SELinux (Security-Enhanced Linux) is a kernel security module that enables administrators to define and implement access control policies, which are sets of rules that enable granular control over system resources such as files, networks, and devices. For example, SELinux supports differentiation between user access and application access to protect against both malicious applications and user error.

For more background information on SELinux, see the official project wiki.

Enable SELinux for Digi Embedded Yocto

  1. Verify the meta-selinux layer is cloned and available on your Digi Embedded Yocto install folder. If not, sync the source code to get it:

    $ cd /usr/local/dey-3.2/sources
    $ repo init -b gatesgarth
    $ repo sync -j8 --no-repo-verify
  2. Verify the layer is on your project’s conf/bblayers.conf. If not, add it:

    conf/bblayers.conf
      /usr/local/dey-3.2/sources/meta-selinux \
  3. Add the selinux DISTRO_FEATURE to your project’s conf/local.conf configuration file to enable SELinux:

    conf/local.conf
    DISTRO_FEATURES_append = " selinux"

This triggers all SELinux requirements: kernel configuration changes, userspace package modifications, and the inclusion of SELinux libraries and tools in the filesystem. With this modification, any Digi Embedded Yocto image built with this project will include SELinux support. With SELinux enabled, Digi Embedded Yocto denies any actions that aren’t specifically allowed in the active SELinux policy.

Booting a system with SELinux for the first time automatically launches a file relabeling process. The process takes approximately two minutes and reboots the target when finished.

Customize the SELinux policy

Digi Embedded Yocto modifies the default policy included in the meta-selinux Yocto layer so most of the features available on the ConnectCore 8X are usable out of the box. However, this policy is lenient and meant only for testing purposes. Production scenarios require stricter policies. You can use the unmodified policy provided by meta-selinux as a reference point for tailoring a policy to your needs.

To disable the Digi Embedded Yocto policy modifications and start directly with the meta-selinux policy, add the following line to your project’s conf/local.conf file:

conf/local.conf
DEY_SELINUX_POLICY = "0"
Many Digi Embedded Yocto features such as audio and video playback, standby/resume operations, the Digi APIX library, XWayland desktop environment, and several command line interface utilities do not automatically work when using an unmodified policy. This is expected. You must customize the policy so it meets the needs of your specific use case.

Learn more

See the meta-selinux README and FAQ for more information on how to change policy types and enforcement modes.