Porting SELinux on Openmoko

We at Security Engineering Research group (SERG) in IM | Sciences Peshawar has Ported NSA’s SELinux on Openmoko. Below is a rough detail the we (me and shahbaz) did to port SELinux on Openmoko (on Neo Freerunner). 1. Obtaining source code We decided to cross compile the code provided by Willis Vandevanter available at Google Summer of Code.

2. To Enable Auditing:

  • The Device was storing all the messages in buffer. This was corrected by modify the file /etc/syslog.conf. In the entry buffer was replaced with file. And hence the problem was solved.

3. Compiling Libraries:

  • We downloaded the tool chain for openmoko and was setup accordingly. to cross-compile we setuped the environment by running the script provided by tool-chain#/usr/local/openmoko/arm/setup-env 
  • The path was exported to to make available the tools provided by tool-chain.

    #export PATH=$PATHusr/local/openmoko/arm/bin/
  • The following two well known commands were used used to compile

  • libselinux: libselinux was CROSS COMPILED. The problems were with paths. The paths were specified in CFLAGS portion in Makefile by specifying the paths. The Makefile also contain some switches like def, and –z which produced errors, they were removed to solve the errors. The output files libselinux.a, libselinux.so and libselinux.so.1 were copied to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and the include folder was copied to /usr/local/openmoko/arm/arm-angstrom-linux- gnueabi/usr/include.
  • libsepol: It got the same problems as libselinux. The output files were libsepol.a, libsepol.so and libsepol.so.1 which were copied to /usr/local/openmoko/arm/arm-angstrom-linux- gnueabi/usr/lib and the include folder was copied to /usr/local/openmoko/arm/arm- angstrom-linux-gnueabi/usr/include.
  • libsemanage:It also got the same problems as above libraries. The output files were libsemanage.a, libsemanage.so and libsemanage.so.1 which were copied to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/lib and the include folder was copied to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr/include.
  • Busybox: The commands that were used are:$make menuconfig ARCH=armThen go to Selinux Utilities and enable all enteries. This was done to add additional Applets to busybox to handle SELinux.Busybox provides the following applets for selinux:


    The output file was busybox. This file was then copied to /usr/bin folder of openmoko.

3. Compiling the Kernel:

  • The Kernel was also CROSS COMPILED for the ARM Architecture. The Command is:$make ARCH=arm CROSS_COMPILE=arm-angstrom-linux-gnueabi- 
  • To add support for EXT2 for using SELinux and Xttented attributes support was added to the Kernel by using the following command.$make menuconfig ARCH=arm CROSS_COMPILE=arm-angstrom-linux-gnueabi- 
  • Then in File System menu, the following were enabled. Second extended fs support Ext2 extended attributes Ext2 Security Labels Ext2 execute in place support
    <*>Ext3 journalling file system support Ext3 extended attributes Ext3 Security Labels 
  • Then the Kernel was compiled using the above command. The result was a file called uImage.bin which was copied to the first partition of the SD Card.

4. Flashing Neo Free Runner:

  • The Root FS was flashed using the utility called dfu-util. The ROOT FS was flashed using following steps:
    1. The Neo Free Runner was booted in NOR (AUX+PWR) until the boot menu arrive.
    2. The device was connected to PC via USB cable.
    3. To check whether dfu-util sees your device, run the command:$dfu-util –l 
  • If you get error messages from the dfu-util command then try again. Often it works on the second try. The usage of dfu-util is as following:$dfu-util -a -R -D
    Where: -a:  altsetting: Specify the altsetting of the DFU interface by name or by number -R:  Issue USB Reset signalling once we’re finished -D:  filename: Write firmware from file_name into device
  • Flashing the Kernel: Kernel can be flashed by using simple copy paste command as shown above or it can be done using dfu-util. The command format is:$dfu-util -a kernel -R -D /path/to/uImageWhen flashing succeeds the following will be shown:status(0) = No error condition is present Done!
  • Flashing the Root Filesystem: The Root FS can be downloaded from its website (Given Below).If the file you downloaded is zipped or compressed (has a .gz, bz2, .zip, tar, tar.gz or .tgz extension) you have to uncompress it first. And you can do simple copy paste into SD Card second partition. If the root filesystem is in image in jffs2 format, then you can flash it using the command given below$dfu-util -a rootfs -R -D rootfs_filename.jffs2The flashing process can take up to 15 minutes for a ~70MB image. It is also wise to make sure that your Neo has enough battery charge prior to flashing. When flashing succeeds the following will be shown:status(0) = No error condition is present Done!
  • Alternative Way: An alternative and easy way to flash Neo Free Runner is by using a graphic utility called NEO TOOLS. Its self explainer in use.

5. Copying Compiled Libraries and other files to Device:

  • The compiled libraries and include folder that were copied to /usr/local/openmoko/arm/arm-angstrom-linux-gnueabi/usr and include in previous step, were copied /usr/lib/ and /usr/include/ folder of the device. The files from /selinux-openmoko-read-only/bin were copied to /usr/bin folder of device. Missing files such as setfiles, sestatus and load_policy were provided as soft links from busybox by using the following command:$ln –s busybox setiles$ln –s busybox setstatus

    $ln –s busybox load_policy

6. Adding SELinux FS:

  • To SELinux FS fstab file in /etc/ folder on device and the following lines were added to it

    none /selinux      selinuxfs     noauto 0    0

    After that the folder /selinux was created using the following command.$mkdir /selinuxAnd then mounted using following command

    $mount /selinux

    After that /selinux-openmoko-read-only/targeted/ folder along with its config file was copied to the /etc/selinux folder of device.

  • Reloading and Building the Policy: To build and load the policy the following commands were used in /etc/selinux/targeted folder.
    To install the Policy:
    #make installTo Relabel the File System:
    #make relabel

    To Load The Policy:
    #make load

    To Check whether selinux is running use the following command:

    Also check the /var/log/messages file for selinux entries.

7. Trouble Shooting:

  • Auditing: When you don’t get messages file in /var/log/, this means they are saved in buffer, to fix this error, Go to /etc/syslog.conf and edit it, change the entry of buffer to file.
  • Missing Core Files:When you flush new kernel, the first problem you get is missing core utilities like make, m4 etc. You can download the files from the website (site No. 9).Another way to do is download them directly to your device using opkg. Opkg will download, install and configure your package automatically.The Command to do this is:#opkg install make
    #opkg install m4

    For the above process you will need to set Internet on your device through USB Networking, refer to site link No.11 for USB Networking. Another easy way to do this is by using wifi, setting wifi is easy and self explainer.

  • No selinuxfs: When this problem, it means that you haven’t added selinux support to your kernel, add selinux support to your kernel and then recompile it, for detail see section 3 for detail.
  • Mls and other files missing: When you get this error, it means you haven’t mounted your /selinux filesystem.
  • Setfiles, load_policy files missing:These files are provided by busybox, to set these files make soft links to set them. The following command shows how to do it#ln -s busybox setfiles #ln -s busybox load_policyFor more information, see section 5.
  • Busybox complains about missing applets such as setfiles: This means that you haven’t added selinux support to your busybox. See section 2 for detail.
  • Clock skew: This means that the time of device is different then that of files, to fix this error, correct the date and time on your device.
  • Policy not loading: This problem will occur when you try to load policy from ssh. Try loading policy directly from device.
  • tmp/load error:This means that load_policy doesn’t take a policy file argument anymore (it always loads policy from the standard location and selects the appropriate version). So just modify your Makefile to omit the policy file or run load_policy by hand with no arguments. If your try this from ssh, your terminal will hang up. Try it directly on your device.

8. List of Websites for Openmoko: Sites containing ROOTFS and Kernels: http://downloads.openmoko.org/distro/releases/Om2008.12/ http://downloads.freesmartphone.org/fso-stable/milestone5.1/om-gta02/ http://build.shr-project.org/shr-testing/images/om-gta02/ http://wiki.openmoko.org/wiki/Download http://downloads.openmoko.org/distro/obsoleteimages/Om2008.8/Om2008.8.rootfs.tar.gz http://downloads.openmoko.org/distro/obsolete-images/Om2008.9/Om2008.9.rootfs.tar.gz http://compartida.net/openmoko/FDOM/ Site containing utilities for Openmoko: http://wiki.openmoko.org/wiki/MokoMakefile http://downloads.openmoko.org/repository/Om2008.8/armv4t/ Openmoko Wiki: http://wiki.openmoko.org/wiki/Neo_FreeRunner http://wiki.openmoko.org/wiki/USB_Networking

One thought on “Porting SELinux on Openmoko

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s