[yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

Yi Zhao yi.zhao at windriver.com
Thu Sep 5 20:31:46 PDT 2019


On 9/5/19 7:57 PM, Joe MacDonald wrote:
> [[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
>
>> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
>> when first boot with bootparams="selinux=1 enforcing=1". At first boot,
>> all files are unlabeled including /sbin/fixfiles. The relabel operation
>> is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
>> to ensure the enforcing mode is disabled before relabel.
> Did you try this with '/usr/sbin/setenforce 0' instead?  The rationale
> makes sense but going straight at sysfs like that isn't the right
> approach intuitively.  If that's not working, please just include a bit
> of an explanation for why this is the best option.

It also works with setenforce.

I referred to the selinux-autorelabel script on Fedora 30; it uses `echo 
"0" > /sys/fs/selinux/enforce` to disable enforcing mode:

cat /usr/libexec/selinux/selinux-autorelabel

[snip]
relabel_selinux() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    . /etc/selinux/config
    echo "0" > /sys/fs/selinux/enforce
    [ -x /bin/plymouth ] && plymouth --quit
[snip]


//Yi


>
> Thanks.
> -J.
>
>> Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
>> ---
>>   recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
>> index 154dad1..cb40971 100644
>> --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
>> +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
>> @@ -13,6 +13,7 @@ fi
>>   # If /.autorelabel placed, the whole file system should be relabeled
>>   if [ -f /.autorelabel ]; then
>>   	echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
>> +	echo "0" > /sys/fs/selinux/enforce
>>   	${FIXFILES} -F -f relabel
>>   	/bin/rm -f /.autorelabel
>>   	echo " * Relabel done, rebooting the system."
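Review bot: the write to /sys/fs/selinux/enforce added before `${FIXFILES} -F -f relabel` is unchecked, so if it fails (for example because /sys/fs/selinux is not mounted at that point, or the kernel refuses the switch) the script carries on into the relabel while still enforcing, which is exactly the case the commit message says is not permitted, and then removes /.autorelabel as if the relabel had succeeded. Consider testing the result and stopping with a message, e.g. `echo "0" > /sys/fs/selinux/enforce || { echo "SELinux: cannot disable enforcing mode, skipping relabel"; exit 1; }`, or reading the value back before calling fixfiles. A short comment in the script (and in the commit message) on why the sysfs write is preferred over setenforce would also answer the question raised in review.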
>> -- 
>> 2.7.4
>>
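A guarded version of the "switch to permissive, then relabel" step discussed in this thread, as an added example and not code from the patch or from meta-selinux: the selinuxfs directory, the root directory and the fixfiles command are parameters (an assumption made here so the logic can be exercised against a constructed directory instead of the real /sys/fs/selinux), and the relabel is skipped, with the marker file kept, whenever enforcing mode could not actually be left.

```shell
#!/bin/sh
# Added example, not part of the meta-selinux patch. Paths are parameters
# (assumption) so the functions can be exercised outside a SELinux boot.
set -u

# set_permissive SELINUXFS_DIR
# Returns 0 when SELINUXFS_DIR/enforce reads 0 afterwards, 1 when selinuxfs
# is not mounted there, 2 when the write failed or did not take effect.
set_permissive() {
    fs="$1"
    enforce="$fs/enforce"
    if [ ! -f "$enforce" ]; then
        echo "SELinux: $fs not mounted, cannot change enforcing mode" >&2
        return 1
    fi
    if [ "$(cat "$enforce")" = "0" ]; then
        return 0            # already permissive, nothing to do
    fi
    # Same mechanism as the patch and the Fedora script, but checked.
    if ! echo 0 > "$enforce" 2>/dev/null; then
        echo "SELinux: failed to write $enforce" >&2
        return 2
    fi
    # Read back: the kernel may refuse to leave enforcing mode.
    if [ "$(cat "$enforce")" != "0" ]; then
        echo "SELinux: kernel refused to leave enforcing mode" >&2
        return 2
    fi
    return 0
}

# relabel_if_requested ROOT_DIR SELINUXFS_DIR FIXFILES_CMD
# Mirrors the /.autorelabel flow of the patch: only relabel once the
# switch to permissive is confirmed; otherwise keep the marker for retry.
relabel_if_requested() {
    root="$1"; fs="$2"; fixfiles="$3"
    [ -f "$root/.autorelabel" ] || return 0
    echo "SELinux: $root/.autorelabel placed, filesystem will be relabeled..."
    if ! set_permissive "$fs"; then
        echo "SELinux: still enforcing, skipping relabel" >&2
        return 1
    fi
    "$fixfiles" -F -f relabel || return 1
    rm -f "$root/.autorelabel"
    echo " * Relabel done, rebooting the system."
    return 0
}
```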

