Boot loops were being seen when booting with selinux enabled, when the init system in use is systemd. Once logs were retrieved from the failing system the error was found to be
selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct: Read-only file system
selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: Read-only file system
Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code used by selinux-init.sh is unable to handle this. On top of this the system is basically presenting two methods of (re)labelling; using the built in systemd approach via selinux-autorelabel.service *and* the code we have in selinux-init.sh. This can get confusing especially given that most online resources will speak to the systemd approach using selinux-autorelabel.service and /.autorelabel. These changes leave the current approach in place when sysvinit is the init system used, but if systemd is being used we make use of it's internal (re)labelling functionality. Overall the workflow remains the same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw during the (re)labelling procedure).
Signed-off-by: Mark Asselstine <mark.asselst...@windriver.com>
---
 .../selinux/selinux-init/selinux-init.sh | 14 +-------------
 .../selinux/selinux-init/selinux-init.sh.sysvinit | 14 ++++++++++++++
 recipes-security/selinux/selinux-init_0.1.bb | 8 +++++---
 recipes-security/selinux/selinux-initsh.inc | 8 ++++++++
 4 files changed, 28 insertions(+), 16 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index ead4f00..f93d231 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -33,18 +33,6 @@ check_rootfs()
 /sbin/shutdown -f -h now
 }
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * First booting, filesystem will be relabeled..."
- test -x /etc/init.d/auditd && /etc/init.d/auditd start
- ${SETENFORCE} 0
- ${RESTORECON} -RF /
- ${RESTORECON} -F /
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
+# sysvinit firstboot relabel placeholder HERE
 exit 0
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
new file mode 100644
index 0000000..d4f3f71
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ ${SETENFORCE} 0
+ ${RESTORECON} -RF /
+ ${RESTORECON} -F /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index 38b5900..78f571c 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \
 policycoreutils-setfiles \
 "
-SRC_URI = "file://${BPN}.sh \
- file://${BPN}.service \
- "
+SRC_URI = " \
+ file://${BPN}.sh \
+ file://${BPN}.sh.sysvinit \
+ file://${BPN}.service \
+"
 INITSCRIPT_PARAMS = "start 01 S ."
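Review bot: With the first-boot block reduced to the `HERE` placeholder, nothing on the systemd side calls `check_rootfs` any more (the function appears to end in the `/sbin/shutdown -f -h now` / `}` context at the top of the hunk); only the sysvinit snippet still runs it before relabelling, while the systemd relabel driven by /.autorelabel gets no rootfs check at all. If that check matters for the relabel case it should stay in the script ahead of the placeholder, e.g. `check_rootfs` on its own line before `# sysvinit firstboot relabel placeholder HERE`, or the comment should state that systemd's selinux-autorelabel.service is trusted to do the equivalent. The placeholder is also removed by a sed at do_install time, so a reader of the source file cannot tell why it exists; `# Replaced (sysvinit) or dropped (systemd) by selinux-initsh.inc at do_install time` would explain it. check_rootfs itself starts outside the hunk.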
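Review bot: The moved block reboots unconditionally after `${RESTORECON} -RF /` and `${RESTORECON} -F /`, so a restorecon failure of the kind quoted in the commit message still ends in a reboot, and if init is presumably still kernel_t on the next boot the test at the top re-enters the same path, which is a boot loop of the same shape on the sysvinit side. Checking the exit status and halting with a message, `${RESTORECON} -RF / || { echo " * Relabel failed, halting."; /sbin/shutdown -f -h now; }`, turns that into a diagnosable stop. Since the code is being moved anyway, the backticks could become `"$(${SECON} -t --pid 1)"`. The `${SETENFORCE} 0` before relabelling is expected, but it is worth a comment that the system runs permissive from that point until the reboot.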
diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc
index bcdd449..8e31cda 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -17,9 +17,15 @@ inherit update-rc.d systemd
 SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
+FILES_${PN} += "/.autorelabel"
+
 do_install () {
 install -d ${D}${sysconfdir}/init.d/
 install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+ # Insert the relabelling code which is only needed with sysvinit
+ sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+ -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+ ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
 install -d ${D}${systemd_unitdir}/system
 install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
@@ -27,6 +33,8 @@ do_install () {
 if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
 install -d ${D}${bindir}
 install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+ sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+ echo "# first boot relabelling" > ${D}/.autorelabel
 fi
 }
-- 2.21.0 -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
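Review bot: The splice-in sed in the first hunk matches `/HERE/` and `/.*Contents.*sysvinit/`, i.e. any line that merely contains those words, so a later comment or here-doc terminator containing HERE in the init script would have the relabel block inserted after it and then be deleted; anchoring on the full placeholder line, `-e '/^# sysvinit firstboot relabel placeholder HERE$/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit'` with the matching `d` pattern, removes the ambiguity. sed's `r` is also silent when the named file is missing, so if this .inc is ever included by a recipe whose script ships no `.sh.sysvinit`, the placeholder is still deleted and the installed init script quietly carries no relabel code; a `test -f ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit || bbfatal "missing sysvinit relabel snippet"` before the sed would make that a build error instead. The `echo ... > ${D}/.autorelabel` in the second hunk presumably relies on systemd's autorelabel service removing the file after the first boot; a comment saying so would stop anyone who finds /.autorelabel in an image from treating it as stale.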