Add runtime dependencies for init script. Signed-off-by: Philip Tricca <fl...@twobit.us> --- .../packagegroups/packagegroup-core-selinux.bb | 1 + .../packagegroups/packagegroup-selinux-minimal.bb | 1 + .../selinux/selinux-config/selinux-init.sh | 71 ---------------------- recipes-security/selinux/selinux-config_0.1.bb | 14 +---- .../selinux/selinux-init/selinux-init.sh | 71 ++++++++++++++++++++++ recipes-security/selinux/selinux-init_0.1.bb | 37 +++++++++++ 6 files changed, 111 insertions(+), 84 deletions(-) delete mode 100644 recipes-security/selinux/selinux-config/selinux-init.sh create mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh create mode 100644 recipes-security/selinux/selinux-init_0.1.bb
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 40b35d1..472bf55 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
 setools \
 setools-console \
 selinux-config \
+ selinux-init \
 refpolicy-standard \
 refpolicy-mls \
 coreutils \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 2ff16f8..42fb82d 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -22,5 +22,6 @@ RDEPENDS_${PN} = "\
 policycoreutils-sestatus \
 policycoreutils-setfiles \
 selinux-config \
+ selinux-init \
 refpolicy-mls \
 "
diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh
deleted file mode 100644
index f9f0914..0000000
--- a/recipes-security/selinux/selinux-config/selinux-init.sh
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/selinuxenabled 2>/dev/null || exit 0
-
-CHCON=/usr/bin/chcon
-MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
-RESTORECON=/sbin/restorecon
-SECON=/usr/bin/secon
-SETENFORCE=/usr/sbin/setenforce
-
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
- test -x $i && continue
- echo "$i is missing in the system."
- echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
- exit 1
-done
-
-check_rootfs()
-{
- ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
- echo ""
- echo "* SELinux requires the root '/' filesystem support extended"
- echo " filesystem attributes (XATTRs). It does not appear that this"
- echo " filesystem has extended attribute support or it is not enabled."
- echo ""
- echo " - To continue using SELinux you will need to enable extended"
- echo " attribute support on the root device."
- echo ""
- echo " - To disable SELinux, please add \"selinux=0\" in the kernel"
- echo " command line."
- echo ""
- echo "* Halting the system now."
- /sbin/shutdown -f -h now
-}
-
-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * /.autorelabel placed, filesystem will be relabeled..."
- ${FIXFILES} -F -f relabel
- /bin/rm -f /.autorelabel
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
-
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * First booting, filesystem will be relabeled..."
- test -x /etc/init.d/auditd && /etc/init.d/auditd start
- ${SETENFORCE} 0
- ${RESTORECON} -RF /
- ${RESTORECON} -F /
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
-
-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
-exit 0
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index f77b490..37fe4b7 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -13,23 +13,11 @@ PR = "r4"
 
 S = "${WORKDIR}"
 
-SRC_URI = "file://selinux-init.sh"
-
-inherit update-rc.d
-
-INITSCRIPT_NAME = "0selinux-init"
-INITSCRIPT_PARAMS = "start 00 S ."
-
-CONFFILES_${PN} += "${sysconfdir}/selinux/config \
- ${sysconfdir}/init.d/0selinux-init \
- "
+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 do_install () {
- install -d ${D}${sysconfdir}/init.d/
- install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
-
 echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
new file mode 100644
index 0000000..f9f0914
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
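Review bot: The package payload of selinux-config changes in this hunk — the init script, its `CONFFILES_${PN}` entry and `inherit update-rc.d` all move out — but `PR = "r4"` (the context line in the hunk header, and this is the file's only hunk) is left as is, so package feeds built from the old revision may not pick up the split; a `PR = "r5"` bump, or whatever the layer's policy is for content changes, is the usual accompaniment. The `do_install` body continues past the end of the hunk.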
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+FIXFILES=/sbin/fixfiles
+RESTORECON=/sbin/restorecon
+SECON=/usr/bin/secon
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+check_rootfs()
+{
+ ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+ echo ""
+ echo "* SELinux requires the root '/' filesystem support extended"
+ echo " filesystem attributes (XATTRs). It does not appear that this"
+ echo " filesystem has extended attribute support or it is not enabled."
+ echo ""
+ echo " - To continue using SELinux you will need to enable extended"
+ echo " attribute support on the root device."
+ echo ""
+ echo " - To disable SELinux, please add \"selinux=0\" in the kernel"
+ echo " command line."
+ echo ""
+ echo "* Halting the system now."
+ /sbin/shutdown -f -h now
+}
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * /.autorelabel placed, filesystem will be relabeled..."
+ ${FIXFILES} -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ ${SETENFORCE} 0
+ ${RESTORECON} -RF /
+ ${RESTORECON} -F /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
new file mode 100644
index 0000000..d8e4944
--- /dev/null
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -0,0 +1,37 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "\
+SELinux start up stuff for Yocto. \
+"
+
+SECTION = "base"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+ coreutils \
+ libselinux-bin \
+ policycoreutils-secon \
+ policycoreutils-setfiles \
+"
+
+S = "${WORKDIR}"
+
+SRC_URI = "file://selinux-init.sh"
+
+inherit update-rc.d
+
+INITSCRIPT_NAME = "0selinux-init"
+INITSCRIPT_PARAMS = "start 00 S ."
+
+CONFFILES_${PN} += "${sysconfdir}/init.d/0selinux-init"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_install () {
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
+}
+
+sysroot_stage_all_append () {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
-- 
2.1.4
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
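Review bot: `check_rootfs` runs `/sbin/shutdown -f -h now` and then simply returns, so when the xattr probe on `/` fails the caller still proceeds to `${FIXFILES} -F -f relabel` or `${SETENFORCE} 0` / `${RESTORECON} -RF /` while the halt is in progress; an `exit 1` right after the shutdown line would keep the relabel from starting on an unsupported root. In the `/.autorelabel` branch, `/bin/rm -f /.autorelabel` runs regardless of the fixfiles exit status, so a relabel that fails partway drops the marker and is not retried on the next boot; gating the removal on success, `${FIXFILES} -F -f relabel && /bin/rm -f /.autorelabel`, preserves the retry. The tool check also uses an unquoted `test -x $i`; `test -x "$i"` is the safer form. The file is moved byte-for-byte (blob f9f0914 on both sides), so these points predate this commit and could be a follow-up.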
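Review bot: `${PN}_RDEPENDS = " \` is not the variable BitBake reads for runtime dependencies; the two packagegroup hunks in this same patch use `RDEPENDS_${PN}`, so as written the list is ignored and the dependencies the commit title adds never reach the package. Change the line to `RDEPENDS_${PN} = " \`. The script also executes `/sbin/fixfiles` and `/usr/sbin/matchpathcon`, and it is not obvious from the four packages listed which one provides them — worth confirming, since the script refuses to run when any of its tools is missing. Listing the init script in `CONFFILES_${PN}` also means a locally edited copy survives package upgrades; if the intent is that the shipped script always wins, drop that line.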