[Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling] On 19.09.05 (Thu 13:55) Mark Asselstine wrote:
> On Friday, August 23, 2019 2:19:53 P.M. EDT Mark Asselstine wrote:
> > Boot loops were being seen when booting with selinux enabled, when the
> > init system in use is systemd. Once logs were retrieved from the
> > failing system the error was found to be
> >
> > selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct: Read-only file system
> > selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: Read-only file system
> >
> > Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
> > used by selinux-init.sh is unable to handle this. On top of this the
> > system is basically presenting two methods of (re)labelling; using the
> > built in systemd approach via selinux-autorelabel.service *and* the
> > code we have in selinux-init.sh. This can get confusing especially
> > given that most online resources will speak to the systemd approach
> > using selinux-autorelabel.service and /.autorelabel.
> >
> > These changes leave the current approach in place when sysvinit is the
> > init system used, but if systemd is being used we make use of its
> > internal (re)labelling functionality. Overall the workflow remains the
> > same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
> > during the (re)labelling procedure).
> >
> > Signed-off-by: Mark Asselstine <mark.asselst...@windriver.com>
> > ---
> > Joe, any thoughts on this change?

Not especially, it sounded good to me, seemed to work on a quick test for my
use-case, and I merged it:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?id=b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f

Is there something else I should've considered? Or did you want it on a
different branch too?

-J.

> > MarkA > > > .../selinux/selinux-init/selinux-init.sh | 14 +------------- > > .../selinux/selinux-init/selinux-init.sh.sysvinit | 14 ++++++++++++++ > > recipes-security/selinux/selinux-init_0.1.bb | 8 +++++--- > > recipes-security/selinux/selinux-initsh.inc | 8 ++++++++ > > 4 files changed, 28 insertions(+), 16 deletions(-) > > create mode 100644 > > recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit > > > > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh > > b/recipes-security/selinux/selinux-init/selinux-init.sh index > > ead4f00..f93d231 100644 > > --- a/recipes-security/selinux/selinux-init/selinux-init.sh > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh > > @@ -33,18 +33,6 @@ check_rootfs() > > /sbin/shutdown -f -h now > > } > > > > -# If first booting, the security context type of init would be > > -# "kernel_t", and the whole file system should be relabeled. > > -if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then > > - echo "Checking SELinux security contexts:" > > - check_rootfs > > - echo " * First booting, filesystem will be relabeled..." > > - test -x /etc/init.d/auditd && /etc/init.d/auditd start > > - ${SETENFORCE} 0 > > - ${RESTORECON} -RF / > > - ${RESTORECON} -F / > > - echo " * Relabel done, rebooting the system." > > - /sbin/reboot > > -fi > > +# sysvinit firstboot relabel placeholder HERE > > > > exit 0 
> > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit > > b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit new file > > mode 100644 > > index 0000000..d4f3f71 > > --- /dev/null > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit > > @@ -0,0 +1,14 @@ > > +# Contents will be added to selinux-init.sh to support relabelling with > > sysvinit +# If first booting, the security context type of init would be > > +# "kernel_t", and the whole file system should be relabeled. > > +if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then > > + echo "Checking SELinux security contexts:" > > + check_rootfs > > + echo " * First booting, filesystem will be relabeled..." > > + test -x /etc/init.d/auditd && /etc/init.d/auditd start > > + ${SETENFORCE} 0 > > + ${RESTORECON} -RF / > > + ${RESTORECON} -F / > > + echo " * Relabel done, rebooting the system." > > + /sbin/reboot > > +fi > > diff --git a/recipes-security/selinux/selinux-init_0.1.bb > > b/recipes-security/selinux/selinux-init_0.1.bb index 38b5900..78f571c > > 100644 > > --- a/recipes-security/selinux/selinux-init_0.1.bb > > +++ b/recipes-security/selinux/selinux-init_0.1.bb > > @@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \ > > policycoreutils-setfiles \ > > " > > > > -SRC_URI = "file://${BPN}.sh \ > > - file://${BPN}.service \ > > - " > > +SRC_URI = " \ > > + file://${BPN}.sh \ > > + file://${BPN}.sh.sysvinit \ > > + file://${BPN}.service \ > > +" > > > > INITSCRIPT_PARAMS = "start 01 S ." > > > > diff --git a/recipes-security/selinux/selinux-initsh.inc > > b/recipes-security/selinux/selinux-initsh.inc index bcdd449..8e31cda 100644 > > --- a/recipes-security/selinux/selinux-initsh.inc > > +++ b/recipes-security/selinux/selinux-initsh.inc 
> > @@ -17,9 +17,15 @@ inherit update-rc.d systemd > > > > SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service" > > > > +FILES_${PN} += "/.autorelabel" > > + > > do_install () { > > install -d ${D}${sysconfdir}/init.d/ > > install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh > > ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} + # Insert the relabelling > > code which is only needed with sysvinit + sed -i -e '/HERE/r > > ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \ + -e '/.*HERE$/d' > > -e > > '/.*Contents.*sysvinit/d' \ + ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} > > > > install -d ${D}${systemd_unitdir}/system > > install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service > > ${D}${systemd_unitdir}/system @@ -27,6 +33,8 @@ do_install () { > > if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', > 'false', > > d)}; then install -d ${D}${bindir} > > install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}$ > {bindir} > > + sed -i -e '/.*HERE$/d' ${D}${bindir}/$ > {SELINUX_SCRIPT_SRC}.sh > > + echo "# first boot relabelling" > ${D}/.autorelabel > > fi > > } > > > >
-- 
-Joe MacDonald. Linux Architect | Mentor® A Siemens Business
:wq
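Review bot: in the selinux-init.sh hunk, the marker line `+# sysvinit firstboot relabel placeholder HERE` is later matched by `'/.*HERE$/d'`, which deletes every line that ends in `HERE`, not only this placeholder; if anyone adds a comment or echo string ending in that word to selinux-init.sh it will silently vanish from the installed script. A more distinctive token (for example a hypothetical `@SYSVINIT_RELABEL@`) used in the placeholder, in the `r` address and in both delete expressions would make the splice unambiguous.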
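Review bot: the new selinux-init.sh.sysvinit has no shebang and depends on `${SECON}`, `${SETENFORCE}`, `${RESTORECON}` and `check_rootfs` being defined by the script it is spliced into, so it cannot be run or linted on its own; a leading comment naming the variables and the function it expects, and saying that selinux-initsh.inc splices it in, would document that contract. Separately, `${SETENFORCE} 0` followed by two `${RESTORECON}` invocations whose exit status is never examined and an unconditional `/sbin/reboot` means a relabel that partially fails (exactly the kind of "Could not set context" errors quoted in the commit message) still prints "Relabel done" and reboots; checking the restorecon result before rebooting, or at least logging the failure, would make a bad relabel visible instead of silent.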
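Review bot: in the first selinux-initsh.inc hunk, `-e '/.*Contents.*sysvinit/d'` cannot strip the `# Contents will be added ...` header from the spliced fragment: sed's `r` command queues the file to be copied to the output at the end of the cycle without running its lines through the script, so only lines already present in selinux-init.sh are tested against that pattern, and the header comment will end up in the installed init script. Either drop that comment line from selinux-init.sh.sysvinit or run a second `sed -i` over the installed file after the insertion. The `r`-then-`d` pairing on the `HERE` line itself is fine, since the queued text is still emitted after the marker line is deleted.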
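Review bot: in the `@@ -27,6 +33,8 @@` hunk, `echo "# first boot relabelling" > ${D}/.autorelabel` makes every systemd image perform a full relabel on its first boot, but nothing in the recipe ensures the target systemd actually provides the selinux-autorelabel.service unit the commit message relies on; if that unit is absent, /.autorelabel is never consumed, the copy of the script in `${bindir}` now contains no relabel code at all (the `sed -i -e '/.*HERE$/d'` only removes the marker), and the system quietly runs with whatever labels the rootfs image carried. A comment or runtime dependency documenting that requirement, or a check in selinux-init.sh that warns when /.autorelabel still exists after boot, would catch the misconfiguration. Minor: `FILES_${PN} += "/.autorelabel"` is unconditional while the file is only created inside the systemd branch; harmless, but moving it next to the conditional would make the intent clearer.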