SELinuxを有効にすると、一部のデバイスノードにアクセスできなくなります。

SELinuxを有効にすると、一部のデバイスノードにアクセスできなくなります。

カーネルを設定してSELinux機能を有効にしました(変更内容は以下にあります)。

@@ -44,7 +44,10 @@ CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_SYSCTL=y
 # CONFIG_POSIX_MQUEUE is not set
 # CONFIG_FHANDLE is not set
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y

 #
 # IRQ subsystem
@@ -580,7 +583,8 @@ CONFIG_IPV6_TUNNEL=y
 # CONFIG_IPV6_GRE is not set
 # CONFIG_IPV6_MULTIPLE_TABLES is not set
 # CONFIG_IPV6_MROUTE is not set
-# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETLABEL is not set
+CONFIG_NETWORK_SECMARK=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
 CONFIG_NETFILTER=y
 CONFIG_NETFILTER_DEBUG=y
@@ -605,6 +609,7 @@ CONFIG_NETFILTER_XT_MARK=y
 #
 # Xtables targets
 #
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
 CONFIG_NETFILTER_XT_TARGET_DSCP=y
@@ -619,6 +624,7 @@ CONFIG_NETFILTER_XT_TARGET_RATEEST=y
 CONFIG_NETFILTER_XT_TARGET_TEE=y
 # CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
 CONFIG_NETFILTER_XT_TARGET_TRACE=y
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
 CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set

@@ -679,6 +685,7 @@ CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_TARGET_ECN=y
 CONFIG_IP_NF_TARGET_TTL=y
 CONFIG_IP_NF_RAW=y
+# CONFIG_IP_NF_SECURITY is not set
 CONFIG_IP_NF_ARPTABLES=y
 CONFIG_IP_NF_ARPFILTER=y
 CONFIG_IP_NF_ARP_MANGLE=y
@@ -702,6 +709,7 @@ CONFIG_IP6_NF_FILTER=y
 CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_SECURITY is not set
 # CONFIG_IP_DCCP is not set
 # CONFIG_IP_SCTP is not set
 # CONFIG_RDS is not set
@@ -1945,10 +1953,29 @@ CONFIG_KEYS=y
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEYS_DEBUG_PROC_KEYS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
+CONFIG_SECURITY=y
 # CONFIG_SECURITYFS is not set
-CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_DEFAULT_SECURITY=""
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=32768
+CONFIG_SECURITY_SELINUX=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
+CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="selinux"
 CONFIG_CRYPTO=y

 #
@@ -2086,6 +2113,7 @@ CONFIG_CRC32_SLICEBY8=y
 # CONFIG_CRC7 is not set
 # CONFIG_LIBCRC32C is not set
 # CONFIG_CRC8 is not set
+CONFIG_AUDIT_GENERIC=y
 # CONFIG_RANDOM32_SELFTEST is not set
 CONFIG_ZLIB_INFLATE=y
 CONFIG_ZLIB_DEFLATE=y

そして私/etc/selinux/config

bmc@bmc:~/worksapce/katana$ cat source/selinux-src/data/etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=ubuntu

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

新しいカーネルで起動すると、SELinuxが正常にロードされたように見え、無効になります。

[    0.370000] SELinux:  Initializing.
[    0.370000] SELinux:  Starting in permissive mode
[    0.860000] SELinux:  Registering netfilter hooks
[    1.960000] SELinux:  Disabled at runtime.
[    1.960000] SELinux:  Unregistering netfilter hooks
[    2.040000] audit: type=1404 audit(2.030:2): selinux=0 auid=4294967295 ses=4294967295

それでは、問題はSELinuxがオフになっても一部のデバイスノードにアクセスできないのですか/dev/gpio0/dev/bt/dev/sfpga

ただし、他のデバイスノードにアクセスすることは可能です/dev/tty*

関連情報