+   2. Add DISTRO_FEATURES_append=" pam selinux" in BUILDDIR/conf/local.conf 
+      file.
+   3. Add packagegroup-core-selinux to your custom image.
+      For example, if core-image-custom.bb is your building image file, then
+      you should add packagegroup-core-selinux to IMAGE_INSTALL in 
+      core-image-custom.bb.
+   4. Build your custom image in build directory
+       $ bitbake core-image-custom
+==============================================================================
+3 - Using SELinux 
+------------------------------------------------------------------------------
+3.1 - How do I turn SELinux off at boot?
+Set SELINUX=disabled in /etc/selinux/config.
+Alternatively, you can add "selinux=0" to your kernel boot parameters. It is
+not recommended but useful on some testing situations.
+For example, when you are using qemu targets,  
+  $ runqemu qemumips core-image-selinux ext3 nographic bootparams="selinux=0"
+3.2 - How do I turn enforcing mode on/off?
+You can specify the SELinux mode in /etc/selinux/config.
+  # SELINUX= can take one of these three values:
+  #       enforcing - SELinux security policy is enforced.
+  #       permissive - SELinux prints warnings instead of enforcing.
+  #       disabled - No SELinux policy is loaded.
+  SELINUX=enforcing
+Setting "SELINUX" to "enforcing" is the same as adding "enforcing=1" to the 
+kernel boot parameters. While to "permissive" is the same as adding
+"enforcing=0" to the kernel boot parameters.
+However, to "disabled" is not the same as the "selinux=0" kernel boot
+parameter. Rather than fully disabling SELinux in the kernel, the "disabled"
+setting instead turns enforcing off and skips loading a policy.
+==============================================================================
+4 - Resolving Problems
+------------------------------------------------------------------------------
+4.1 - Why I can not login in via ssh in enforcing mode?
+Please check "PermitEmptyPasswords" in /etc/ssh/sshd_config. If it is set to
+"yes", set to "no" then restart sshd. That's because pam_selinux module does 
+not allow sshd to set PermitEmptyPasswords to "yes".
+Note: If both IMAGE_FEATURES debug-tweaks ssh-server-openssh are enabled, this 
+"PermitEmptyPasswords" will be set to "yes" by default for Poky images.
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-09-14 15:46:19 +0800
committer	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-10-18 11:07:44 +0800
commit	ad05ee24950baaf4c97aba374662065361d15908 (patch)
tree	98c13c57ba9df6674705f07ef14bc03ef8672dce
parent	72ae0475734c2a4b8d14e2ab817b038cdd0578c6 (diff)
download	meta-selinux-ad05ee24950baaf4c97aba374662065361d15908.tar.gz

diff --git a/SELinux-FAQ b/SELinux-FAQ new file mode 100644 index 0000000..5894626 --- /dev/null +++ b/SELinux-FAQ
@@ -0,0 +1,146 @@
	1	SELinux FAQ
	2
	3	----------------------------------------------------------------------------
	4
	5	This file contains answers to frequently-asked questions about the SELinux
	6	feature for Poky.
	7
	8	Copyright (C) 2012 Wind River Systems, Inc.
	9
	10	============================================================================
	11
	12	Table of Contents
	13
	14	1. About SELinux
	15	* 1.1 What is SELinux?
	16	* 1.2 How does this layer do to enable SELinux features?
	17
	18	2. Building with SELinux
	19
	20	* 2.1 How can I build a SELinux image?
	21	* 2.2 How can I add SELinux to my custom images?
	22
	23	3. Using SELinux
	24
	25	* 3.1 How do I turn SELinux off at boot?
	26	* 3.2 How do I turn enforcing mode on/off at boot?
	27
	28	4. Resolving Problems
	29
	30	* 4.1 Why I can not login in via ssh in enforcing mode?
	31
	32	==============================================================================
	33
	34	1 - About SELinux
	35
	36	------------------------------------------------------------------------------
	37
	38	1.1 - What is SELinux?
	39
	40	Security-enhanced Linux (SELinux) is a reference implementation of the Flask
	41	security architecture for flexible mandatory access control. It was created to
	42	demonstrate the value of flexible mandatory access controls and how such
	43	controls could be added to an operating system.
	44
	45	1.2 - How does this layer do to enable SELinux features?
	46
	47	To enable SELinux features, this layers has done these works:
	48
	49	* new DISTRO_FEATURES "selinux" defined
	50	* new DISTRO "poky-selinux" defined, with DISTRO_FEATURES += "pam selinux"
	51	* config file for Linux kernel to enable SELinux
	52	* recipes for SELinux userland libraries and tools
	53	* package group (packagegroup-core-selinux) for SELinux userland packages
	54	* bbappends for SELinux related recipes to build with SELinux enabled
	55	* recipes for SELinux policy modified from refpolicy
	56
	57
	58	==============================================================================
	59
	60	2 - Building with SELinux
	61
	62	------------------------------------------------------------------------------
	63
	64	2.1 - How can I build a SELinux image?
	65
	66	After init Poky build environment, please follow these steps:
	67
	68	1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file.
	69
	70	2. Set DISTRO="poky-selinux" or add DISTRO_FEATURES_append=" pam selinux"
	71	in BUILDDIR/conf/local.conf file.
	72
	73	3. Build the default selinux image.
	74
	75	$ bitbake core-image-selinux
	76
	77	2.2 - How can I add SELinux to my custom images?
	78
	79	If you only want to add SELinux to your custom image, then you should perform
	80	the following steps:
	81
	82	1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file
	83
	84	2. Add DISTRO_FEATURES_append=" pam selinux" in BUILDDIR/conf/local.conf
	85	file.
	86
	87	3. Add packagegroup-core-selinux to your custom image.
	88	For example, if core-image-custom.bb is your building image file, then
	89	you should add packagegroup-core-selinux to IMAGE_INSTALL in
	90	core-image-custom.bb.
	91
	92	4. Build your custom image in build directory
	93
	94	$ bitbake core-image-custom
	95
	96
	97
	98	==============================================================================
	99
	100	3 - Using SELinux
	101
	102	------------------------------------------------------------------------------
	103
	104	3.1 - How do I turn SELinux off at boot?
	105
	106	Set SELINUX=disabled in /etc/selinux/config.
	107
	108	Alternatively, you can add "selinux=0" to your kernel boot parameters. It is
	109	not recommended but useful on some testing situations.
	110	For example, when you are using qemu targets,
	111
	112	$ runqemu qemumips core-image-selinux ext3 nographic bootparams="selinux=0"
	113
	114	3.2 - How do I turn enforcing mode on/off?
	115
	116	You can specify the SELinux mode in /etc/selinux/config.
	117
	118	# SELINUX= can take one of these three values:
	119	# enforcing - SELinux security policy is enforced.
	120	# permissive - SELinux prints warnings instead of enforcing.
	121	# disabled - No SELinux policy is loaded.
	122	SELINUX=enforcing
	123
	124	Setting "SELINUX" to "enforcing" is the same as adding "enforcing=1" to the
	125	kernel boot parameters. While to "permissive" is the same as adding
	126	"enforcing=0" to the kernel boot parameters.
	127	However, to "disabled" is not the same as the "selinux=0" kernel boot
	128	parameter. Rather than fully disabling SELinux in the kernel, the "disabled"
	129	setting instead turns enforcing off and skips loading a policy.
	130
	131	==============================================================================
	132
	133	4 - Resolving Problems
	134
	135	------------------------------------------------------------------------------
	136
	137	4.1 - Why I can not login in via ssh in enforcing mode?
	138
	139	Please check "PermitEmptyPasswords" in /etc/ssh/sshd_config. If it is set to
	140	"yes", set to "no" then restart sshd. That's because pam_selinux module does
	141	not allow sshd to set PermitEmptyPasswords to "yes".
	142
	143	Note: If both IMAGE_FEATURES debug-tweaks ssh-server-openssh are enabled, this
	144	"PermitEmptyPasswords" will be set to "yes" by default for Poky images.
	145
	146