README: Add information about running the system

We want to give the users some basic information to be able to run the compiled system with SE Linux enabled, but not in enforcing mode. This will allow a knowledgable user to update the reference policy for their configuration. Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
author: Mark Hatle <mark.hatle@windriver.com> 2017-09-14 12:06:23 -0500
committer: Mark Hatle <mark.hatle@windriver.com> 2017-09-14 16:12:25 -0500
commit: 6733785db6f0034c6f8cbbe54ea4713fa60069b0 (patch)
tree: b373f0712ad3a2deb5e3935de9a537b6711e51a3
parent: 4fefe83c3203c11fadbe43637a3058284b60427b (diff)
download: meta-selinux-6733785db6f0034c6f8cbbe54ea4713fa60069b0.tar.gz
1 files changed, 30 insertions, 0 deletions
diff --git a/README b/README
index f4fadce..35e03f4 100644
--- a/README
+++ b/README
@@ -86,6 +86,36 @@ VIRTUAL-RUNTIME_init_manager = "systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
+Starting up the system
+----------------------
+Most likely the reference policy selected will not just work "out of the box".
+As always, if you update the reference policy to better work with OpenEmbedded
+or Poky configurations, please submit the changes back to the project.
+When using 'core-image-selinux', the system will boot and automatically setup
+the policy by running the "fixfiles -f -F relabel" for you.  This is
+implemented via the 'selinux-autorelabel' recipe.
+The 'core-image-selinux-minimal' does not automatically relabel the system.
+So you must boot using the parameters "selinux=1 enforcing=0", and then
+manually perform the setup.  Running 'fixfiles -f -F relabel' is available
+in this configuration.
+After logging in you can verify selinux is present using:
+$ sestatus
+Output should include:
+SELinux status:                 enabled
+...
+Current mode:                   enforcing
+...
+The above indicates that selinux is currently running, and if you are running
+in an enforcing mode or not.
 License
 -------
author	Mark Hatle <mark.hatle@windriver.com>	2017-09-14 12:06:23 -0500
committer	Mark Hatle <mark.hatle@windriver.com>	2017-09-14 16:12:25 -0500
commit	6733785db6f0034c6f8cbbe54ea4713fa60069b0 (patch)
tree	b373f0712ad3a2deb5e3935de9a537b6711e51a3
parent	4fefe83c3203c11fadbe43637a3058284b60427b (diff)
download	meta-selinux-6733785db6f0034c6f8cbbe54ea4713fa60069b0.tar.gz

diff --git a/README b/README index f4fadce..35e03f4 100644 --- a/README +++ b/README
@@ -86,6 +86,36 @@ VIRTUAL-RUNTIME_init_manager = "systemd"
86	DISTRO_FEATURES_BACKFILL_CONSIDERED = ""	86	DISTRO_FEATURES_BACKFILL_CONSIDERED = ""
87		87
88		88
		89	Starting up the system
		90	----------------------
		91	Most likely the reference policy selected will not just work "out of the box".
		92
		93	As always, if you update the reference policy to better work with OpenEmbedded
		94	or Poky configurations, please submit the changes back to the project.
		95
		96	When using 'core-image-selinux', the system will boot and automatically setup
		97	the policy by running the "fixfiles -f -F relabel" for you. This is
		98	implemented via the 'selinux-autorelabel' recipe.
		99
		100	The 'core-image-selinux-minimal' does not automatically relabel the system.
		101	So you must boot using the parameters "selinux=1 enforcing=0", and then
		102	manually perform the setup. Running 'fixfiles -f -F relabel' is available
		103	in this configuration.
		104
		105	After logging in you can verify selinux is present using:
		106
		107	$ sestatus
		108
		109	Output should include:
		110	SELinux status: enabled
		111	...
		112	Current mode: enforcing
		113	...
		114
		115	The above indicates that selinux is currently running, and if you are running
		116	in an enforcing mode or not.
		117
		118
89	License	119	License
90	-------	120	-------
91		121