[yocto] [meta-selinux][PATCH 1/4] selinux-config: Separate init script into new recipe.

Philip Tricca flihp at twobit.us
Sun Nov 8 11:00:37 PST 2015


Add runtime dependencies for init script.

Signed-off-by: Philip Tricca <flihp at twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb     |  1 +
 .../packagegroups/packagegroup-selinux-minimal.bb  |  1 +
 .../selinux/selinux-config/selinux-init.sh         | 71 ----------------------
 recipes-security/selinux/selinux-config_0.1.bb     | 14 +----
 .../selinux/selinux-init/selinux-init.sh           | 71 ++++++++++++++++++++++
 recipes-security/selinux/selinux-init_0.1.bb       | 37 +++++++++++
 6 files changed, 111 insertions(+), 84 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-config/selinux-init.sh
 create mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh
 create mode 100644 recipes-security/selinux/selinux-init_0.1.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 40b35d1..472bf55 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
 	setools \
 	setools-console \
 	selinux-config \
+	selinux-init \
 	refpolicy-standard \
 	refpolicy-mls \
 	coreutils \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 2ff16f8..42fb82d 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -22,5 +22,6 @@ RDEPENDS_${PN} = "\
 	policycoreutils-sestatus \
 	policycoreutils-setfiles \
 	selinux-config \
+	selinux-init \
 	refpolicy-mls \
 "
diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh
deleted file mode 100644
index f9f0914..0000000
--- a/recipes-security/selinux/selinux-config/selinux-init.sh
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/selinuxenabled 2>/dev/null || exit 0
-
-CHCON=/usr/bin/chcon
-MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
-RESTORECON=/sbin/restorecon
-SECON=/usr/bin/secon
-SETENFORCE=/usr/sbin/setenforce
-
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
-	test -x $i && continue
-	echo "$i is missing in the system."
-	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
-	exit 1
-done
-
-check_rootfs()
-{
-	${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
-	echo ""
-	echo "* SELinux requires the root '/' filesystem support extended"
-	echo "  filesystem attributes (XATTRs).  It does not appear that this"
-	echo "  filesystem has extended attribute support or it is not enabled."
-	echo ""
-	echo "  - To continue using SELinux you will need to enable extended"
-	echo "    attribute support on the root device."
-	echo ""
-	echo "  - To disable SELinux, please add \"selinux=0\" in the kernel"
-	echo "    command line."
-	echo ""
-	echo "* Halting the system now."
-	/sbin/shutdown -f -h now
-}
-
-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
-	echo "Checking SELinux security contexts:"
-	check_rootfs
-	echo " * /.autorelabel placed, filesystem will be relabeled..."
-	${FIXFILES} -F -f relabel
-	/bin/rm -f /.autorelabel
-	echo " * Relabel done, rebooting the system."
-	/sbin/reboot
-fi
-
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
-	echo "Checking SELinux security contexts:"
-	check_rootfs
-	echo " * First booting, filesystem will be relabeled..."
-	test -x /etc/init.d/auditd && /etc/init.d/auditd start
-	${SETENFORCE} 0
-	${RESTORECON} -RF /
-	${RESTORECON} -F /
-	echo " * Relabel done, rebooting the system."
-	/sbin/reboot
-fi
-
-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
-exit 0
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index f77b490..37fe4b7 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -13,23 +13,11 @@ PR = "r4"
 
 S = "${WORKDIR}"
 
-SRC_URI = "file://selinux-init.sh"
-
-inherit update-rc.d
-
-INITSCRIPT_NAME = "0selinux-init"
-INITSCRIPT_PARAMS = "start 00 S ."
-
-CONFFILES_${PN} += "${sysconfdir}/selinux/config \
-	${sysconfdir}/init.d/0selinux-init \
-	"
+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 do_install () {
-	install -d ${D}${sysconfdir}/init.d/
-	install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
-
 	echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
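Review bot: The packaged output of selinux-config changes here (the `${sysconfdir}/init.d/0selinux-init` file and its CONFFILES entry move out of this package), but `PR = "r4"`, visible in the hunk header context, is left as is; unless this layer relies on a PR server, the revision should be bumped, e.g. `PR = "r5"`, so binary feeds see the changed contents. The do_install body continues past the end of the hunk.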
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
new file mode 100644
index 0000000..f9f0914
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+FIXFILES=/sbin/fixfiles
+RESTORECON=/sbin/restorecon
+SECON=/usr/bin/secon
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+done
+
+check_rootfs()
+{
+	${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+	echo ""
+	echo "* SELinux requires the root '/' filesystem support extended"
+	echo "  filesystem attributes (XATTRs).  It does not appear that this"
+	echo "  filesystem has extended attribute support or it is not enabled."
+	echo ""
+	echo "  - To continue using SELinux you will need to enable extended"
+	echo "    attribute support on the root device."
+	echo ""
+	echo "  - To disable SELinux, please add \"selinux=0\" in the kernel"
+	echo "    command line."
+	echo ""
+	echo "* Halting the system now."
+	/sbin/shutdown -f -h now
+}
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+	echo "Checking SELinux security contexts:"
+	check_rootfs
+	echo " * /.autorelabel placed, filesystem will be relabeled..."
+	${FIXFILES} -F -f relabel
+	/bin/rm -f /.autorelabel
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi
+
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+	echo "Checking SELinux security contexts:"
+	check_rootfs
+	echo " * First booting, filesystem will be relabeled..."
+	test -x /etc/init.d/auditd && /etc/init.d/auditd start
+	${SETENFORCE} 0
+	${RESTORECON} -RF /
+	${RESTORECON} -F /
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
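Review bot: check_rootfs falls through after `/sbin/shutdown -f -h now` on its failure path, so both callers (the `/.autorelabel` branch and the first-boot `kernel_t` branch) continue into `fixfiles`/`restorecon` and then `/sbin/reboot` while the halt is still in progress; the function should end with `exit 1` right after the shutdown call, or return non-zero and have the callers test it. The exit status of `${FIXFILES} -F -f relabel` is also not checked before `/bin/rm -f /.autorelabel` removes the marker and the system reboots, so a failed relabel is silently forgotten; chaining the removal as `${FIXFILES} -F -f relabel && /bin/rm -f /.autorelabel` would keep the marker for the next boot. Finally, the `cut -d: -f3` substitutions feeding `chcon -t` expand to an empty argument if matchpathcon fails, which chcon then rejects with a usage error rather than a message naming the real cause.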
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
new file mode 100644
index 0000000..d8e4944
--- /dev/null
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -0,0 +1,37 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "\
+SELinux start up stuff for Yocto. \
+"
+
+SECTION = "base"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    coreutils \
+    libselinux-bin \
+    policycoreutils-secon \
+    policycoreutils-setfiles \
+"
+
+S = "${WORKDIR}"
+
+SRC_URI = "file://selinux-init.sh"
+
+inherit update-rc.d
+
+INITSCRIPT_NAME = "0selinux-init"
+INITSCRIPT_PARAMS = "start 00 S ."
+
+CONFFILES_${PN} += "${sysconfdir}/init.d/0selinux-init"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_install () {
+	install -d ${D}${sysconfdir}/init.d/
+	install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
+}
+
+sysroot_stage_all_append () {
+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
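Review bot: The runtime dependency assignment `${PN}_RDEPENDS = " \` has the variable name inverted; BitBake reads `RDEPENDS_${PN}`, the form the two packagegroup recipes in this same patch use, so as written the coreutils/libselinux-bin/policycoreutils-* dependencies are never attached to the selinux-init package and the commit message's stated intent is not met. Change the line to `RDEPENDS_${PN} = " \`. The installed script also invokes `/sbin/fixfiles`, which is not obviously provided by any of the listed packages; confirm which policycoreutils sub-package ships it in this layer and add it. The `sysroot_stage_all_append` staging of `${D}${sysconfdir}` into the sysroot looks unnecessary for an init script nothing builds against — presumably carried over from selinux-config; either add a comment stating why it is needed or drop it.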
-- 
2.1.4



