From 6733785db6f0034c6f8cbbe54ea4713fa60069b0 Mon Sep 17 00:00:00 2001
From: Mark Hatle
Date: Thu, 14 Sep 2017 12:06:23 -0500
Subject: README: Add information about running the system

We want to give the users some basic information to be able to run the compiled system with SE Linux enabled, but not in enforcing mode. This will allow a knowledgable user to update the reference policy for their configuration.

Signed-off-by: Mark Hatle
---
 README | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/README b/README
index f4fadce..35e03f4 100644
--- a/README
+++ b/README
@@ -86,6 +86,36 @@ VIRTUAL-RUNTIME_init_manager = "systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
+Starting up the system
+----------------------
+Most likely the reference policy selected will not just work "out of the box".
+
+As always, if you update the reference policy to better work with OpenEmbedded
+or Poky configurations, please submit the changes back to the project.
+
+When using 'core-image-selinux', the system will boot and automatically setup
+the policy by running the "fixfiles -f -F relabel" for you. This is
+implemented via the 'selinux-autorelabel' recipe.
+
+The 'core-image-selinux-minimal' does not automatically relabel the system.
+So you must boot using the parameters "selinux=1 enforcing=0", and then
+manually perform the setup. Running 'fixfiles -f -F relabel' is available
+in this configuration.
+
+After logging in you can verify selinux is present using:
+
+$ sestatus
+
+Output should include:
+SELinux status: enabled
+...
+Current mode: enforcing
+...
+
+The above indicates that selinux is currently running, and if you are running
+in an enforcing mode or not.
+
+
 License
 -------
-- 
cgit v1.2.3-54-g00ecf