authorPhilip Tricca <flihp@twobit.us>2015-11-08 19:00:40 +0000
committerJoe MacDonald <joe_macdonald@mentor.com>2015-11-27 09:18:14 -0500
commitcfd609806768202a84205382bd5ed78eee161e4e (patch)
treec6669e8249d6a0cda0823ee0ed3a1481cf8bbefc
parentac8450482dcbca2944c158f8b53ce295dc3cbb04 (diff)
downloadmeta-selinux-cfd609806768202a84205382bd5ed78eee161e4e.tar.gz
selinux-init: Break handling of /.autorelabel out into separate script.
Fixup DESCRIPTION in old selinux-init recipe. Exclude this autorelabel script from the minimal packagegroup. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-rw-r--r--recipes-security/packagegroups/packagegroup-core-selinux.bb1
-rw-r--r--recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh22
-rw-r--r--recipes-security/selinux/selinux-autorelabel_0.1.bb17
-rw-r--r--recipes-security/selinux/selinux-init/selinux-init.sh14
-rw-r--r--recipes-security/selinux/selinux-init_0.1.bb3
5 files changed, 43 insertions, 14 deletions
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index e46cda7..a2480a3 100644
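--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
  setools \
  setools-console \
  selinux-config \
+ selinux-autorelabel \
  selinux-init \
  selinux-labeldev \
  refpolicy-standard \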
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100644
index 0000000..154dad1
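--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+
+if ! test -x ${FIXFILES}; then
+ echo "${FIXFILES} is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+fi
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+ echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${FIXFILES} -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+exit 0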
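Review bot: The relabel branch (new lines 14-20) deletes `/.autorelabel` and reboots without checking that `${FIXFILES} -F -f relabel` succeeded, so a failed or interrupted relabel leaves the marker gone and the system comes back up with incomplete labels. The `check_rootfs` call that the removed block in selinux-init.sh made before relabeling is not carried over either; its body is not shown on this page, but if it guarded against a root filesystem that cannot be written, the `rm -f` here will fail unnoticed and the system will relabel and reboot on every boot. I would gate both steps ahead of the reboot, e.g. `${FIXFILES} -F -f relabel || exit 1` and `/bin/rm -f /.autorelabel || exit 1`, and send the failure messages to stderr.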
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb
new file mode 100644
index 0000000..2664863
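--- /dev/null
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc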
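Review bot: Line 10 spells the runtime dependency as `${PN}_RDEPENDS`, whereas the packagegroup recipe touched by this same commit uses `RDEPENDS_${PN}`; with the name reversed BitBake most likely treats it as an unrelated variable and the dependency is never attached to the package. On an image that does not pull the tool in some other way, the script then finds `/sbin/fixfiles` missing, prints the "selinux=0" advice and exits 1, so a requested relabel never runs. Suggest `RDEPENDS_${PN} = " \` here, and confirm that the listed `policycoreutils-setfiles` is the package that actually ships `/sbin/fixfiles`.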
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index 32c4de1..ead4f00 100644
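--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -4,12 +4,11 @@
 
 CHCON=/usr/bin/chcon
 MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
 RESTORECON=/sbin/restorecon
 SECON=/usr/bin/secon
 SETENFORCE=/usr/sbin/setenforce
 
-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
  test -x $i && continue
  echo "$i is missing in the system."
  echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
@@ -34,17 +33,6 @@ check_rootfs()
  /sbin/shutdown -f -h now
 }
 
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * /.autorelabel placed, filesystem will be relabeled..."
- ${FIXFILES} -F -f relabel
- /bin/rm -f /.autorelabel
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
-
 # If first booting, the security context type of init would be
 # "kernel_t", and the whole file system should be relabeled.
 if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then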
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index 87f8dad..54932e8 100644
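--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -1,6 +1,7 @@
 SUMMARY = "SELinux init script"
 DESCRIPTION = "\
-SELinux start up stuff for Yocto. \
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
 "
 
 LICENSE = "MIT"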