[yocto] [meta-selinux][PATCH 4/4] selinux-init: Break handling of /.autorelabel out into separate script.

Philip Tricca flihp at twobit.us
Sun Nov 8 11:00:40 PST 2015


Fixup DESCRIPTION in old selinux-init recipe.
Exclude this autorelabel script from the minimal packagegroup.

Signed-off-by: Philip Tricca <flihp at twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb     |  1 +
 .../selinux-autorelabel/selinux-autorelabel.sh     | 22 ++++++++++++++++++++++
 .../selinux/selinux-autorelabel_0.1.bb             | 17 +++++++++++++++++
 .../selinux/selinux-init/selinux-init.sh           | 14 +-------------
 recipes-security/selinux/selinux-init_0.1.bb       |  3 ++-
 5 files changed, 43 insertions(+), 14 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
 create mode 100644 recipes-security/selinux/selinux-autorelabel_0.1.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index e46cda7..a2480a3 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
 	setools \
 	setools-console \
 	selinux-config \
+	selinux-autorelabel \
 	selinux-init \
 	selinux-labeldev \
 	refpolicy-standard \
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100644
index 0000000..154dad1
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+
+if ! test -x ${FIXFILES}; then
+	echo "${FIXFILES} is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+fi
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+	echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+	${FIXFILES} -F -f relabel
+	/bin/rm -f /.autorelabel
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi
+
+exit 0
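Review bot: The exit status of `${FIXFILES} -F -f relabel` is never checked, so a failed or partial relabel still deletes /.autorelabel and reboots, silently discarding the request and leaving the filesystem mislabeled with no way to notice on the next boot. Guard the flag removal and the reboot on success, e.g. `${FIXFILES} -F -f relabel || { echo "SELinux: relabel failed, keeping /.autorelabel" >&2; exit 1; }`. The block this replaces in selinux-init.sh ran check_rootfs before relabeling and the new script does not; if that check is still wanted ahead of a relabel it has to be reintroduced here, since the recipe's `start 01 S` ordering alone does not show that anything runs it first. Note also that `selinuxenabled 2>/dev/null || exit 0` exits quietly when the binary itself is missing (status 127), so an image without policycoreutils skips relabeling rather than reporting it, unlike the explicit error given for a missing fixfiles.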
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb
new file mode 100644
index 0000000..2664863
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
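Review bot: `${PN}_RDEPENDS` on the runtime-dependency assignment is not the variable BitBake reads; the form used elsewhere in this series (packagegroup-core-selinux.bb, `RDEPENDS_${PN} = ...`) is `RDEPENDS_${PN}`. As written it defines an unused variable and the package records no dependency on policycoreutils-setfiles, so an image can ship this init script without the /sbin/fixfiles it calls and the script will fail at boot with its "missing in the system" message. Change the line to `RDEPENDS_${PN} = " \`.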
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index 32c4de1..ead4f00 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -4,12 +4,11 @@
 
 CHCON=/usr/bin/chcon
 MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
 RESTORECON=/sbin/restorecon
 SECON=/usr/bin/secon
 SETENFORCE=/usr/sbin/setenforce
 
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
 	test -x $i && continue
 	echo "$i is missing in the system."
 	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
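Review bot: Dropping `FIXFILES=/sbin/fixfiles` may leave a dangling reference, because the first-boot branch that relabels when init runs as kernel_t (the `secon -t --pid 1` check visible in the next hunk) is kept and its body lies outside this diff; the diffstat shows no other change to this file. If that body still invokes `${FIXFILES}`, the now-unset variable expands to nothing and the line degrades to `-F -f relabel`, a command-not-found, so the first-boot relabel would silently stop working. Either keep the `FIXFILES` definition and its `test -x` entry in the loop, or have the kernel_t branch delegate to the new selinux-autorelabel script; this cannot be confirmed from the hunk, so please check the rest of selinux-init.sh.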
@@ -34,17 +33,6 @@ check_rootfs()
 	/sbin/shutdown -f -h now
 }
 
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
-	echo "Checking SELinux security contexts:"
-	check_rootfs
-	echo " * /.autorelabel placed, filesystem will be relabeled..."
-	${FIXFILES} -F -f relabel
-	/bin/rm -f /.autorelabel
-	echo " * Relabel done, rebooting the system."
-	/sbin/reboot
-fi
-
 # If first booting, the security context type of init would be
 # "kernel_t", and the whole file system should be relabeled.
 if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index 87f8dad..54932e8 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -1,6 +1,7 @@
 SUMMARY = "SELinux init script"
 DESCRIPTION = "\
-SELinux start up stuff for Yocto. \
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
 "
 
 LICENSE = "MIT"
-- 
2.1.4



