[yocto] [meta-selinux][PATCH 0/4] Reorganize SELinux early boot scripts.

Philip Tricca flihp at twobit.us
Sun Nov 8 11:00:36 PST 2015 

With file system labeling support in the build now the init script in the
selinux-config recipe has a lot of unnecessary checks / fixes. This patch
set factors this script out into 3 new recipes:

selinux-labeldev: The first init script that a system needs to run in order
to get devices nodes labeled properly.
selinux-autorelabel: A boot script to detect the existance of the
/.autorelabel file and relabel the file system accordingly.
selinux-init: The remaining functionality. This is effectively a debugging
script that detects system misconfiguration at boot time.

Some of the bonus features I've added: 
Proper use of RDEPENDS in the recipes for dependency tracking.
Packagegroups have been updated. core-selinux group is kept the same
and the minimal system package group has only thge labeldev script which
is all that's needed to boot.

Philip Tricca (4):
  selinux-config: Separate init script into new recipe.
  selinux-init: Move script logic into include.
  selinux-init: Break labeling of /dev out into separate script.
  selinux-init: Break handling of /.autorelabel out into separate
    script.

 .../packagegroups/packagegroup-core-selinux.bb     |  3 +
 .../packagegroups/packagegroup-selinux-minimal.bb  |  1 +
 .../selinux-autorelabel/selinux-autorelabel.sh     | 22 +++++++
 .../selinux/selinux-autorelabel_0.1.bb             | 17 ++++++
 .../selinux/selinux-config/selinux-init.sh         | 71 ----------------------
 recipes-security/selinux/selinux-config_0.1.bb     | 14 +----
 .../selinux/selinux-init/selinux-init.sh           | 50 +++++++++++++++
 recipes-security/selinux/selinux-init_0.1.bb       | 20 ++++++
 recipes-security/selinux/selinux-initsh.inc        | 25 ++++++++
 .../selinux/selinux-labeldev/selinux-labeldev.sh   | 24 ++++++++
 recipes-security/selinux/selinux-labeldev_0.1.bb   | 16 +++++
 11 files changed, 179 insertions(+), 84 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
 create mode 100644 recipes-security/selinux/selinux-autorelabel_0.1.bb
 delete mode 100644 recipes-security/selinux/selinux-config/selinux-init.sh
 create mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh
 create mode 100644 recipes-security/selinux/selinux-init_0.1.bb
 create mode 100644 recipes-security/selinux/selinux-initsh.inc
 create mode 100644 recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
 create mode 100644 recipes-security/selinux/selinux-labeldev_0.1.bb

-- 
2.1.4

More information about the yocto mailing list