diff options
| author | Philip Tricca <flihp@twobit.us> | 2015-11-08 19:00:39 +0000 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-11-27 09:18:14 -0500 |
| commit | ac8450482dcbca2944c158f8b53ce295dc3cbb04 (patch) | |
| tree | a751c450584cd4e58e351f70ba8a7ba11def2fcf | |
| parent | 766bed8304ae123646232e0799c865d3af6db22c (diff) | |
| download | meta-selinux-ac8450482dcbca2944c158f8b53ce295dc3cbb04.tar.gz | |
selinux-init: Break labeling of /dev out into separate script.
Remove selinux-init package from packagegroup-selinux-minimal.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
6 files changed, 43 insertions, 11 deletions
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb index 472bf55..e46cda7 100644 --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb | |||
| @@ -24,6 +24,7 @@ RDEPENDS_${PN} = " \ | |||
| 24 | setools-console \ | 24 | setools-console \ |
| 25 | selinux-config \ | 25 | selinux-config \ |
| 26 | selinux-init \ | 26 | selinux-init \ |
| 27 | selinux-labeldev \ | ||
| 27 | refpolicy-standard \ | 28 | refpolicy-standard \ |
| 28 | refpolicy-mls \ | 29 | refpolicy-mls \ |
| 29 | coreutils \ | 30 | coreutils \ |
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb index 42fb82d..34c5f7c 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb | |||
| @@ -22,6 +22,6 @@ RDEPENDS_${PN} = "\ | |||
| 22 | policycoreutils-sestatus \ | 22 | policycoreutils-sestatus \ |
| 23 | policycoreutils-setfiles \ | 23 | policycoreutils-setfiles \ |
| 24 | selinux-config \ | 24 | selinux-config \ |
| 25 | selinux-init \ | 25 | selinux-labeldev \ |
| 26 | refpolicy-mls \ | 26 | refpolicy-mls \ |
| 27 | " | 27 | " |
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh index f9f0914..32c4de1 100644 --- a/recipes-security/selinux/selinux-init/selinux-init.sh +++ b/recipes-security/selinux/selinux-init/selinux-init.sh | |||
| @@ -34,12 +34,6 @@ check_rootfs() | |||
| 34 | /sbin/shutdown -f -h now | 34 | /sbin/shutdown -f -h now |
| 35 | } | 35 | } |
| 36 | 36 | ||
| 37 | # Because /dev/console is not relabeled by kernel, many commands | ||
| 38 | # would can not use it, including restorecon. | ||
| 39 | ${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null | ||
| 40 | ${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console | ||
| 41 | |||
| 42 | |||
| 43 | # If /.autorelabel placed, the whole file system should be relabeled | 37 | # If /.autorelabel placed, the whole file system should be relabeled |
| 44 | if [ -f /.autorelabel ]; then | 38 | if [ -f /.autorelabel ]; then |
| 45 | echo "Checking SELinux security contexts:" | 39 | echo "Checking SELinux security contexts:" |
| @@ -65,7 +59,4 @@ if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then | |||
| 65 | /sbin/reboot | 59 | /sbin/reboot |
| 66 | fi | 60 | fi |
| 67 | 61 | ||
| 68 | # Now, we should relabel /dev for most services. | ||
| 69 | ${RESTORECON} -RF /dev | ||
| 70 | |||
| 71 | exit 0 | 62 | exit 0 |
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb index cde142d..87f8dad 100644 --- a/recipes-security/selinux/selinux-init_0.1.bb +++ b/recipes-security/selinux/selinux-init_0.1.bb | |||
| @@ -14,6 +14,6 @@ ${PN}_RDEPENDS = " \ | |||
| 14 | " | 14 | " |
| 15 | 15 | ||
| 16 | SRC_URI = "file://${BPN}.sh" | 16 | SRC_URI = "file://${BPN}.sh" |
| 17 | SELINUX_SCRIPT_DST = "0${BPN}" | 17 | INITSCRIPT_PARAMS = "start 01 S ." |
| 18 | 18 | ||
| 19 | require selinux-initsh.inc | 19 | require selinux-initsh.inc |
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh new file mode 100644 index 0000000..62e7a42 --- /dev/null +++ b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | |||
| 3 | /usr/sbin/selinuxenabled 2>/dev/null || exit 0 | ||
| 4 | |||
| 5 | CHCON=/usr/bin/chcon | ||
| 6 | MATCHPATHCON=/usr/sbin/matchpathcon | ||
| 7 | RESTORECON=/sbin/restorecon | ||
| 8 | |||
| 9 | for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do | ||
| 10 | test -x $i && continue | ||
| 11 | echo "$i is missing in the system." | ||
| 12 | echo "Please add \"selinux=0\" in the kernel command line to disable SELinux." | ||
| 13 | exit 1 | ||
| 14 | done | ||
| 15 | |||
| 16 | # Because /dev/console is not relabeled by kernel, many commands | ||
| 17 | # would can not use it, including restorecon. | ||
| 18 | ${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null | ||
| 19 | ${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console | ||
| 20 | |||
| 21 | # Now, we should relabel /dev for most services. | ||
| 22 | ${RESTORECON} -RF /dev | ||
| 23 | |||
| 24 | exit 0 | ||
diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux/selinux-labeldev_0.1.bb new file mode 100644 index 0000000..b692bb2 --- /dev/null +++ b/recipes-security/selinux/selinux-labeldev_0.1.bb | |||
| @@ -0,0 +1,16 @@ | |||
| 1 | SUMMARY = "SELinux init script" | ||
| 2 | DESCRIPTION = "Set SELinux labels for /dev." | ||
| 3 | |||
| 4 | LICENSE = "MIT" | ||
| 5 | LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" | ||
| 6 | |||
| 7 | ${PN}_RDEPENDS = " \ | ||
| 8 | coreutils \ | ||
| 9 | libselinux-bin \ | ||
| 10 | policycoreutils-setfiles \ | ||
| 11 | " | ||
| 12 | |||
| 13 | SRC_URI = "file://${BPN}.sh" | ||
| 14 | SELINUX_SCRIPT_DST = "0${BPN}" | ||
| 15 | |||
| 16 | require selinux-initsh.inc | ||