selinux-config: update the init script

Fix the hard-coded security type for /dev/null and /dev/console.
Check rootfs if support xattrs before do relabel.

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>

2 files changed, 41 insertions, 11 deletions

diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh
index 55c503f..1cdc3dd 100644
--- a/recipes-security/selinux/selinux-config/selinux-init.sh
+++ b/recipes-security/selinux/selinux-config/selinux-init.sh
@@ -2,20 +2,48 @@
 
 /usr/sbin/selinuxenabled 2>/dev/null || exit 0
 
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+FIXFILES=/sbin/fixfiles
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ; do
+        test -x $i && continue
+        echo "$i is missing in the system."
+        echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+        exit 1
+done
+
+check_rootfs()
+{
+        ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+        echo ""
+        echo "* SELinux requires the root '/' filesystem support extended"
+        echo "  filesystem attributes (XATTRs).  It does not appear that this"
+        echo "  filesystem has extended attribute support or it is not enabled."
+        echo ""
+        echo "  - To continue using SELinux you will need to enable extended"
+        echo "    attribute support on the root device."
+        echo ""
+        echo "  - To disable SELinux, please add \"selinux=0\" in the kernel"
+        echo "    command line."
+        echo ""
+        echo "* Halting the system now."
+        /sbin/shutdown -f -h now
+}
+
 # Because /dev/console is not relabeled by kernel, many commands
 # would can not use it, including restorecon.
-if [ -x /usr/bin/chcon ]; then
-       /usr/bin/chcon -t null_device_t /dev/null
-       /usr/bin/chcon -t console_device_t /dev/console
-fi
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
 
 
 # If /.autorelabel placed, the whole file system should be relabeled
-test ! -x /sbin/fixfiles ||
 if [ -f /.autorelabel ]; then
         echo "Checking SELinux security contexts:"
+        check_rootfs
         echo " * /.autorelabel placed, filesystem will be relabeled..."
-        /sbin/fixfiles -F -f relabel
+        ${FIXFILES} -F -f relabel
         /bin/rm -f /.autorelabel
         echo " * Relabel done, rebooting the system."
         /sbin/reboot -f
@@ -23,17 +51,19 @@ fi
 
 # If first booting, the security context type of init would be
 # "kernel_t", and the whole file system should be relabeled.
-test ! -x /sbin/restorecon ||
 if [ "`/usr/bin/secon -t --pid 1`" = "kernel_t" ]; then
         echo "Checking SELinux security contexts:"
+        check_rootfs
         echo " * First booting, filesystem will be relabeled..."
         test -x /etc/init.d/auditd && /etc/init.d/auditd start
         /usr/sbin/setenforce 0
-        /sbin/restorecon -R /
-        /sbin/restorecon /
+        ${RESTORECON} -R /
+        ${RESTORECON} /
         echo " * Relabel done, rebooting the system."
         /sbin/reboot -f
 fi
 
 # Now, we should relabel /dev for most services.
-test ! -x /sbin/restorecon || /sbin/restorecon -R /dev
+${RESTORECON} -R /dev
+
+exit 0
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index 48b9362..9521dcf 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -8,7 +8,7 @@ This is the configuration files for SELinux on WRLinux system.  \
 SECTION = "base"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-PR = "r1"
+PR = "r2"
 
 SRC_URI = "file://selinux-init.sh"