This feature isn’t enabled in the current release.
When SELinux is enabled, all system objects, including files, directories, processes, sockets, drivers, and more, are labeled with a security context.
A security context consists of a user, role, type identifier, and optional sensitivity, separated by colons.
For example: user:role:type:sensitivity
Note
User is unrelated to a Linux user, and Type is unrelated to the kind of object it is.
- A set of valid users, roles, and types is defined in the policy.
- Different objects are labeled with the same security context.
- The MAC mechanism of SELinux security policies is implemented using:
- Type enforcement (TE)
- Role-based access control (RBAC)
- Multilevel security (MLS)
- Types enable the policy to specify the allowed operations.
Figure : SELinux process
The following procedures explains how to verify and enable SELinux and modify SELinux modes.
Note
By default, SELinux is disabled to simplify the validation process while working with the SoC and SDK. For commercial use, it’s recommended to enable the SELinux security feature.
Verify and modify SELinux mode
If SELinux is enabled, you may not be allowed to update the anti-rollback protection flag.
- Check the current SELinux configuration of the device (Enforcing or Permissive mode):
- If it’s set to the Enforcing mode, run the
setenforce command to change the mode.
- Connect to the device using SSH.
- Change the SELinux mode by using the following commands.
- To switch the device to Enforcing mode:
- To switch the device to Permissive mode:
- To recheck the current configuration of the device (Enforcing or Permissive mode):
To switch to Enforcing mode (restrictive) or Permissive mode (non-restrictive with logging), follow these steps:
- To enable or disable SELinux:
- To disable SELinux for the build, delete the lines of code. By default, these lines are already removed from the distro section, which results in SELinux being disabled.
- To enable SELinux, add the lines of code as shown in the figure to enable SELinux.
- Use policy version 33.
- To add policies for SELinux, see upstream refpolicy. The following figure shows the steps in a SELinux:
- Check the system status with
getenforce on target. This command returns one of the three values:
- Enforcing
- Permissive
- Disabled
- To change the mode, select a mode at runtime by running
setenforce with a number (this change won’t persist after reboot).
| Command | Result |
|---|
setenforce 1 | Switch to Enforcing mode |
setenforce 0 | Switch to Permissive mode |
- To persist after reboot:
- Connect to the device using SSH. For instructions, see Qualcomm Linux Build Guide.
- Edit SELINUX= to one of the three supported values:
enforcing, permissive, or disabled in /etc/selinux/config.
- Reboot the device using the following command:
- To specify the SELinux mode in the build: Change the
DEFAULT_ENFORCING build flag to one of the three supported values: enforcing, permissive, or disabled.
conf/distro/include/qcom-base.inc
-- DEFAULT_ENFORCING = "permissive"
++ DEFAULT_ENFORCING = "enforcing"
- The SELinux Disabled mode leaves behind many code paths that go through the SELinux framework. These code paths aren’t useful for KPI testing or verifying bugs in the SELinux framework. It also doesn’t allow any more access than Permissive mode.
To disable the feature for testing, remove SELinux from
DISTRO_FEATURES:
conf/distro/include/qcom-base.inc
-- DISTRO_FEATURES:append = " selinux"
Next steps