Cross-compiling SELinux
Refer to the attached resource 《selinux交叉编译-Linux文档类资源-CSDN下载》 (SELinux cross-compilation, a Linux documentation resource on CSDN Download).
After the device has booted, copy the build components into the target filesystem:
cp -afr ./build/audit/bin/* /bin/
cp -afr ./build/audit/etc/* /etc/
cp -afr ./build/audit/include/* /usr/local/include/
cp -afr ./build/audit/lib/* /lib/
cp -afr ./build/audit/libexec/* /usr/libexec/
cp -afr ./build/audit/sbin/* /sbin/
cp -afr ./build/audit/share/* /usr/share/
cp -afr ./build/bzip2/bin/* /bin/
cp -afr ./build/bzip2/include/* /usr/local/include/
cp -afr ./build/bzip2/lib/* /lib/
cp -afr ./build/bzip2/man/* /usr/share/
cp -afr ./build/cap-ng-0.8.3/bin/* /bin/
cp -afr ./build/cap-ng-0.8.3/include/* /usr/local/include/
cp -afr ./build/cap-ng-0.8.3/lib/* /lib/
cp -afr ./build/cap-ng-0.8.3/share/* /usr/share/
cp -afr ./build/db-5.3.28/bin/* /bin/
cp -afr ./build/db-5.3.28/docs/ /usr/share/
cp -afr ./build/db-5.3.28/include/* /usr/local/include/
cp -afr ./build/db-5.3.28/lib/* /lib/
cp -afr ./build/libselinux/include/* /usr/local/include/
cp -afr ./build/libselinux/lib/* /lib/
cp -afr ./build/libselinux/sbin/* /sbin/
cp -afr ./build/libselinux/share/* /usr/share/
cp -afr ./build/libsemanage/bin/* /bin/
cp -afr ./build/libsemanage/etc/* /etc/
cp -afr ./build/libsemanage/include/* /usr/local/include/
cp -afr ./build/libsemanage/lib/* /lib/
cp -afr ./build/libsemanage/libexec/* /usr/libexec/
cp -afr ./build/libsemanage/sbin/* /sbin/
cp -afr ./build/libsemanage/share/* /usr/share/
cp -afr ./build/libsemanage/usr/* /usr/
cp -afr ./build/libsemanage/var/* /var/
cp -afr ./build/openldap-2.6.2/bin/* /bin/
cp -afr ./build/openldap-2.6.2/etc/* /etc/
cp -afr ./build/openldap-2.6.2/include/* /usr/local/include/
cp -afr ./build/openldap-2.6.2/lib/* /lib/
cp -afr ./build/openldap-2.6.2/libexec/* /usr/libexec/
cp -afr ./build/openldap-2.6.2/sbin/* /sbin/
cp -afr ./build/openldap-2.6.2/share/* /usr/share/
cp -afr ./build/openldap-2.6.2/var/* /var/
cp -afr ./build/openssl-master/bin/* /bin/
cp -afr ./build/openssl-master/include/* /usr/local/include/
cp -afr ./build/openssl-master/lib/* /lib/
cp -afr ./build/openssl-master/share/* /usr/share/
mkdir -p /etc/pki/
mkdir -p /etc/ssl/
cp -afr ./build/openssl-master/ssl/ /etc/pki/tls
cd /etc/ssl/
ln -s /etc/pki/tls/certs certs
cp -afr ./build/pcre2/bin/* /bin/
cp -afr ./build/pcre2/include/* /usr/local/include/
cp -afr ./build/pcre2/lib/* /lib/
cp -afr ./build/pcre2/share/* /usr/share/
cp -afr ./build/perl5/bin/* /bin/
cp -afr ./build/perl5/lib/* /lib/
cp -afr ./build/perl5/share/* /usr/share/
cp -afr ./build/selinux/include/* /usr/local/include/
cp -afr ./build/selinux/lib/* /lib/
cp -afr ./build/selinux/sbin/* /sbin/
cp -afr ./build/selinux/share/* /usr/share/
cp -afr ./build/selinux/etc/* /etc/
cp -afr ./build/selinux/libexec/* /usr/libexec/
cp -afr ./build/selinux/bin/* /bin/
cp -afr ./build/selinux/usr/* /usr/
cp -afr ./build/selinux/var/* /var/
cp -afr ./build/sepol-3.4/bin/* /bin/
cp -afr ./build/sepol-3.4/include/* /usr/local/include/
cp -afr ./build/sepol-3.4/lib/* /lib/
cp -afr ./build/sepol-3.4/share/* /usr/share/
# Strip the cross-compiler prefix (aarch64-*) from the installed tool names.
# Run from the root of the target filesystem, since bin/ and sbin/ are relative paths.
# The -name pattern is quoted so the shell does not expand it before find sees it.
bin_aarch64=$(find bin/ -name 'aarch64-*' -type f)
for i in $bin_aarch64
do
mv "$i" bin/"${i##*-}"
done
sbin_aarch64=$(find sbin/ -name 'aarch64-*' -type f)
for i in $sbin_aarch64
do
mv "$i" sbin/"${i##*-}"
done
Embedded environment configuration
Kernel configuration
AUDIT: CONFIG_AUDIT
SECURITY: CONFIG_SECURITYFS, CONFIG_SECURITY_SELINUX, CONFIG_SECURITY_SELINUX_DISABLE, CONFIG_SECURITY_SELINUX_DEVELOP, CONFIG_DEFAULT_SECURITY_SELINUX, CONFIG_DEFAULT_SECURITY="selinux"; disable CONFIG_SECURITY_SELINUX_BOOTPARAM (so that the selinux= boot parameter is no longer needed to enable SELinux)
filesystem: CONFIG_EXT4_FS_SECURITY, CONFIG_EXT2_FS_SECURITY, CONFIG_F2FS_FS_SECURITY
network: CONFIG_SECURITY_NETWORK, CONFIG_NETWORK_SECMARK, CONFIG_IP_NF_SECURITY
Filesystem configuration
This mainly consists of mounting the two pseudo-filesystems:
mount -t selinuxfs nodev /sys/fs/selinux/
mount -t securityfs nodev /sys/kernel/security/
Boot parameter configuration
setenv bootargs 'console=ttyAMA0,9600n8 earlycon=pl011,0x87e028000000 maxcpus=24 rootwait rw coherent_pool=16M default_hugepagesz=2M iommu.passthrough=1 pkt-memory=32M@0 isolcpus=1-22 nohz_full=1-22 rcu_nocbs=1-22 cpuidle.off=1 quiet rsvMemBaseAddr=8M@0x3f8000000 ip=1.1.1.8:1.1.1.1:: audit=1 security=selinux selinux=1'
Add audit=1 security=selinux selinux=1 to the boot parameters; if CONFIG_SECURITY_SELINUX_BOOTPARAM is not enabled, drop selinux=1.
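As an added example (not part of the original post), the following POSIX shell script checks a kernel .config and a bootargs string against the options and boot parameters listed above, including the rule that selinux=1 belongs in bootargs only when CONFIG_SECURITY_SELINUX_BOOTPARAM is on. The sample .config it writes to a temporary file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config and a bootargs
# string against the options and parameters listed on this page. Sample data is constructed.

# Options the page wants built in (=y); BOOTPARAM is handled separately since the page wants it off.
REQUIRED_OPTS="CONFIG_AUDIT CONFIG_SECURITYFS CONFIG_SECURITY_SELINUX CONFIG_SECURITY_NETWORK
CONFIG_NETWORK_SECMARK CONFIG_IP_NF_SECURITY CONFIG_EXT4_FS_SECURITY CONFIG_F2FS_FS_SECURITY"

# check_kconfig <.config>: print each missing option; return 1 if anything is missing.
check_kconfig() {
    cfg=$1; rc=0
    for opt in $REQUIRED_OPTS; do
        grep -q "^$opt=y\$" "$cfg" || { echo "missing: $opt"; rc=1; }
    done
    grep -q '^CONFIG_DEFAULT_SECURITY="selinux"$' "$cfg" \
        || { echo 'missing: CONFIG_DEFAULT_SECURITY="selinux"'; rc=1; }
    return $rc
}

# check_bootargs <bootargs> <.config>: audit=1 and security=selinux are always required;
# selinux=1 is required only if CONFIG_SECURITY_SELINUX_BOOTPARAM=y, otherwise the kernel
# never parses selinux= and the page says to drop it.
check_bootargs() {
    args=" $1 "; cfg=$2; rc=0
    case $args in *" audit=1 "*) ;; *) echo "bootargs: audit=1 missing"; rc=1 ;; esac
    case $args in *" security=selinux "*) ;; *) echo "bootargs: security=selinux missing"; rc=1 ;; esac
    if grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y$' "$cfg"; then
        case $args in *" selinux=1 "*) ;; *) echo "bootargs: selinux=1 required with BOOTPARAM"; rc=1 ;; esac
    else
        case $args in *" selinux="*) echo "bootargs: selinux= has no effect without BOOTPARAM"; rc=1 ;; esac
    fi
    return $rc
}
# Constructed sample .config with BOOTPARAM off, as the page recommends.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
CONFIG_SECURITY_NETWORK=y
CONFIG_NETWORK_SECMARK=y
CONFIG_IP_NF_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_F2FS_FS_SECURITY=y
CONFIG_DEFAULT_SECURITY="selinux"
EOF
check_kconfig "$SAMPLE_CFG" && echo "kconfig: ok"
check_bootargs "console=ttyAMA0,9600n8 audit=1 security=selinux" "$SAMPLE_CFG" && echo "bootargs: ok"
```

Point check_kconfig at the real .config of the target kernel (or a decompressed /proc/config.gz) and check_bootargs at the bootargs string from the U-Boot environment to catch a mismatch before flashing.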