Fixup DESCRIPTION in old selinux-init recipe. Exclude this autorelabel script from the minimal packagegroup.
Signed-off-by: Philip Tricca <fl...@twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb | 1 +
 .../selinux-autorelabel/selinux-autorelabel.sh | 22 ++++++++++++++++++++++
 .../selinux/selinux-autorelabel_0.1.bb | 17 +++++++++++++++++
 .../selinux/selinux-init/selinux-init.sh | 14 +-------------
 recipes-security/selinux/selinux-init_0.1.bb | 3 ++-
 5 files changed, 43 insertions(+), 14 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
 create mode 100644 recipes-security/selinux/selinux-autorelabel_0.1.bb
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index e46cda7..a2480a3 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
 setools \
 setools-console \
 selinux-config \
+ selinux-autorelabel \
 selinux-init \
 selinux-labeldev \
 refpolicy-standard \
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100644
index 0000000..154dad1
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+
+if ! test -x ${FIXFILES}; then
+ echo "${FIXFILES} is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+fi
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+ echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${FIXFILES} -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+exit 0
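Review bot: In selinux-autorelabel.sh the exit status of `${FIXFILES} -F -f relabel` is never checked, so `/.autorelabel` is removed and the system rebooted even when the relabel failed, which can leave a partly or wrongly labelled filesystem with no record that a relabel was requested. Gate the cleanup on success, for example `${FIXFILES} -F -f relabel || { echo "SELinux: relabel failed, /.autorelabel kept" >&2; exit 1; }`, and decide deliberately whether a failed relabel should still reboot. The block this patch removes from selinux-init.sh called `check_rootfs` before relabelling and the new script does not. The body of check_rootfs is outside the diff, so confirm that dropping the check is intended.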
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb
new file mode 100644
index 0000000..2664863
--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index 32c4de1..ead4f00 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -4,12 +4,11 @@
 CHCON=/usr/bin/chcon
 MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
 RESTORECON=/sbin/restorecon
 SECON=/usr/bin/secon
 SETENFORCE=/usr/sbin/setenforce
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
 test -x $i && continue
 echo "$i is missing in the system."
 echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
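Review bot: In selinux-autorelabel_0.1.bb the runtime dependency is assigned to `${PN}_RDEPENDS`, which is not the form BitBake reads for package dependencies; the packagegroup recipe touched by this same patch uses `RDEPENDS_${PN}`. As written, policycoreutils-setfiles is probably not pulled into the image along with this package, and the new init script would then exit 1 at boot if `/sbin/fixfiles` is absent. Change the line to `RDEPENDS_${PN} = " \`. Whether policycoreutils-setfiles is the package that ships /sbin/fixfiles is not visible in this patch and is worth confirming at the same time.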
@@ -34,17 +33,6 @@ check_rootfs()
 /sbin/shutdown -f -h now
 }
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * /.autorelabel placed, filesystem will be relabeled..."
- ${FIXFILES} -F -f relabel
- /bin/rm -f /.autorelabel
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
-
 # If first booting, the security context type of init would be
 # "kernel_t", and the whole file system should be relabeled.
 if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index 87f8dad..54932e8 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -1,6 +1,7 @@
 SUMMARY = "SELinux init script"
 DESCRIPTION = "\
-SELinux start up stuff for Yocto. \
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
 "
 LICENSE = "MIT"
--
2.1.4
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto