Enabling SELinux on the target system needs build-time and run-time configuration changes for the kernel and userspace. Additionally, SELinux requires a policy that defines allowed operations. Gentoo provides a reasonable baseline for all of these changes, but some modifications are required.

First and foremost, the Gentoo SELinux policy is missing several rules that systemd-based systems need. Notably, services that use alternate namespaces will fail to start because the base policy does not grant systemd components the necessary privileges, so these rules have to be added. Similarly, `systemd-journald` needs additional privileges in order to capture all metadata for processes generating syslog messages. Finally, additional rules are necessary to allow systemd to create files and directories prior to launching services.

Besides patching the policy, we also do some hackery to avoid shipping the Python runtime in SELinux-enabled builds. Several SELinux-related packages, including *libselinux* and *policycoreutils*, have dependencies on Python modules for some of their functionality. Unfortunately, the Python build system does NOT properly cross-compile native extension modules, so this functionality is not available on the target system. Fortunately, none of the features provided by these modules are actually needed at runtime, so we can safely ignore them and thus omit the entire Python runtime and all Python programs from the final image.

It is important to note that it is impossible to build an SELinux-enabled image on a host that is itself SELinux-enabled. Operations such as changing file labels are checked against the SELinux policy in the running kernel, and may be denied if the target policy differs significantly from the running policy. The `setfiles` command fails, for example, when run on a Fedora host. As such, building an SELinux-enabled system should be done in a virtual machine using a kernel that does not have a loaded SELinux policy. The `ocivm` script can be used to create a suitable runtime from a container image.
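As an added example (not code from this repository), a minimal stand-in for the rule-derivation step that the Python tooling shipped with *policycoreutils* would normally perform on the build host: it merges AVC denials into candidate `allow` rules for review before they go into the policy patch. The denial records, process names and type names below are constructed for illustration, not captured from a real build.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (illustrative only): a unit setting up a private
# namespace, a capability check, journald reading /proc metadata, and one non-AVC line.
SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.101:12): avc:  denied  { mounton } for  pid=401 comm="(systemd)" path="/run/systemd/unit-root" dev="tmpfs" ino=17 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:13): avc:  denied  { sys_admin } for  pid=401 comm="(systemd)" capability=21 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1700000000.103:14): avc:  denied  { write add_name } for  pid=401 comm="(systemd)" name="unit-root" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.104:15): avc:  denied  { read } for  pid=77 comm="systemd-journal" name="cmdline" dev="proc" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.104:15): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source type, target type, class, perms) for one denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type[:level] security context.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def denials_to_rules(audit_text):
    """Merge denials that share (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC denial (SYSCALL, PATH, ... records)
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # A denial against the process's own context is written as "self".
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    # Review each generated rule and keep only what the service actually needs.
    print("\n".join(denials_to_rules(SAMPLE_AVC)))
```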
## Errors

### SWIOTLB Buffer

```
OF: reserved mem: failed to allocate memory for node … Can not allocate SWIOTLB buffer earlier and can't now provide you with the DMA bounce buffer
```

Ensure `start_x=1` is in `config.txt` and that `start_file` / `fixup_file` are not specified.

### U-Boot: Overwrite Reserved Memory

```
** Reading file would overwrite reserved memory **
```

Set `CONFIG_LMB_MAX_REGIONS=16` in `u-boot/.config`.