Add runtime dependencies for init script.

Signed-off-by: Philip Tricca <fl...@twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb     |  1 +
 .../packagegroups/packagegroup-selinux-minimal.bb  |  1 +
 .../selinux/selinux-config/selinux-init.sh         | 71 ----------------------
 recipes-security/selinux/selinux-config_0.1.bb     | 14 +----
 .../selinux/selinux-init/selinux-init.sh           | 71 ++++++++++++++++++++++
 recipes-security/selinux/selinux-init_0.1.bb       | 37 +++++++++++
 6 files changed, 111 insertions(+), 84 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-config/selinux-init.sh
 create mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh
 create mode 100644 recipes-security/selinux/selinux-init_0.1.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb 
b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 40b35d1..472bf55 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
        setools \
        setools-console \
        selinux-config \
+       selinux-init \
        refpolicy-standard \
        refpolicy-mls \
        coreutils \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb 
b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 2ff16f8..42fb82d 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -22,5 +22,6 @@ RDEPENDS_${PN} = "\
        policycoreutils-sestatus \
        policycoreutils-setfiles \
        selinux-config \
+       selinux-init \
        refpolicy-mls \
 "
diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh 
b/recipes-security/selinux/selinux-config/selinux-init.sh
deleted file mode 100644
index f9f0914..0000000
--- a/recipes-security/selinux/selinux-config/selinux-init.sh
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/selinuxenabled 2>/dev/null || exit 0
-
-CHCON=/usr/bin/chcon
-MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
-RESTORECON=/sbin/restorecon
-SECON=/usr/bin/secon
-SETENFORCE=/usr/sbin/setenforce
-
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} 
${SETENFORCE}; do
-       test -x $i && continue
-       echo "$i is missing in the system."
-       echo "Please add \"selinux=0\" in the kernel command line to disable 
SELinux."
-       exit 1
-done
-
-check_rootfs()
-{
-       ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
-       echo ""
-       echo "* SELinux requires the root '/' filesystem support extended"
-       echo "  filesystem attributes (XATTRs).  It does not appear that this"
-       echo "  filesystem has extended attribute support or it is not enabled."
-       echo ""
-       echo "  - To continue using SELinux you will need to enable extended"
-       echo "    attribute support on the root device."
-       echo ""
-       echo "  - To disable SELinux, please add \"selinux=0\" in the kernel"
-       echo "    command line."
-       echo ""
-       echo "* Halting the system now."
-       /sbin/shutdown -f -h now
-}
-
-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
-       echo "Checking SELinux security contexts:"
-       check_rootfs
-       echo " * /.autorelabel placed, filesystem will be relabeled..."
-       ${FIXFILES} -F -f relabel
-       /bin/rm -f /.autorelabel
-       echo " * Relabel done, rebooting the system."
-       /sbin/reboot
-fi
-
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
-       echo "Checking SELinux security contexts:"
-       check_rootfs
-       echo " * First booting, filesystem will be relabeled..."
-       test -x /etc/init.d/auditd && /etc/init.d/auditd start
-       ${SETENFORCE} 0
-       ${RESTORECON} -RF /
-       ${RESTORECON} -F /
-       echo " * Relabel done, rebooting the system."
-       /sbin/reboot
-fi
-
-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
-exit 0
diff --git a/recipes-security/selinux/selinux-config_0.1.bb 
b/recipes-security/selinux/selinux-config_0.1.bb
index f77b490..37fe4b7 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -13,23 +13,11 @@ PR = "r4"
 
 S = "${WORKDIR}"
 
-SRC_URI = "file://selinux-init.sh"
-
-inherit update-rc.d
-
-INITSCRIPT_NAME = "0selinux-init"
-INITSCRIPT_PARAMS = "start 00 S ."
-
-CONFFILES_${PN} += "${sysconfdir}/selinux/config \
-       ${sysconfdir}/init.d/0selinux-init \
-       "
+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 do_install () {
-       install -d ${D}${sysconfdir}/init.d/
-       install -m 0755 ${WORKDIR}/selinux-init.sh 
${D}${sysconfdir}/init.d/0selinux-init
-
        echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh 
b/recipes-security/selinux/selinux-init/selinux-init.sh
new file mode 100644
index 0000000..f9f0914
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+FIXFILES=/sbin/fixfiles
+RESTORECON=/sbin/restorecon
+SECON=/usr/bin/secon
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} 
${SETENFORCE}; do
+       test -x $i && continue
+       echo "$i is missing in the system."
+       echo "Please add \"selinux=0\" in the kernel command line to disable 
SELinux."
+       exit 1
+done
+
+check_rootfs()
+{
+       ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+       echo ""
+       echo "* SELinux requires the root '/' filesystem support extended"
+       echo "  filesystem attributes (XATTRs).  It does not appear that this"
+       echo "  filesystem has extended attribute support or it is not enabled."
+       echo ""
+       echo "  - To continue using SELinux you will need to enable extended"
+       echo "    attribute support on the root device."
+       echo ""
+       echo "  - To disable SELinux, please add \"selinux=0\" in the kernel"
+       echo "    command line."
+       echo ""
+       echo "* Halting the system now."
+       /sbin/shutdown -f -h now
+}
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+       echo "Checking SELinux security contexts:"
+       check_rootfs
+       echo " * /.autorelabel placed, filesystem will be relabeled..."
+       ${FIXFILES} -F -f relabel
+       /bin/rm -f /.autorelabel
+       echo " * Relabel done, rebooting the system."
+       /sbin/reboot
+fi
+
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+       echo "Checking SELinux security contexts:"
+       check_rootfs
+       echo " * First booting, filesystem will be relabeled..."
+       test -x /etc/init.d/auditd && /etc/init.d/auditd start
+       ${SETENFORCE} 0
+       ${RESTORECON} -RF /
+       ${RESTORECON} -F /
+       echo " * Relabel done, rebooting the system."
+       /sbin/reboot
+fi
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
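Review bot: `check_rootfs` does not stop the script after `/sbin/shutdown -f -h now`. Once shutdown returns, the function returns to its caller, which goes on to run `${FIXFILES} -F -f relabel` or `${RESTORECON} -RF /` on a root filesystem that was just reported as lacking xattr support. Adding `exit 1` directly after the shutdown line would prevent that. The exit status of the relabel commands is also ignored, so `/.autorelabel` is removed and the reboot is issued even when labelling failed, and the first-boot branch stays in `${SETENFORCE} 0` (permissive) if `/sbin/reboot` does not take effect. The script is carried over unchanged from selinux-config, so this behaviour predates the move, but the new recipe is a good place to add status checks and a logged failure path.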
diff --git a/recipes-security/selinux/selinux-init_0.1.bb 
b/recipes-security/selinux/selinux-init_0.1.bb
new file mode 100644
index 0000000..d8e4944
--- /dev/null
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -0,0 +1,37 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "\
+SELinux start up stuff for Yocto. \
+"
+
+SECTION = "base"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    coreutils \
+    libselinux-bin \
+    policycoreutils-secon \
+    policycoreutils-setfiles \
+"
+
+S = "${WORKDIR}"
+
+SRC_URI = "file://selinux-init.sh"
+
+inherit update-rc.d
+
+INITSCRIPT_NAME = "0selinux-init"
+INITSCRIPT_PARAMS = "start 00 S ."
+
+CONFFILES_${PN} += "${sysconfdir}/init.d/0selinux-init"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_install () {
+       install -d ${D}${sysconfdir}/init.d/
+       install -m 0755 ${WORKDIR}/selinux-init.sh 
${D}${sysconfdir}/init.d/0selinux-init
+}
+
+sysroot_stage_all_append () {
+       sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
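Review bot: `${PN}_RDEPENDS` is not the variable BitBake reads for runtime dependencies, so the four packages listed under it are never attached to the package and the commit's stated goal is not met. The packagegroup recipes touched by this same patch use the expected form, so the assignment should read `RDEPENDS_${PN} = " \`. The init script also tests for `/sbin/fixfiles` and exits 1 when it is missing, and none of the listed packages obviously ships that tool. The list probably needs the package that provides fixfiles too, which is worth confirming against the policycoreutils packaging.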
-- 
2.1.4
