Implementation of SELinux on Openmoko
July 22nd, 2010 By alishinwari

This blog post shows how to port SELinux to the OpenMoko Neo Free Runner, building the infrastructure for a mobile platform based on ARMv4t. It is based on Linux kernel 2.6.24 and runs policy version 19 with support for Booleans. Most of the work is cross compilation, which requires a thorough understanding of the infrastructure (the SELinux user-space libraries and policy management binaries).

Requirements

•  Before starting the process below, first read the Openmoko wiki.

•  Ubuntu 9.04 or later as host operating system.

•  Default User will be root. If you are not root then use sudo.

Obtaining User-Space Source code

To port SELinux to Openmoko we need its user-space source code. Download it from Google Code via SVN with the following command:

#svn checkout http://selinux-openmoko.googlecode.com/svn/trunk/ selinux-openmoko-read-only

Tool Chain

You need a tool chain to cross compile the libraries and to set up the environment for cross compilation.

The tool chain's cross compiler compiles the source code on the native machine (x86 in our case) for the target platform (ARM).

Download the tool chain from here.

Extract the archive into the root directory; the files end up in /usr/local/openmoko.

Deployment of a Mandatory Access Control Mechanism on the mobile platform

USB Networking

Here is a quick way to connect your Openmoko to the PC over the USB interface.

1.  Plug-in the USB Cable in both Openmoko and PC.

2.  Open a terminal and type the following commands:

# ifconfig usb0 192.168.0.200 netmask 255.255.255.0 up

# ssh root@192.168.0.202

Press enter if asked for the root password.

This logs you in to the Openmoko as root, and you can issue commands to the Openmoko from this terminal.

Required Libraries

We need libraries and tools on the host system, such as gcc, binutils, bison etc., to compile the SELinux user-space libraries. Whenever something is reported missing, the easiest way to find it is the Synaptic package manager provided by Ubuntu.

Acquiring Kernel and Root File System for Openmoko

•  You need to acquire a kernel and a root file system, which we will flash.

•  Download them from here.

•  The method for flashing the kernel and root file system is given here.

Problem with Auditing

We need the device to store all messages in a file rather than in a buffer. To do this, modify /etc/syslog.conf on the device: replace the entry buffer with file, as shown in the figure below.

Compiling User-Space Libraries

Perform the following steps to cross compile the libraries.

Note: Remove the -Werror switch from the internal makefiles.

Setting the Environment

setup-env is a script that comes with the tool chain; it sets up the environment variables for cross compilation. Run setup-env in /usr/local/openmoko/arm.

Note: Make setup-env executable by setting its execute bit before running it.

Setting Environment Variables

To allow access to the tools provided by the tool chain, set up the environment variables as shown:

#export PATH=$PATH:/usr/local/openmoko/arm/bin

Commands to Compile User Space Libraries

Go to the user-space library source code and type the following commands:

#./configure

#make

Libselinux

Information:

libselinux is the core library, used by all SELinux-aware applications.

Go to the libselinux folder in the user-space source code directory and cross compile it with the commands above. There are a few problems with paths in the Makefile: specify the paths in the CFLAGS section. The Makefile also contains some switches, such as def and -z, which produced errors; remove them to fix the compilation errors. Copy the output files libselinux.a, libselinux.so and libselinux.so.1 to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib, and copy the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include.

[Figure: verbose output of compiling libselinux]

Libsepol

Information:

libsepol is the SELinux user-space library for binary policies; it parses an existing policy together with the current boolean settings and generates a new policy.

Go to the libsepol folder in the user-space source code and run the compilation commands. It has the same problems as libselinux. Copy the output files libsepol.a, libsepol.so and libsepol.so.1 to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include.

Libsemanage

Information:

libsemanage is used to configure SELinux policy: SELinux user mappings, SELinux port mappings, SELinux users, file contexts, network interfaces and MLS/MCS translations. It can reconfigure these elements of the policy without modifying or recompiling the policy.

Go to the libsemanage folder in the user-space source code directory and run the compilation commands.

It has the same problems as the libraries above. Copy the output files libsemanage.a, libsemanage.so and libsemanage.so.1 to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include.

Busybox

Information:

BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc.

Download the busybox source code from its website and extract it. Next we add the SELinux user-space commands and tools to it.

Go to its source code and type the following command:

#make menuconfig

Then go to the SELinux section and enable all entries. This adds the additional applets busybox needs to handle SELinux.

Busybox provides the following applets for SELinux:

•  chcon
•  getenforce
•  getsebool
•  load_policy
•  matchpathcon
•  restorecon
•  runcon
•  selinuxenabled
•  setenforce
•  setfiles
•  setsebool
•  sestatus

Copy the output binary busybox to the /usr/bin folder on the device.

Compiling the Kernel

Download the Openmoko kernel source code from the git repository using the following commands.

#git clone git://git.openmoko.org/git/kernel.git linux-2.6

#cd linux-2.6

#git checkout -b mystable origin/andy-tracking

#mkdir GTA02

#cp arch/arm/configs/gta02-moredrivers-defconfig GTA02/.config

Add support for SELinux and for ext2 (needed for SELinux and extended attributes) to the downloaded kernel using the following command.

#make menuconfig ARCH=arm CROSS_COMPILE=arm-angstrom-linux-gnueabi-

In the Security options menu, enable the following.

[*] NSA SELinux Support
[*] NSA SELinux boot parameter
(0)   NSA SELinux boot parameter default value
[*] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[*] NSA SELinux AVC Statistics
(1)   NSA SELinux checkreqprot default value
[ ] NSA SELinux maximum supported policy format version

Note: Do not enable NSA SELinux maximum supported policy format version; the device may hang.

[Figure: the Security options screen with SELinux enabled]

Then in the File systems menu, enable the following.

<M> Second extended fs support
      Ext2 extended attributes
      Ext2 Security Labels
      Ext2 execute in place support
<*> Ext3 journalling file system support
      Ext3 extended attributes
      Ext3 Security Labels
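Before starting the slow ARM cross-compile it is worth checking that the saved .config really carries the options selected above, in particular that the policy-version cap the note warns about stayed off. The script below is an added example, not part of the original post: it reads a kernel .config (the post's GTA02/.config) and reports any of the SELinux or ext2/ext3 extended-attribute options that are missing. The Kconfig symbol names are the standard Linux 2.6.24 ones; the function name and the messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# SELinux and ext2/ext3 extended-attribute options selected in menuconfig.
# Kconfig symbol names are the standard Linux 2.6.24 ones.

# Options that must be enabled (=y) for SELinux with labelled ext2/ext3.
REQUIRED_Y="CONFIG_SECURITY CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_BOOTPARAM
CONFIG_SECURITY_SELINUX_DISABLE CONFIG_SECURITY_SELINUX_DEVELOP
CONFIG_SECURITY_SELINUX_AVC_STATS CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY
CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY"

# Option that must stay unset: the post warns that enabling the maximum
# supported policy format version hangs the device.
FORBIDDEN="CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX"

# check_selinux_kconfig <.config>
# Prints every problem found; returns 0 only when the config is acceptable.
check_selinux_kconfig() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    for opt in $REQUIRED_Y; do
        grep -q "^${opt}=y$" "$cfg" || { echo "missing: ${opt}=y"; rc=1; }
    done
    for opt in $FORBIDDEN; do
        grep -q "^${opt}=" "$cfg" && { echo "must stay unset: ${opt}"; rc=1; }
    done
    # With the boot-parameter default at 0 (as chosen above) SELinux stays off
    # unless selinux=1 is passed on the kernel command line; remind the reader.
    grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0$' "$cfg" &&
        echo "note: boot parameter default is 0, boot with selinux=1 to enable"
    return $rc
}

# Stand-alone use: sh check_kconfig.sh GTA02/.config
if [ $# -gt 0 ]; then
    check_selinux_kconfig "$1"
fi
```

Run it against GTA02/.config after saving from menuconfig; a non-zero exit means something must be fixed before `make`. The reminder about selinux=1 matters because with the boot parameter default set to 0 the kernel boots with SELinux disabled unless the command line enables it.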

Cross compile the kernel for the ARM architecture. The command is:

#make

The downloaded source tree contains a script named build. Run it to obtain a binary image file (with a .bin extension) that can be flashed or copied to the device:

#sh build

The result is a file called uImage.bin. Copy it to the first partition of the SD card when booting from SD card, or flash it when using the phone's internal memory.

Flashing the Neo Free Runner:

You need to flash the Neo Free Runner when you want to add a new root filesystem or kernel.

The root FS is flashed with the utility dfu-util. Flash it using the following steps:

1.  Boot the Neo Free Runner in NOR (AUX+PWR).

2.  The boot menu appears.

3.  Connect the device to PC via USB cable.

4.  To check whether dfu-util sees your device, run:

#dfu-util -l

If you get error messages from the dfu-util command then try again. Often it works on the second try.

dfu-util is used as follows:

#dfu-util -a <altsetting> -R -D <file_name>

Where:

-a altsetting: specify the altsetting of the DFU interface by name or by number

-R: issue USB reset signalling once we're finished

-D filename: write firmware from filename into the device

Flashing the Kernel

Flash the kernel with a simple copy as shown above, or with dfu-util. The command format is:

#dfu-util -a kernel -R -D /path/to/uImage

When flashing succeeds the following is shown:

status(0) = No error condition is present

Done!

Flashing the Root Filesystem

Download the root FS from its website. If the file you downloaded is compressed (has a .gz, .bz2, .zip, .tar, .tar.gz or .tgz extension), uncompress it first, then copy it onto the second partition of the SD card. If the root filesystem is an image in jffs2 format, flash it with the command below.

#dfu-util -a rootfs -R -D rootfs_filename.jffs2

The flashing process takes up to 15 minutes for a ~70MB image. It is also wise to make sure that your Neo has enough battery charge before flashing. When flashing succeeds the following is shown:

status(0) = No error condition is present

Done!

Alternative Way

An alternative and easy way to flash the Neo Free Runner is the graphical utility NeoTools.

1.  To use NeoTools, download and install it.

2.  Run it from the command prompt; the following window appears.

[Figure: the main screen of NeoTools]

3.  Click 2 Flash your Neo. The following screen appears.

[Figure: options for what to flash]

4.  Select Root-Filesystem and Kernel as shown and click OK.

5.  Select your root filesystem as shown.

[Figure: selecting the root FS]

6.  Next, select your kernel as shown.

[Figure: selecting the kernel]

7.  The following warning appears; click OK and the writing process starts.

[Figure: warning "Ready to flash"]

Copying Compiled Libraries and other files to Device:

Copy the compiled libraries and the include folder to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr on the PC, then copy the libraries to /usr/lib on the device and the include folder to /usr/include/ on the device.

Copy the files from /selinux-openmoko-read-only/bin to the /usr/bin folder on the device.

Make soft links for the missing files setfiles, sestatus and load_policy to busybox with the following commands:

#ln -s busybox setfiles

#ln -s busybox sestatus

#ln -s busybox load_policy

Adding SELinux FS

Edit the fstab file in /etc/ on the device to add the mountable SELinux filesystem; add the following line to fstab.

none /selinux selinuxfs noauto 0 0

Then create the folder /selinux on the device:

#mkdir /selinux

And mount it:

#mount /selinux

After that, copy the /selinux-openmoko-read-only/targeted/ folder along with its config file to the /etc/selinux folder on the device.
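The symlink, fstab and mount steps above are typed by hand in the post; the script below is an added example (not the post's own code) that does the same device-side preparation idempotently, so it can be re-run after a fresh flash without duplicating the fstab entry or clobbering a real binary that is already in /usr/bin. The fstab line, the /selinux mount point and the applet names are the post's; the function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent device-side setup
# (busybox applet links, selinuxfs entry in /etc/fstab, mounting /selinux).

SELINUXFS_LINE="none /selinux selinuxfs noauto 0 0"

# ensure_fstab_entry <fstab> <mount-point> <line>
# Appends <line> unless a non-comment entry for <mount-point> already exists,
# so running the script twice does not duplicate the entry.
ensure_fstab_entry() {
    fstab="$1"; mnt="$2"; line="$3"
    [ -f "$fstab" ] || : > "$fstab"
    if awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$fstab"; then
        echo "fstab: entry for $mnt already present"
        return 0
    fi
    printf '%s\n' "$line" >> "$fstab"
    echo "fstab: added entry for $mnt"
}

# link_applets <bindir> <applet>...
# Creates <bindir>/<applet> -> busybox for each applet that is not there yet,
# leaving an existing real binary (e.g. a cross-compiled load_policy) alone.
link_applets() {
    bindir="$1"; shift
    [ -e "$bindir/busybox" ] || { echo "no busybox in $bindir"; return 1; }
    for applet in "$@"; do
        if [ -e "$bindir/$applet" ] || [ -L "$bindir/$applet" ]; then
            echo "$applet: already present, not linking"
        else
            ln -s busybox "$bindir/$applet"   # relative link, survives copying /usr/bin
            echo "$applet -> busybox"
        fi
    done
}

# Run with --apply on the device as root; without it nothing is touched.
if [ "$1" = "--apply" ]; then
    link_applets /usr/bin setfiles sestatus load_policy
    ensure_fstab_entry /etc/fstab /selinux "$SELINUXFS_LINE"
    mkdir -p /selinux
    grep -q ' /selinux ' /proc/mounts || mount /selinux
    # selinuxfs reports the highest policy version this kernel accepts; the
    # policy built later must not be newer than it (the post uses version 19).
    echo "kernel policy version: $(cat /selinux/policyvers)"
fi
```

Printing /selinux/policyvers right after the mount is the quickest way to confirm that the kernel built in the previous section really has SELinux compiled in and that the version-19 policy shipped in the targeted/ folder will be accepted by it.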

Reloading and Building the Policy

To build and load the policy, use the following commands in the /etc/selinux/targeted folder.

To install the Policy

#make install

To Relabel the File System

#make relabel

To Load The Policy

#make load

To check whether SELinux is running, use the following command:

#sestatus

Also check the /var/log/messages file for SELinux entries.

Final Snapshots:

The following figures show SELinux enabled on Openmoko.

[Figure: result of the ls -Z command on Openmoko]

[Figure: result of sestatus]

[Figure: snapshot of denials by SELinux]

Trouble Shooting

Auditing:

If there is no messages file in /var/log/, the messages are being kept in a buffer. To fix this, edit /etc/syslog.conf and change the entry buffer to file.

Opkg not working

If opkg does not download the appropriate file:

Internet access is not configured on your Openmoko. Use the graphical interface to configure wifi, or follow the Openmoko wiki to configure a wired network; you can also use the following script to set up the wired network between your PC and the Openmoko.

#!/bin/sh
# Route the Openmoko's USB address (192.168.0.202, as used earlier) over usb0
/sbin/route add -host 192.168.0.202/32 dev usb0
# Masquerade traffic from the usb0 subnet so the device can reach the Internet through the PC
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -P FORWARD ACCEPT
sysctl -w net.ipv4.ip_forward=1
# Give the device the PC's DNS configuration
scp /etc/resolv.conf root@192.168.0.202:/etc/resolv.conf

Adjust it as required for your network.

If opkg returns signature failure:

You can safely ignore this error, but don't forget to set up Internet access on the Openmoko.

If opkg does not find your file in the repository, you can give opkg the exact URL and it will install and configure the package by itself, as in the example below.

opkg install http://downloads.openmoko.org/repository/Om2008.8/armv4t/pidgin_2.5.1-r0_armv4t.opk

Missing Core Files

When you flash a new kernel, the first problem you hit is missing core utilities such as make, m4 etc. You can download the files from here.

Another way is to download them directly onto the device with opkg, which downloads, installs and configures the package automatically. The commands are:

#opkg install make

#opkg install m4

No selinuxfs

When you get this problem, it means you have not added SELinux support to your kernel. Add SELinux support and recompile the kernel; see section 3 (Compiling the Kernel) for details.

Mls and other files missing

When you get this error, it means you have not mounted your /selinux filesystem.

Setfiles, load_policy files missing

These files are provided by busybox; create soft links to busybox for them. The following commands show how:

ln -s busybox setfiles

ln -s busybox load_policy

Busybox complains about missing applets such as setfiles

This means that you have not added SELinux support to your busybox. See section 2 (Busybox) for details.

Clock skew

This means that the time on the device differs from the timestamps of the files. To fix this error, correct the date and time on your device.

Policy not loading

This problem occurs when you try to load the policy over ssh. Load the policy directly on the device instead.

tmp/load error

This means that load_policy no longer takes a policy file argument (it always loads the policy from the standard location and selects the appropriate version). Modify your Makefile to omit the policy file, or run load_policy by hand with no arguments. If you try this over ssh, your terminal will hang; do it directly on the device.

1 Response to "Implementation of SELinux on Openmoko"
Shahbaz
July 23rd, 2010

This has been updated to 2.6.32 recently and the IMA code has also been used along.
