selinux-config: add init script

This script will be installed as 0selinux-init, in runlevel S and sequence number 0. It will start before any other init script. * relabel /dev for restorecon/fixfiles running * rebuild policy and relabel the rootfs if /.autorelabel placed. * relabel the rootfs if it is first booting. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-09-19 16:31:24 +0800
committer: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-10-18 11:07:45 +0800
commit: 3b2088b2bd2d7667c6a47c07dba32ec7ddc5a3ae (patch)
tree: ba0ccddd8b662bceeda021892f2b6fca8ea94684
parent: ad05ee24950baaf4c97aba374662065361d15908 (diff)
download: meta-selinux-3b2088b2bd2d7667c6a47c07dba32ec7ddc5a3ae.tar.gz
2 files changed, 53 insertions, 2 deletions
diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh
new file mode 100644
index 0000000..55c503f
--- /dev/null
+++ b/recipes-security/selinux/selinux-config/selinux-init.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+if [ -x /usr/bin/chcon ]; then
+       /usr/bin/chcon -t null_device_t /dev/null
+       /usr/bin/chcon -t console_device_t /dev/console
+fi
+# If /.autorelabel placed, the whole file system should be relabeled
+test ! -x /sbin/fixfiles ||
+if [ -f /.autorelabel ]; then
+        echo "Checking SELinux security contexts:"
+        echo " * /.autorelabel placed, filesystem will be relabeled..."
+        /sbin/fixfiles -F -f relabel
+        /bin/rm -f /.autorelabel
+        echo " * Relabel done, rebooting the system."
+        /sbin/reboot -f
+fi
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+test ! -x /sbin/restorecon ||
+if [ "`/usr/bin/secon -t --pid 1`" = "kernel_t" ]; then
+        echo "Checking SELinux security contexts:"
+        echo " * First booting, filesystem will be relabeled..."
+        test -x /etc/init.d/auditd && /etc/init.d/auditd start
+        /usr/sbin/setenforce 0
+        /sbin/restorecon -R /
+        /sbin/restorecon /
+        echo " * Relabel done, rebooting the system."
+        /sbin/reboot -f
+fi
+# Now, we should relabel /dev for most services.
+test ! -x /sbin/restorecon || /sbin/restorecon -R /dev
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index c0ed158..48b9362 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -8,13 +8,25 @@ This is the configuration files for SELinux on WRLinux system.  \
 SECTION = "base"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-PR = "r0"
+PR = "r1"
-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
+SRC_URI = "file://selinux-init.sh"
+inherit update-rc.d
+INITSCRIPT_NAME = "0selinux-init"
+INITSCRIPT_PARAMS = "start 00 S ."
+CONFFILES_${PN} += "${sysconfdir}/selinux/config \
+        ${sysconfdir}/init.d/0selinux-init \
+        "
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 do_install () {
+        install -d ${D}${sysconfdir}/init.d/
+        install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
        echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-09-19 16:31:24 +0800
committer	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-10-18 11:07:45 +0800
commit	3b2088b2bd2d7667c6a47c07dba32ec7ddc5a3ae (patch)
tree	ba0ccddd8b662bceeda021892f2b6fca8ea94684
parent	ad05ee24950baaf4c97aba374662065361d15908 (diff)
download	meta-selinux-3b2088b2bd2d7667c6a47c07dba32ec7ddc5a3ae.tar.gz

diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh new file mode 100644 index 0000000..55c503f --- /dev/null +++ b/recipes-security/selinux/selinux-config/selinux-init.sh
@@ -0,0 +1,39 @@
		1	#!/bin/sh
		2
		3	/usr/sbin/selinuxenabled 2>/dev/null \|\| exit 0
		4
		5	# Because /dev/console is not relabeled by kernel, many commands
		6	# would can not use it, including restorecon.
		7	if [ -x /usr/bin/chcon ]; then
		8	/usr/bin/chcon -t null_device_t /dev/null
		9	/usr/bin/chcon -t console_device_t /dev/console
		10	fi
		11
		12
		13	# If /.autorelabel placed, the whole file system should be relabeled
		14	test ! -x /sbin/fixfiles \|\|
		15	if [ -f /.autorelabel ]; then
		16	echo "Checking SELinux security contexts:"
		17	echo " * /.autorelabel placed, filesystem will be relabeled..."
		18	/sbin/fixfiles -F -f relabel
		19	/bin/rm -f /.autorelabel
		20	echo " * Relabel done, rebooting the system."
		21	/sbin/reboot -f
		22	fi
		23
		24	# If first booting, the security context type of init would be
		25	# "kernel_t", and the whole file system should be relabeled.
		26	test ! -x /sbin/restorecon \|\|
		27	if [ "`/usr/bin/secon -t --pid 1`" = "kernel_t" ]; then
		28	echo "Checking SELinux security contexts:"
		29	echo " * First booting, filesystem will be relabeled..."
		30	test -x /etc/init.d/auditd && /etc/init.d/auditd start
		31	/usr/sbin/setenforce 0
		32	/sbin/restorecon -R /
		33	/sbin/restorecon /
		34	echo " * Relabel done, rebooting the system."
		35	/sbin/reboot -f
		36	fi
		37
		38	# Now, we should relabel /dev for most services.
		39	test ! -x /sbin/restorecon \|\| /sbin/restorecon -R /dev


diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb index c0ed158..48b9362 100644 --- a/recipes-security/selinux/selinux-config_0.1.bb +++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -8,13 +8,25 @@ This is the configuration files for SELinux on WRLinux system. \
8	SECTION = "base"	8	SECTION = "base"
9	LICENSE = "MIT"	9	LICENSE = "MIT"
10	LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"	10	LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
11	PR = "r0"	11	PR = "r1"
12		12
13	CONFFILES_${PN} += "${sysconfdir}/selinux/config"	13	SRC_URI = "file://selinux-init.sh"
		14
		15	inherit update-rc.d
		16
		17	INITSCRIPT_NAME = "0selinux-init"
		18	INITSCRIPT_PARAMS = "start 00 S ."
		19
		20	CONFFILES_${PN} += "${sysconfdir}/selinux/config \
		21	${sysconfdir}/init.d/0selinux-init \
		22	"
14		23
15	PACKAGE_ARCH = "${MACHINE_ARCH}"	24	PACKAGE_ARCH = "${MACHINE_ARCH}"
16		25
17	do_install () {	26	do_install () {
		27	install -d ${D}${sysconfdir}/init.d/
		28	install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
		29
18	echo "\	30	echo "\
19	# This file controls the state of SELinux on the system.	31	# This file controls the state of SELinux on the system.
20	# SELINUX= can take one of these three values:	32	# SELINUX= can take one of these three values: