[yocto] [meta-selinux][PATCH 3/4] selinux-init: Break labeling of /dev out into separate script.

Philip Tricca flihp at twobit.us
Sun Nov 8 11:00:39 PST 2015


Remove the selinux-init package from packagegroup-selinux-minimal.

Signed-off-by: Philip Tricca <flihp at twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb     |  1 +
 .../packagegroups/packagegroup-selinux-minimal.bb  |  2 +-
 .../selinux/selinux-init/selinux-init.sh           |  9 --------
 recipes-security/selinux/selinux-init_0.1.bb       |  2 +-
 .../selinux/selinux-labeldev/selinux-labeldev.sh   | 24 ++++++++++++++++++++++
 recipes-security/selinux/selinux-labeldev_0.1.bb   | 16 +++++++++++++++
 6 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
 create mode 100644 recipes-security/selinux/selinux-labeldev_0.1.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 472bf55..e46cda7 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -24,6 +24,7 @@ RDEPENDS_${PN} = " \
 	setools-console \
 	selinux-config \
 	selinux-init \
+	selinux-labeldev \
 	refpolicy-standard \
 	refpolicy-mls \
 	coreutils \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 42fb82d..34c5f7c 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -22,6 +22,6 @@ RDEPENDS_${PN} = "\
 	policycoreutils-sestatus \
 	policycoreutils-setfiles \
 	selinux-config \
-	selinux-init \
+	selinux-labeldev \
 	refpolicy-mls \
 "
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index f9f0914..32c4de1 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -34,12 +34,6 @@ check_rootfs()
 	/sbin/shutdown -f -h now
 }
 
-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 	echo "Checking SELinux security contexts:"
@@ -65,7 +59,4 @@ if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
 	/sbin/reboot
 fi
 
-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
 exit 0
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index cde142d..87f8dad 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -14,6 +14,6 @@ ${PN}_RDEPENDS = " \
 "
 
 SRC_URI = "file://${BPN}.sh"
-SELINUX_SCRIPT_DST = "0${BPN}"
+INITSCRIPT_PARAMS = "start 01 S ."
 
 require selinux-initsh.inc
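Review bot: The start order between selinux-init (now `INITSCRIPT_PARAMS = "start 01 S ."`) and the new selinux-labeldev script (which keeps `SELINUX_SCRIPT_DST = "0${BPN}"`) is left implicit in this hunk. In the old selinux-init.sh the /dev/console relabel ran before the /.autorelabel check precisely because restorecon cannot write to an unlabeled console, so the autorelabel path presumably still depends on selinux-labeldev having run first. How selinux-initsh.inc turns these two variables into boot order is outside this patch, so I cannot confirm which script starts first. A comment next to INITSCRIPT_PARAMS, e.g. `# Must start after selinux-labeldev, which relabels /dev/console before restorecon needs it` (or the opposite, whichever is intended), would record the dependency for the next maintainer.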
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
new file mode 100644
index 0000000..62e7a42
--- /dev/null
+++ b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+done
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
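Review bot: The type passed to `chcon -t` on the two `${MATCHPATHCON} ... | cut -d: -f3` lines is never checked: if matchpathcon prints nothing or fails, chcon receives the device path as its type operand, fails, and the script still runs `${RESTORECON} -RF /dev` and reaches `exit 0`, so the caller never learns that /dev was not labeled; the restorecon line's status is likewise ignored. Capturing the type into a variable and bailing out when it is empty, consistent with the `exit 1` the missing-tool loop already uses, makes the failure visible, and `${RESTORECON} -RF /dev || exit 1` does the same for the recursive relabel. While rewriting the comment, "would can not use it" reads better as "cannot use it", and the diagnostics in the tool-check loop belong on stderr (`>&2`). The quoting of `$i` in `test -x $i` is harmless for these constant paths but is worth tidying while here.
```sh
# Because /dev/console is not relabeled by the kernel, many commands
# cannot use it, including restorecon.
for f in /dev/null /dev/console; do
	t=$(${MATCHPATHCON} -n "$f" | cut -d: -f3)
	if [ -z "$t" ]; then
		echo "cannot determine SELinux type for $f" >&2
		exit 1
	fi
	${CHCON} -t "$t" "$f" || exit 1
done

# Now, we should relabel /dev for most services.
${RESTORECON} -RF /dev || exit 1
```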
diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux/selinux-labeldev_0.1.bb
new file mode 100644
index 0000000..b692bb2
--- /dev/null
+++ b/recipes-security/selinux/selinux-labeldev_0.1.bb
@@ -0,0 +1,16 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "Set SELinux labels for /dev."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    coreutils \
+    libselinux-bin \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+SELINUX_SCRIPT_DST = "0${BPN}"
+
+require selinux-initsh.inc
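Review bot: `SUMMARY = "SELinux init script"` on the first line is the selinux-init recipe's summary carried over unchanged, so both packages now advertise the same summary; `SUMMARY = "SELinux /dev labeling init script"` would match the DESCRIPTION on the following line. The `${PN}_RDEPENDS` list appears to cover the binaries the new script calls (chcon, matchpathcon/selinuxenabled, restorecon), which is worth stating in a comment above it, e.g. `# chcon (coreutils), matchpathcon/selinuxenabled (libselinux-bin), restorecon (policycoreutils-setfiles)`, so the list is not trimmed later without checking the script.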
-- 
2.1.4



