Old 01-28-2022, 01:42 AM   #1
Offline setting an SELinux boolean

I had an issue with an SELinux boolean, allow_ypbind, that is wrongly set at 0 when starting my embedded Linux distro.

I know that at runtime I may run a setsebool command to set it to 1.

I need to configure my Yocto distribution correctly and I may not be able to launch the setsebool command on the fly on my final distribution.

Thus I need to set this SELinux boolean offline (before the first boot): is there any configuration file that I may modify to start with allow_ypbind=1 without the need to manually launch a command at runtime?
Old 01-28-2022, 06:25 AM   #2
I guess you'd have to set the boolean in policy before the policy is compiled and installed to the image because the boolean in your case is actually a build-time tunable.

In OpenWrt the SELinux policy is also "immutable at runtime" due to device constraints. There you would basically do the same and fork the policy, edit the default conditional value, compile and install [1]. There is even an example in the Makefile for this:

However, that SELinux policy is not "refpolicy" based and so even though the main concept applies, the implementation would be different for you.

Alternatively you can, even if you choose not to install `setsebool`, change the boolean value in memory only by using the SELinux apifs directly:

```
root@myguest1:~# cat /sys/fs/selinux/booleans/systemdnspawn_bind_user
0 0root@myguest1:~#
root@myguest1:~# echo 1 > /sys/fs/selinux/booleans/systemdnspawn_bind_user
root@myguest1:~# cat /sys/fs/selinux/booleans/systemdnspawn_bind_user
0 1root@myguest1:~#
root@myguest1:~# echo 1 > /sys/fs/selinux/commit_pending_bools
root@myguest1:~# cat /sys/fs/selinux/booleans/systemdnspawn_bind_user
1 1root@myguest1:~#
```

Note the 0 0, 0 1 and 1 1 values, where the first value is the actual value and the second value is the pending value.
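
The selinuxfs steps from the reply above, wrapped as a script that an init hook could run on an image without `setsebool`. This is an added example, not code from the thread: the function names and the `SELINUXFS` override are assumptions made here, and like the commands above it changes the value in memory only, so it has to run on every boot.

```shell
#!/bin/sh
# Added example: set an SELinux boolean via selinuxfs when setsebool is absent.
# SELINUXFS can be overridden to point at a scratch directory for a dry run
# (an assumption of this example); the kernel mounts it at /sys/fs/selinux.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# Print the active (first) field of a boolean file, which reads
# "<active> <pending>" with no trailing newline.
bool_active() {
    active='' pending=''
    # read returns non-zero at EOF without a newline but still fills the
    # variables, so its status is ignored.
    read -r active pending < "$SELINUXFS/booleans/$1" || true
    printf '%s' "$active"
}

# set_bool NAME VALUE: stage, commit and verify one boolean.
set_bool() {
    name=$1
    value=$2
    file="$SELINUXFS/booleans/$name"
    case $value in
        0|1) ;;
        *) echo "set_bool: value must be 0 or 1" >&2; return 2 ;;
    esac
    # A boolean the loaded policy does not define has no file here.
    if [ ! -e "$file" ]; then
        echo "set_bool: no such boolean: $name" >&2
        return 1
    fi
    # Stage the pending value (second field of the file).
    printf '%s' "$value" > "$file" || return 1
    # Commit every pending value into the running policy.
    printf '1' > "$SELINUXFS/commit_pending_bools" || return 1
    # Confirm the active value changed; a denied or ignored write shows here.
    if [ "$(bool_active "$name")" != "$value" ]; then
        echo "set_bool: $name is still $(bool_active "$name")" >&2
        return 1
    fi
}

# Run as: sh set-bool.sh allow_ypbind 1
if [ "$#" -eq 2 ]; then
    set_bool "$1" "$2"
fi
```

The writing process must be root in a domain the policy allows to set booleans, otherwise the writes are denied and the function returns non-zero.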