[yocto] [meta-selinux][PATCH 3/4] selinux-init: Break labeling of /dev out into separate script.
Philip Tricca
flihp at twobit.us
Sun Nov 8 11:00:39 PST 2015
Remove selinux-init package from packagegroup-selinux-minimal.
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
.../packagegroups/packagegroup-core-selinux.bb | 1 +
.../packagegroups/packagegroup-selinux-minimal.bb | 2 +-
.../selinux/selinux-init/selinux-init.sh | 9 --------
recipes-security/selinux/selinux-init_0.1.bb | 2 +-
.../selinux/selinux-labeldev/selinux-labeldev.sh | 24 ++++++++++++++++++++++
recipes-security/selinux/selinux-labeldev_0.1.bb | 16 +++++++++++++++
6 files changed, 43 insertions(+), 11 deletions(-)
create mode 100644 recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
create mode 100644 recipes-security/selinux/selinux-labeldev_0.1.bb
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 472bf55..e46cda7 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -24,6 +24,7 @@ RDEPENDS_${PN} = " \
setools-console \
selinux-config \
selinux-init \
+ selinux-labeldev \
refpolicy-standard \
refpolicy-mls \
coreutils \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 42fb82d..34c5f7c 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -22,6 +22,6 @@ RDEPENDS_${PN} = "\
policycoreutils-sestatus \
policycoreutils-setfiles \
selinux-config \
- selinux-init \
+ selinux-labeldev \
refpolicy-mls \
"
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index f9f0914..32c4de1 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -34,12 +34,6 @@ check_rootfs()
/sbin/shutdown -f -h now
}
-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-
# If /.autorelabel placed, the whole file system should be relabeled
if [ -f /.autorelabel ]; then
echo "Checking SELinux security contexts:"
@@ -65,7 +59,4 @@ if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
/sbin/reboot
fi
-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
exit 0
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index cde142d..87f8dad 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -14,6 +14,6 @@ ${PN}_RDEPENDS = " \
"
SRC_URI = "file://${BPN}.sh"
-SELINUX_SCRIPT_DST = "0${BPN}"
+INITSCRIPT_PARAMS = "start 01 S ."
require selinux-initsh.inc
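Review bot: After this hunk selinux-init.sh no longer labels /dev/console itself (those lines move to selinux-labeldev.sh in this series), so its /.autorelabel and restorecon paths now rely on selinux-labeldev having already run, yet nothing in the recipe records that ordering. `INITSCRIPT_PARAMS = "start 01 S ."` replaces `SELINUX_SCRIPT_DST = "0${BPN}"`, which selinux-labeldev_0.1.bb takes over, and how selinux-initsh.inc orders an INITSCRIPT_PARAMS script relative to a SELINUX_SCRIPT_DST one is not visible here. A comment above the new line, such as `# Must run after selinux-labeldev (SELINUX_SCRIPT_DST), which labels /dev/console so restorecon can use it`, would make the dependency explicit; if the include does not guarantee that order, an explicit ordering constraint belongs here rather than being left implicit.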
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
new file mode 100644
index 0000000..62e7a42
--- /dev/null
+++ b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
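Review bot: The matchpathcon output at `${CHCON} -t \`${MATCHPATHCON} -n /dev/null | cut -d: -f3\` /dev/null` (and the /dev/console line below it) is substituted unquoted and never checked, so when matchpathcon prints nothing or fails, chcon is invoked with an empty type, and its failure, like that of `${RESTORECON} -RF /dev`, is discarded because the script unconditionally ends with `exit 0`. This script is the one that is meant to make /dev/console usable before anything else runs, so a silent failure here leaves every later restorecon with a mislabeled console and no diagnostic, which is exactly the condition the moved comment describes. Factoring the two chcon calls into a helper that checks the computed type and propagates the exit status, and letting restorecon's status decide the script's exit code, keeps the failure visible to the init system.
```sh
# … unchanged: selinuxenabled guard, tool paths and presence loop …

# Label one path with the type matchpathcon reports for it; fail loudly
# if no type can be determined or chcon rejects it.
label_path() {
  ctx_type=$(${MATCHPATHCON} -n "$1" | cut -d: -f3)
  if [ -z "$ctx_type" ]; then
    echo "Cannot determine SELinux type for $1."
    exit 1
  fi
  ${CHCON} -t "$ctx_type" "$1" || exit 1
}

# Because /dev/console is not relabeled by kernel, many commands
# would can not use it, including restorecon.
label_path /dev/null
label_path /dev/console

# Now, we should relabel /dev for most services.
# restorecon's status is the script's exit status.
${RESTORECON} -RF /dev || exit 1

exit 0
```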
diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux/selinux-labeldev_0.1.bb
new file mode 100644
index 0000000..b692bb2
--- /dev/null
+++ b/recipes-security/selinux/selinux-labeldev_0.1.bb
@@ -0,0 +1,16 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "Set SELinux labels for /dev."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+ coreutils \
+ libselinux-bin \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+SELINUX_SCRIPT_DST = "0${BPN}"
+
+require selinux-initsh.inc
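Review bot: `${PN}_RDEPENDS = " \` at the top of the dependency block is not the variable bitbake reads for runtime dependencies; the packagegroup hunks in this same series use `RDEPENDS_${PN}`. Unless selinux-initsh.inc (not shown here) maps ${PN}_RDEPENDS onto RDEPENDS_${PN}, coreutils, libselinux-bin and policycoreutils-setfiles are not pulled into the image, and the new script then exits 1 at boot reporting the missing tool. The same spelling appears in selinux-init_0.1.bb's context lines, so correcting it there as well would be consistent; the line should read `RDEPENDS_${PN} = " \`. Separately, `SUMMARY = "SELinux init script"` is copied verbatim from selinux-init; something like `SUMMARY = "SELinux /dev labeling init script"` would tell the two packages apart in package listings.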
--
2.1.4