On 9/5/19 7:57 PM, Joe MacDonald wrote:
[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first booting with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/fixfiles. The relabel operation
is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
to ensure the enforcing mode is disabled before relabel.
Did you try this with '/usr/sbin/setenforce 0' instead? The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively. If that's not working, please just include a bit
of an explanation for why this is the best option.
It also works with setenforce.
I referred to the selinux-autorelabel script on Fedora 30; it uses `echo
"0" > /sys/fs/selinux/enforce` to disable enforcing mode:
cat /usr/libexec/selinux/selinux-autorelabel
[snip]
relabel_selinux() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    . /etc/selinux/config
    echo "0" > /sys/fs/selinux/enforce
    [ -x /bin/plymouth ] && plymouth --quit

[snip]
//Yi
Thanks.
-J.
Signed-off-by: Yi Zhao <yi.z...@windriver.com>
---
recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
1 file changed, 1 insertion(+)
diff --git
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
# If /.autorelabel placed, the whole file system should be relabeled
if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ echo "0" > /sys/fs/selinux/enforce
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
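Review bot: the added `echo "0" > /sys/fs/selinux/enforce` is unchecked, so if the write fails (selinuxfs not mounted at that path, or the kernel rejecting the write) the script still runs `${FIXFILES} -F -f relabel` in enforcing mode, which the commit message says is exactly the case that does not work on an unlabeled first boot. Test the result and read the mode back before relabeling, e.g. `echo 0 > /sys/fs/selinux/enforce && [ "$(cat /sys/fs/selinux/enforce)" = 0 ] || echo "SELinux: could not disable enforcing mode, relabel may fail"`. Since the reply confirms `setenforce 0` also works, using it here would be equally acceptable and it reports its own failure; whichever is chosen, a one-line comment should say that enforcing mode is deliberately not restored because the script reboots right after the relabel.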
--
2.7.4
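The first-boot procedure discussed in this thread (drop to permissive mode, then run fixfiles, then reboot) with the check a reviewer would want, as an added example that is not code from meta-selinux or from the Fedora script quoted above. It tries `setenforce` first and falls back to writing the selinuxfs node, and it only proceeds to relabel once the mode reads back as 0. The SELINUXFS, SETENFORCE and FIXFILES variables are an assumption made for this example so the logic can be exercised against a constructed directory rather than a live SELinux kernel:

```shell
#!/bin/sh
# Added example (not meta-selinux or Fedora code): disable enforcing mode
# before a first-boot relabel and verify that the switch actually happened,
# instead of trusting an unchecked "echo 0 > /sys/fs/selinux/enforce".
#
# Assumption for this example: SELINUXFS, SETENFORCE and FIXFILES may be
# overridden so the functions can be run against a constructed directory.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"
SETENFORCE="${SETENFORCE:-/usr/sbin/setenforce}"
FIXFILES="${FIXFILES:-/sbin/fixfiles}"

# Print the current mode ("1" enforcing, "0" permissive).
# Fails if selinuxfs is not mounted at $SELINUXFS.
selinux_mode() {
    [ -r "$SELINUXFS/enforce" ] || return 1
    cat "$SELINUXFS/enforce"
}

# Switch to permissive mode. Prefer the setenforce tool when present,
# otherwise write the selinuxfs node directly as the Fedora script does.
# Returns 0 only if the mode reads back as 0 afterwards; enforcing mode is
# not restored here because the caller reboots right after the relabel.
disable_enforcing() {
    mode=$(selinux_mode) || {
        echo "SELinux: $SELINUXFS/enforce not readable, cannot relabel" >&2
        return 1
    }
    [ "$mode" = "0" ] && return 0
    if [ -x "$SETENFORCE" ]; then
        "$SETENFORCE" 0 2>/dev/null
    else
        echo 0 > "$SELINUXFS/enforce" 2>/dev/null
    fi
    [ "$(selinux_mode)" = "0" ] || {
        echo "SELinux: still enforcing, refusing to relabel" >&2
        return 1
    }
    return 0
}

# Relabel only when the marker file exists and enforcing mode is confirmed
# off; the marker is removed only after fixfiles succeeds.
relabel_if_requested() {
    marker="${1:-/.autorelabel}"
    [ -f "$marker" ] || return 0
    disable_enforcing || return 1
    "$FIXFILES" -F -f relabel && rm -f "$marker"
}
```

Run as root on a real system it behaves like the patched script, but stops with a message instead of running fixfiles when the mode could not be changed.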
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto