On Thursday, September 5, 2019 4:02:11 P.M. EDT Joe MacDonald wrote:
> [Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling]
> On 19.09.05 (Thu 13:55) Mark Asselstine wrote:
> > On Friday, August 23, 2019 2:19:53 P.M. EDT Mark Asselstine wrote:
> > > Boot loops were being seen when booting with selinux enabled, when the
> > > init system in use is systemd. Once logs were retrieved from the
> > > failing system the error was found to be
> > >
> > > selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct: Read-only file system
> > > selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: Read-only file system
> > >
> > > Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
> > > used by selinux-init.sh is unable to handle this. On top of this, the
> > > system is basically presenting two methods of (re)labelling: using the
> > > built-in systemd approach via selinux-autorelabel.service *and* the
> > > code we have in selinux-init.sh. This can get confusing, especially
> > > given that most online resources will speak to the systemd approach
> > > using selinux-autorelabel.service and /.autorelabel.
> > >
> > > These changes leave the current approach in place when sysvinit is the
> > > init system used, but if systemd is being used we make use of its
> > > internal (re)labelling functionality. Overall the workflow remains the
> > > same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
> > > during the (re)labelling procedure).
> > >
> > > Signed-off-by: Mark Asselstine <mark.asselst...@windriver.com>
> > > ---
> >
> > Joe, any thoughts on this change?
>
> Not especially, it sounded good to me, seemed to work on a quick test
> for my use-case, and I merged it:
>
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?id=b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f
>
> Is there something else I should've considered? Or did you want it on a
> different branch too?
Nope, nope. I figure I should take git off my resume as I just screwed up and so didn't see that it was merged. I see it now. Sorry for the churn, we'll have to meet up for a beer for retribution.

MarkA

> -J.
>
> > MarkA
> >
> > > .../selinux/selinux-init/selinux-init.sh | 14 +------------- > > > .../selinux/selinux-init/selinux-init.sh.sysvinit | 14 ++++++++++++++ > > > recipes-security/selinux/selinux-init_0.1.bb | 8 +++++--- > > > recipes-security/selinux/selinux-initsh.inc | 8 ++++++++ > > > 4 files changed, 28 insertions(+), 16 deletions(-) > > > create mode 100644 > > > > > > recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit > > > > > > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh > > > b/recipes-security/selinux/selinux-init/selinux-init.sh index > > > ead4f00..f93d231 100644 > > > --- a/recipes-security/selinux/selinux-init/selinux-init.sh > > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh > > > @@ -33,18 +33,6 @@ check_rootfs() > > > > > > /sbin/shutdown -f -h now > > > > > > } > > > > > > -# If first booting, the security context type of init would be > > > -# "kernel_t", and the whole file system should be relabeled. > > > -if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then > > > - echo "Checking SELinux security contexts:" > > > - check_rootfs > > > - echo " * First booting, filesystem will be relabeled..." > > > - test -x /etc/init.d/auditd && /etc/init.d/auditd start > > > - ${SETENFORCE} 0 > > > - ${RESTORECON} -RF / > > > - ${RESTORECON} -F / > > > - echo " * Relabel done, rebooting the system." > > > - /sbin/reboot > > > -fi > > > +# sysvinit firstboot relabel placeholder HERE > > > > > > exit 0 > > > > > > diff --git > > > a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit > > > b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit new > > > file > > > mode 100644 > > > index 0000000..d4f3f71 > > > --- /dev/null
> > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit > > > @@ -0,0 +1,14 @@ > > > +# Contents will be added to selinux-init.sh to support relabelling with > > > sysvinit +# If first booting, the security context type of init would be > > > +# "kernel_t", and the whole file system should be relabeled. > > > +if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then > > > + echo "Checking SELinux security contexts:" > > > + check_rootfs > > > + echo " * First booting, filesystem will be relabeled..." > > > + test -x /etc/init.d/auditd && /etc/init.d/auditd start > > > + ${SETENFORCE} 0 > > > + ${RESTORECON} -RF / > > > + ${RESTORECON} -F / > > > + echo " * Relabel done, rebooting the system." > > > + /sbin/reboot > > > +fi > > > diff --git a/recipes-security/selinux/selinux-init_0.1.bb > > > b/recipes-security/selinux/selinux-init_0.1.bb index 38b5900..78f571c > > > 100644 > > > --- a/recipes-security/selinux/selinux-init_0.1.bb > > > +++ b/recipes-security/selinux/selinux-init_0.1.bb > > > @@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \ > > > > > > policycoreutils-setfiles \ > > > > > > " > > > > > > -SRC_URI = "file://${BPN}.sh \ > > > - file://${BPN}.service \ > > > - " > > > +SRC_URI = " \ > > > + file://${BPN}.sh \ > > > + file://${BPN}.sh.sysvinit \ > > > + file://${BPN}.service \ > > > +" > > > > > > INITSCRIPT_PARAMS = "start 01 S ." > > > > > > diff --git a/recipes-security/selinux/selinux-initsh.inc > > > b/recipes-security/selinux/selinux-initsh.inc index bcdd449..8e31cda > > > 100644 > > > --- a/recipes-security/selinux/selinux-initsh.inc > > > +++ b/recipes-security/selinux/selinux-initsh.inc 
> > > @@ -17,9 +17,15 @@ inherit update-rc.d systemd > > > > > > SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service" > > > > > > +FILES_${PN} += "/.autorelabel" > > > + > > > > > > do_install () { > > > > > > install -d ${D}${sysconfdir}/init.d/ > > > install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh > > > > > > ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} + # Insert the > > > relabelling > > > code which is only needed with sysvinit + sed -i -e '/HERE/r > > > ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \ + -e '/.*HERE$/d' > > > -e > > > '/.*Contents.*sysvinit/d' \ > > > + ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} > > > > > > install -d ${D}${systemd_unitdir}/system > > > install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service > > > > > > ${D}${systemd_unitdir}/system @@ -27,6 +33,8 @@ do_install () { > > > > > > if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', > > > > 'false', > > > > > d)}; then install -d ${D}${bindir} > > > > > > install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}$ > > > > {bindir} > > > > > + sed -i -e '/.*HERE$/d' ${D}${bindir}/$ > > > > {SELINUX_SCRIPT_SRC}.sh > > > > > + echo "# first boot relabelling" > ${D}/.autorelabel > > > > > > fi > > > > > > }

--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
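Review bot: in the selinux-init.sh hunk, the placeholder `+# sysvinit firstboot relabel placeholder HERE` is located by the bare patterns `/HERE/` and `/.*HERE$/` in selinux-initsh.inc, so any other line of the script that contains or ends with `HERE` would also receive the spliced-in block or be deleted; a more distinctive token (for example `@SYSVINIT_RELABEL@`) used in the placeholder and in both sed expressions would make the substitution unambiguous, and the comment should say the line is consumed at build time so nobody later removes it as a stray note.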
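Review bot: in the new selinux-init.sh.sysvinit, the block reboots unconditionally after `${RESTORECON} -RF /` and `${RESTORECON} -F /`, so a restorecon failure of the kind quoted in the commit message (Could not set context ... Read-only file system) is still followed by ` * Relabel done, rebooting the system.` and `/sbin/reboot`, and if init still reports `kernel_t` on the next boot the sequence repeats, which is the same loop this patch is fixing on the systemd side; checking restorecon's exit status and logging or leaving a marker instead of rebooting on failure would make a broken relabel visible rather than looping. The block also runs the relabel under `${SETENFORCE} 0`; relying on the reboot to return to enforcing is fine but deserves a comment.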
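Review bot: in the first selinux-initsh.inc hunk, the sed that splices selinux-init.sh.sysvinit into the init.d copy runs unconditionally in do_install, while only the ${bindir} copy made under the `DISTRO_FEATURES` systemd check has the placeholder stripped, so an image with both sysvinit and systemd in DISTRO_FEATURES ships an /etc/init.d script that still carries the `${SETENFORCE} 0` / `${RESTORECON} -RF /` / `/sbin/reboot` sequence next to /.autorelabel; if that is intended it needs a comment, otherwise guard the sed with the same check. `FILES_${PN} += "/.autorelabel"` is likewise added unconditionally although the file is only created in the systemd branch of the next hunk, which is harmless but reads more clearly beside the `echo` that creates it, and the pattern `/.*Contents.*sysvinit/d` used to drop the snippet's header comment will delete any other matching line in the script.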
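Review bot: in the second selinux-initsh.inc hunk, `echo "# first boot relabelling" > ${D}/.autorelabel` makes /.autorelabel a packaged file, so it is present on every fresh install (the intended first-boot relabel) but is also reinstalled on any upgrade of this package, triggering a full relabel and reboot again; if that is not wanted, creating the marker from a postinst only when it does not already exist, or from the image recipe, avoids it. The commit message hands the relabel over to selinux-autorelabel.service, but nothing in the patch adds a runtime dependency on the package shipping that unit (the .bb hunk only lists policycoreutils-setfiles in ${PN}_RDEPENDS), so it is worth confirming the marker cannot end up on a system with nothing to act on it.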