[yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling

Mark Asselstine mark.asselstine at windriver.com
Fri Sep 6 07:07:51 PDT 2019


On Thursday, September 5, 2019 4:02:11 P.M. EDT Joe MacDonald wrote:
> [Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling] 
On 19.09.05 (Thu 13:55) Mark Asselstine wrote:
> > On Friday, August 23, 2019 2:19:53 P.M. EDT Mark Asselstine wrote:
> > > Boot loops were being seen when booting with selinux enabled, when the
> > > init system in use is systemd. Once logs were retrieved from the
> > > failing system the error was found to be
> > > 
> > > selinux-init.sh[284]: /sbin/restorecon: Could not set context for
> > > /sys/fs/cgroup/cpuacct:  Read-only file system selinux-init.sh[284]:
> > > /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: 
> > > Read-only
> > > file system
> > > 
> > > Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
> > > used by selinux-init.sh is unable to handle this. On top of this the
> > > system is basically presenting two methods of (re)labelling; using the
> > > built in systemd approach via selinux-autorelabel.service *and* the
> > > code we have in selinux-init.sh. This can get confusing especially
> > > given that most online resources will speak to the systemd approach
> > > using selinux-autorelabel.service and /.autorelabel.
> > > 
> > > These changes leave the current approach in place when sysvinit is the
> > > init system used, but if systemd is being used we make use of its
> > > internal (re)labelling functionality. Overall the workflow remains the
> > > same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
> > > during the (re)labelling procedure).
> > > 
> > > Signed-off-by: Mark Asselstine <mark.asselstine at windriver.com>
> > > ---
> > 
> > Joe, any thoughts on this change?
> 
> Not especially, it sounded good to me, seemed to work on a quick test
> for my use-case, and I merged it:
> 
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?id=b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f
> 
> Is there something else I should've considered?  Or did you want it on a
> different branch too?

Nope, nope. I figure I should take git off my resume as I just screwed up and 
so didn't see that it was merged. I see it now. Sorry for the churn, we'll 
have to meetup for a beer for retribution.

MarkA

> 
> -J.
> 
> > MarkA
> > 
> > >  .../selinux/selinux-init/selinux-init.sh           | 14 +-------------
> > >  .../selinux/selinux-init/selinux-init.sh.sysvinit  | 14 ++++++++++++++
> > >  recipes-security/selinux/selinux-init_0.1.bb       |  8 +++++---
> > >  recipes-security/selinux/selinux-initsh.inc        |  8 ++++++++
> > >  4 files changed, 28 insertions(+), 16 deletions(-)
> > >  create mode 100644
> > > 
> > > recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > > 
> > > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh
> > > b/recipes-security/selinux/selinux-init/selinux-init.sh index
> > > ead4f00..f93d231 100644
> > > --- a/recipes-security/selinux/selinux-init/selinux-init.sh
> > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh
> > > @@ -33,18 +33,6 @@ check_rootfs()
> > > 
> > >  	/sbin/shutdown -f -h now
> > >  
> > >  }
> > > 
> > > -# If first booting, the security context type of init would be
> > > -# "kernel_t", and the whole file system should be relabeled.
> > > -if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> > > -	echo "Checking SELinux security contexts:"
> > > -	check_rootfs
> > > -	echo " * First booting, filesystem will be relabeled..."
> > > -	test -x /etc/init.d/auditd && /etc/init.d/auditd start
> > > -	${SETENFORCE} 0
> > > -	${RESTORECON} -RF /
> > > -	${RESTORECON} -F /
> > > -	echo " * Relabel done, rebooting the system."
> > > -	/sbin/reboot
> > > -fi
> > > +# sysvinit firstboot relabel placeholder HERE
> > > 
> > >  exit 0
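Review bot: The placeholder line `+# sysvinit firstboot relabel placeholder HERE` gives no hint that it is a build-time marker rather than a stray comment, and nothing in this file says the recipe rewrites it. Since selinux-initsh.inc keys on the literal `HERE` at end of line, both for splicing in the sysvinit fragment and for deleting the line in the systemd case, the comment could say so while keeping that token last: `# Build-time marker: do_install in selinux-initsh.inc splices selinux-init.sh.sysvinit in at this line (sysvinit) or drops the line (systemd), keyed on the trailing token HERE`. The rest of selinux-init.sh, including check_rootfs and the interpreter line, is outside this hunk.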
> > > 
> > > diff --git
> > > a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > > b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit new
> > > file
> > > mode 100644
> > > index 0000000..d4f3f71
> > > --- /dev/null
> > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > > @@ -0,0 +1,14 @@
> > > +# Contents will be added to selinux-init.sh to support relabelling with
> > > sysvinit +# If first booting, the security context type of init would be
> > > +# "kernel_t", and the whole file system should be relabeled.
> > > +if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> > > +	echo "Checking SELinux security contexts:"
> > > +	check_rootfs
> > > +	echo " * First booting, filesystem will be relabeled..."
> > > +	test -x /etc/init.d/auditd && /etc/init.d/auditd start
> > > +	${SETENFORCE} 0
> > > +	${RESTORECON} -RF /
> > > +	${RESTORECON} -F /
> > > +	echo " * Relabel done, rebooting the system."
> > > +	/sbin/reboot
> > > +fi
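Review bot: Neither `${RESTORECON} -RF /` nor `${SETENFORCE} 0` has its exit status checked, so a relabel that fails partway (the read-only /sys/fs/cgroup case quoted in the commit message is exactly this) still reaches `/sbin/reboot`, init is still `kernel_t` on the next boot, and the sysvinit path keeps the same silent boot loop the patch removes for systemd. A failed relabel should be visible in the log and should not reboot blindly, e.g. `${RESTORECON} -RF / || { echo " * Relabel failed, not rebooting" >&2; exit 1; }`; whether to halt, continue or retry is a maintainer decision, but looping with no diagnostic is the worst outcome, and restorecon's `-e` can exclude mounts that are known to reject labels. The backtick substitution in the `if` would read more clearly as `$(${SECON} -t --pid 1)`. This fragment is spliced into selinux-init.sh, so `check_rootfs`, the tool variables and the interpreter line are outside this hunk.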
> > > diff --git a/recipes-security/selinux/selinux-init_0.1.bb
> > > b/recipes-security/selinux/selinux-init_0.1.bb index 38b5900..78f571c
> > > 100644
> > > --- a/recipes-security/selinux/selinux-init_0.1.bb
> > > +++ b/recipes-security/selinux/selinux-init_0.1.bb
> > > @@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \
> > > 
> > >      policycoreutils-setfiles \
> > >  
> > >  "
> > > 
> > > -SRC_URI = "file://${BPN}.sh \
> > > -		file://${BPN}.service \
> > > -	"
> > > +SRC_URI = " \
> > > +    file://${BPN}.sh \
> > > +    file://${BPN}.sh.sysvinit \
> > > +    file://${BPN}.service \
> > > +"
> > > 
> > >  INITSCRIPT_PARAMS = "start 01 S ."
> > > 
> > > diff --git a/recipes-security/selinux/selinux-initsh.inc
> > > b/recipes-security/selinux/selinux-initsh.inc index bcdd449..8e31cda
> > > 100644
> > > --- a/recipes-security/selinux/selinux-initsh.inc
> > > +++ b/recipes-security/selinux/selinux-initsh.inc
> > > @@ -17,9 +17,15 @@ inherit update-rc.d systemd
> > > 
> > >  SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
> > > 
> > > +FILES_${PN} += "/.autorelabel"
> > > +
> > > 
> > >  do_install () {
> > >  
> > >  	install -d ${D}${sysconfdir}/init.d/
> > >  	install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh
> > > 
> > > ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} +	# Insert the
> > > relabelling
> > > code which is only needed with sysvinit +	sed -i -e '/HERE/r
> > > ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \ +	       -e 
'/.*HERE$/d'
> > > -e
> > > '/.*Contents.*sysvinit/d' \
> > > +	       ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
> > > 
> > >  	install -d ${D}${systemd_unitdir}/system
> > >  	install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service
> > > 
> > > ${D}${systemd_unitdir}/system @@ -27,6 +33,8 @@ do_install () {
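Review bot: The third sed expression `-e '/.*Contents.*sysvinit/d'` does not do what the surrounding comment implies: as far as I know, text appended by the `r` command is copied to the output verbatim at the end of the cycle and is never run through the rest of the script, so the fragment's header line `# Contents will be added to selinux-init.sh ...` lands in the installed init script unchanged while that expression only ever acts on lines of selinux-init.sh itself. Either drop the header from selinux-init.sh.sysvinit together with the no-op expression, or strip it from the fragment before splicing. The `r` address `/HERE/` is also unanchored while the delete uses `/.*HERE$/`; using one anchored address for both, `-e '/ HERE$/r ...'`, keeps them from drifting apart if another line ever contains the word. do_install continues past this hunk.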
> > > 
> > >  	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true',
> > 
> > 'false',
> > 
> > > d)}; then install -d ${D}${bindir}
> > > 
> > >  		install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}$
> > 
> > {bindir}
> > 
> > > +		sed -i -e '/.*HERE$/d' ${D}${bindir}/$
> > 
> > {SELINUX_SCRIPT_SRC}.sh
> > 
> > > +		echo "# first boot relabelling" > ${D}/.autorelabel
> > > 
> > >  	fi
> > >  
> > >  }
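Review bot: The `echo "# first boot relabelling" > ${D}/.autorelabel` line is the whole systemd-side trigger this patch introduces, yet it carries no comment saying what consumes the marker or when it goes away. Suggest `# /.autorelabel makes selinux-autorelabel.service relabel the filesystem on first boot; the service is expected to remove the marker afterwards, so the rootfs must be writable then or the relabel repeats on every boot` — the last clause is my inference from how such markers are cleared and is worth confirming for read-only-rootfs images. The same comment could state that the `sed -i -e '/.*HERE$/d'` on the `${bindir}` copy deliberately leaves that script with no relabel logic of its own.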





