[yocto] [meta-selinux][PATCH 4/4] selinux-init: Break handling of /.autorelabel out into separate script.
Philip Tricca
flihp at twobit.us
Sun Nov 8 11:00:40 PST 2015
Fixup DESCRIPTION in old selinux-init recipe.
Exclude this autorelabel script from the minimal packagegroup.
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
.../packagegroups/packagegroup-core-selinux.bb | 1 +
.../selinux-autorelabel/selinux-autorelabel.sh | 22 ++++++++++++++++++++++
.../selinux/selinux-autorelabel_0.1.bb | 17 +++++++++++++++++
.../selinux/selinux-init/selinux-init.sh | 14 +-------------
recipes-security/selinux/selinux-init_0.1.bb | 3 ++-
5 files changed, 43 insertions(+), 14 deletions(-)
create mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
create mode 100644 recipes-security/selinux/selinux-autorelabel_0.1.bb
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index e46cda7..a2480a3 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
setools \
setools-console \
selinux-config \
+ selinux-autorelabel \
selinux-init \
selinux-labeldev \
refpolicy-standard \
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100644
index 0000000..154dad1
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+
+if ! test -x ${FIXFILES}; then
+ echo "${FIXFILES} is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+fi
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+ echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${FIXFILES} -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+exit 0
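Review bot: The exit status of `${FIXFILES} -F -f relabel` on the line before the `rm` is ignored, so a failed or partial relabel still deletes /.autorelabel and reboots, losing the marker that would have retried the relabel on the next boot. Change it to `${FIXFILES} -F -f relabel || { echo "SELinux: relabel failed, keeping /.autorelabel" >&2; exit 1; }` so the marker survives and the failure is visible on the console. The moved block also no longer calls check_rootfs before relabeling, which the lines removed from selinux-init.sh in this same patch did (that function shuts the system down when its check fails), and with INITSCRIPT_PARAMS "start 01 S ." the new script runs very early in the boot; whether the root filesystem is writable at that point is not visible here, so it is worth confirming the dropped check is not needed in the new location.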
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb
new file mode 100644
index 0000000..2664863
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
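Review bot: `${PN}_RDEPENDS = " \` on the line after LIC_FILES_CHKSUM is not a variable BitBake consumes; the runtime-dependency variable is `RDEPENDS_${PN}`, as the packagegroup hunk in this same patch spells it. As written the dependency on policycoreutils-setfiles is silently dropped, and on an image without it the script's own guard falls into the `exit 1` "is missing in the system." path at every boot. Change the line to `RDEPENDS_${PN} = " \`. Whether selinux-initsh.inc adds further dependencies is not visible in this patch.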
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index 32c4de1..ead4f00 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -4,12 +4,11 @@
CHCON=/usr/bin/chcon
MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
RESTORECON=/sbin/restorecon
SECON=/usr/bin/secon
SETENFORCE=/usr/sbin/setenforce
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
test -x $i && continue
echo "$i is missing in the system."
echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
@@ -34,17 +33,6 @@ check_rootfs()
/sbin/shutdown -f -h now
}
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * /.autorelabel placed, filesystem will be relabeled..."
- ${FIXFILES} -F -f relabel
- /bin/rm -f /.autorelabel
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
-
# If first booting, the security context type of init would be
# "kernel_t", and the whole file system should be relabeled.
if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index 87f8dad..54932e8 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -1,6 +1,7 @@
SUMMARY = "SELinux init script"
DESCRIPTION = "\
-SELinux start up stuff for Yocto. \
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
"
LICENSE = "MIT"
--
2.1.4