From 19089953e2a2ce8d68f92fb51b1ca3922ea66966 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 8 Dec 2021 15:33:44 +0800 Subject: selinux: move selinux scripts to selinux-scripts There are too many recipes in recipes-security/selinux. Keep the selinux userspace recipes and move selinux scripts to selinux-scripts directory to make the directory hierarchy clearer. Signed-off-by: Yi Zhao 
Signed-off-by: Joe MacDonald --- .../selinux-autorelabel.service | 11 ++++++ .../selinux-autorelabel/selinux-autorelabel.sh | 25 +++++++++++++ .../selinux-scripts/selinux-autorelabel_0.1.bb | 26 ++++++++++++++ .../selinux-init/selinux-init.service | 12 +++++++ .../selinux-scripts/selinux-init/selinux-init.sh | 38 ++++++++++++++++++++ .../selinux-init/selinux-init.sh.sysvinit | 14 ++++++++ .../selinux-scripts/selinux-init_0.1.bb | 25 +++++++++++++ .../selinux-scripts/selinux-initsh.inc | 41 ++++++++++++++++++++++ .../selinux-labeldev/selinux-labeldev.service | 11 ++++++ .../selinux-labeldev/selinux-labeldev.sh | 24 +++++++++++++ .../selinux-scripts/selinux-labeldev_0.1.bb | 19 ++++++++++ .../selinux-autorelabel.service | 11 ------ .../selinux-autorelabel/selinux-autorelabel.sh | 25 ------------- .../selinux/selinux-autorelabel_0.1.bb | 26 -------------- .../selinux/selinux-init/selinux-init.service | 12 ------- .../selinux/selinux-init/selinux-init.sh | 38 -------------------- .../selinux/selinux-init/selinux-init.sh.sysvinit | 14 -------- recipes-security/selinux/selinux-init_0.1.bb | 25 ------------- recipes-security/selinux/selinux-initsh.inc | 41 ---------------------- .../selinux-labeldev/selinux-labeldev.service | 11 ------ .../selinux/selinux-labeldev/selinux-labeldev.sh | 24 ------------- recipes-security/selinux/selinux-labeldev_0.1.bb | 19 ---------- 22 files changed, 246 insertions(+), 246 deletions(-) create mode 100644 recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service create mode 100644 recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh create mode 100644 recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb create mode 100644 recipes-security/selinux-scripts/selinux-init/selinux-init.service create mode 100644 recipes-security/selinux-scripts/selinux-init/selinux-init.sh create mode 100644 recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit create mode 100644 
recipes-security/selinux-scripts/selinux-init_0.1.bb create mode 100644 recipes-security/selinux-scripts/selinux-initsh.inc create mode 100644 recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service create mode 100644 recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh create mode 100644 recipes-security/selinux-scripts/selinux-labeldev_0.1.bb delete mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service delete mode 100644 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh delete mode 100644 recipes-security/selinux/selinux-autorelabel_0.1.bb delete mode 100644 recipes-security/selinux/selinux-init/selinux-init.service delete mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh delete mode 100644 recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit delete mode 100644 recipes-security/selinux/selinux-init_0.1.bb delete mode 100644 recipes-security/selinux/selinux-initsh.inc delete mode 100644 recipes-security/selinux/selinux-labeldev/selinux-labeldev.service delete mode 100644 recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh delete mode 100644 recipes-security/selinux/selinux-labeldev_0.1.bb
diff --git a/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
new file mode 100644
index 0000000..3c2a576
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux autorelabel service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-autorelabel.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
new file mode 100644
index 0000000..25b6921
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${FIXFILES} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+ echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${SETENFORCE} 0
+ ${FIXFILES} -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
+
+exit 0
diff --git a/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb b/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
new file mode 100644
index 0000000..a919445
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
@@ -0,0 +1,26 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS:${PN} = " \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh \
+ file://${BPN}.service \
+ "
+
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
+
+do_install:append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ echo "# first boot relabelling" > ${D}/.autorelabel
+ fi
+}
diff --git a/recipes-security/selinux-scripts/selinux-init/selinux-init.service b/recipes-security/selinux-scripts/selinux-init/selinux-init.service
new file mode 100644
index 0000000..91b3e72
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.service
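Review bot: In selinux-autorelabel.sh the relabel result is never checked: `${FIXFILES} -F -f relabel` is followed unconditionally by `/bin/rm -f /.autorelabel`, so a failed or partial relabel still removes the trigger and reboots with stale file contexts and nothing on the console to say so. Testing the exit status and reporting it, for example `${FIXFILES} -F -f relabel || echo " * Relabel failed, file contexts may be incomplete."`, would make that state visible; whether to keep /.autorelabel for a retry is a policy choice for the maintainers. The same unchecked pattern is in selinux-init.sh.sysvinit at `${RESTORECON} -RF /`. Both scripts also run `${SETENFORCE} 0` and finish with `exit 0`, so if `/sbin/reboot` returns without rebooting, boot presumably continues in permissive mode.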
@@ -0,0 +1,12 @@
+[Unit]
+Description=SELinux init service loading
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-init.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux-scripts/selinux-init/selinux-init.sh b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
new file mode 100644
index 0000000..f93d231
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+SECON=/usr/bin/secon
+SETENFORCE=/usr/sbin/setenforce
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+check_rootfs()
+{
+ ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
+ echo ""
+ echo "* SELinux requires the root '/' filesystem support extended"
+ echo " filesystem attributes (XATTRs). It does not appear that this"
+ echo " filesystem has extended attribute support or it is not enabled."
+ echo ""
+ echo " - To continue using SELinux you will need to enable extended"
+ echo " attribute support on the root device."
+ echo ""
+ echo " - To disable SELinux, please add \"selinux=0\" in the kernel"
+ echo " command line."
+ echo ""
+ echo "* Halting the system now."
+ /sbin/shutdown -f -h now
+}
+
+# sysvinit firstboot relabel placeholder HERE
+
+exit 0
diff --git a/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
new file mode 100644
index 0000000..d4f3f71
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ ${SETENFORCE} 0
+ ${RESTORECON} -RF /
+ ${RESTORECON} -F /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
diff --git a/recipes-security/selinux-scripts/selinux-init_0.1.bb b/recipes-security/selinux-scripts/selinux-init_0.1.bb
new file mode 100644
index 0000000..c97316e
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-init_0.1.bb
@@ -0,0 +1,25 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "\
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS:${PN} = " \
+ coreutils \
+ libselinux-bin \
+ policycoreutils-secon \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = " \
+ file://${BPN}.sh \
+ file://${BPN}.sh.sysvinit \
+ file://${BPN}.service \
+"
+
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
diff --git a/recipes-security/selinux-scripts/selinux-initsh.inc b/recipes-security/selinux-scripts/selinux-initsh.inc
new file mode 100644
index 0000000..f6a3d85
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-initsh.inc
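Review bot: In selinux-init.sh.sysvinit the call to `check_rootfs` ignores the outcome, and the function's failure path in selinux-init.sh ends with `/sbin/shutdown -f -h now` and no `exit`. If shutdown returns before the halt takes effect (likely, though not visible from this patch), the fragment carries on to `${SETENFORCE} 0`, both restorecon runs and `/sbin/reboot` on a root filesystem it has just reported as lacking xattr support. Ending the failure path with `exit 1` after the shutdown call, or adding `return 1` there and writing the call as `check_rootfs || exit 1`, would stop the script at that point.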
@@ -0,0 +1,41 @@
+S ?= "${WORKDIR}"
+SECTION ?= "base"
+
+# Default is for script name to be the same as the recipe name.
+# Script must have .sh suffix.
+SELINUX_SCRIPT_SRC ?= "${BPN}"
+SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
+
+INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
+INITSCRIPT_PARAMS ?= "start 00 S ."
+
+CONFFILES:${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
+
+PACKAGE_ARCH ?= "${MACHINE_ARCH}"
+
+inherit update-rc.d systemd
+
+SYSTEMD_SERVICE:${PN} = "${SELINUX_SCRIPT_SRC}.service"
+
+FILES:${PN} += "/.autorelabel"
+
+do_install () {
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+ # Insert the relabelling code which is only needed with sysvinit
+ sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+ -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+ ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+ sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+ fi
+}
+
+sysroot_stage_all:append () {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
diff --git a/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
new file mode 100644
index 0000000..96142a3
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=SELinux init for /dev service loading
+DefaultDependencies=no
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/selinux-labeldev.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh
new file mode 100644
index 0000000..62e7a42
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
+ echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+ exit 1
+done
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
diff --git a/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb b/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb
new file mode 100644
index 0000000..d29efec
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb
@@ -0,0 +1,19 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "Set SELinux labels for /dev."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+RDEPENDS:${PN} = " \
+ coreutils \
+ libselinux-bin \
+ policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh \
+ file://${BPN}.service \
+ "
+
+SELINUX_SCRIPT_DST = "0${BPN}"
+
+require selinux-initsh.inc
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
deleted file mode 100644
index 3c2a576..0000000
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
+++ /dev/null
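Review bot: In selinux-labeldev.sh the two `${CHCON} -t` lines pass an unquoted, unchecked command substitution as the type. If `${MATCHPATHCON} -n /dev/console` prints nothing or an unexpected form, the backticks expand to nothing and chcon takes the device path as the type argument with no file operand, so the node keeps its old label while the script still reaches `exit 0`. Capturing the value first and skipping on empty would be safer, e.g. `t=$(${MATCHPATHCON} -n /dev/console | cut -d: -f3)` followed by `[ -n "$t" ] && ${CHCON} -t "$t" /dev/console`, and likewise for /dev/null. The comment above those lines would also read better as `# would not be able to use it, including restorecon.`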
@@ -1,11 +0,0 @@
-[Unit]
-Description=SELinux autorelabel service loading
-DefaultDependencies=no
-Before=sysinit.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/selinux-autorelabel.sh
-
-[Install]
-WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
deleted file mode 100644
index 25b6921..0000000
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/selinuxenabled 2>/dev/null || exit 0
-
-FIXFILES=/sbin/fixfiles
-SETENFORCE=/usr/sbin/setenforce
-
-for i in ${FIXFILES} ${SETENFORCE}; do
- test -x $i && continue
- echo "$i is missing in the system."
- echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
- exit 1
-done
-
-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
- echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
- ${SETENFORCE} 0
- ${FIXFILES} -F -f relabel
- /bin/rm -f /.autorelabel
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
-
-exit 0
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb
deleted file mode 100644
index a919445..0000000
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "SELinux autorelabel script"
-DESCRIPTION = "\
-Script to reset SELinux labels on the root file system when /.autorelabel \
-file is present.\
-"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-RDEPENDS:${PN} = " \
- policycoreutils-setfiles \
-"
-
-SRC_URI = "file://${BPN}.sh \
- file://${BPN}.service \
- "
-
-INITSCRIPT_PARAMS = "start 01 S ."
-
-require selinux-initsh.inc
-
-do_install:append() {
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- echo "# first boot relabelling" > ${D}/.autorelabel
- fi
-}
diff --git a/recipes-security/selinux/selinux-init/selinux-init.service b/recipes-security/selinux/selinux-init/selinux-init.service
deleted file mode 100644
index 91b3e72..0000000
--- a/recipes-security/selinux/selinux-init/selinux-init.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=SELinux init service loading
-DefaultDependencies=no
-After=local-fs.target
-Before=sysinit.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/selinux-init.sh
-
-[Install]
-WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
deleted file mode 100644
index f93d231..0000000
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/selinuxenabled 2>/dev/null || exit 0
-
-CHCON=/usr/bin/chcon
-MATCHPATHCON=/usr/sbin/matchpathcon
-RESTORECON=/sbin/restorecon
-SECON=/usr/bin/secon
-SETENFORCE=/usr/sbin/setenforce
-
-for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
- test -x $i && continue
- echo "$i is missing in the system."
- echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
- exit 1
-done
-
-check_rootfs()
-{
- ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0
- echo ""
- echo "* SELinux requires the root '/' filesystem support extended"
- echo " filesystem attributes (XATTRs). It does not appear that this"
- echo " filesystem has extended attribute support or it is not enabled."
- echo ""
- echo " - To continue using SELinux you will need to enable extended"
- echo " attribute support on the root device."
- echo ""
- echo " - To disable SELinux, please add \"selinux=0\" in the kernel"
- echo " command line."
- echo ""
- echo "* Halting the system now."
- /sbin/shutdown -f -h now
-}
-
-# sysvinit firstboot relabel placeholder HERE
-
-exit 0
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
deleted file mode 100644
index d4f3f71..0000000
--- a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
+++ /dev/null
@@ -1,14 +0,0 @@
-# Contents will be added to selinux-init.sh to support relabelling with sysvinit
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * First booting, filesystem will be relabeled..."
- test -x /etc/init.d/auditd && /etc/init.d/auditd start
- ${SETENFORCE} 0
- ${RESTORECON} -RF /
- ${RESTORECON} -F /
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
deleted file mode 100644
index c97316e..0000000
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ /dev/null
@@ -1,25 +0,0 @@
-SUMMARY = "SELinux init script"
-DESCRIPTION = "\
-Script to detect and attempt to correct a misconfigured SELinux system at \
-boot time. \
-"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-RDEPENDS:${PN} = " \
- coreutils \
- libselinux-bin \
- policycoreutils-secon \
- policycoreutils-setfiles \
-"
-
-SRC_URI = " \
- file://${BPN}.sh \
- file://${BPN}.sh.sysvinit \
- file://${BPN}.service \
-"
-
-INITSCRIPT_PARAMS = "start 01 S ."
-
-require selinux-initsh.inc
diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc
deleted file mode 100644
index f6a3d85..0000000
--- a/recipes-security/selinux/selinux-initsh.inc
+++ /dev/null
@@ -1,41 +0,0 @@
-S ?= "${WORKDIR}"
-SECTION ?= "base"
-
-# Default is for script name to be the same as the recipe name.
-# Script must have .sh suffix.
-SELINUX_SCRIPT_SRC ?= "${BPN}"
-SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
-
-INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
-INITSCRIPT_PARAMS ?= "start 00 S ."
-
-CONFFILES:${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
-
-PACKAGE_ARCH ?= "${MACHINE_ARCH}"
-
-inherit update-rc.d systemd
-
-SYSTEMD_SERVICE:${PN} = "${SELINUX_SCRIPT_SRC}.service"
-
-FILES:${PN} += "/.autorelabel"
-
-do_install () {
- install -d ${D}${sysconfdir}/init.d/
- install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
- # Insert the relabelling code which is only needed with sysvinit
- sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
- -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
- ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
- sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
- fi
-}
-
-sysroot_stage_all:append () {
- sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
-}
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
deleted file mode 100644
index 96142a3..0000000
--- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=SELinux init for /dev service loading
-DefaultDependencies=no
-Before=sysinit.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/selinux-labeldev.sh
-
-[Install]
-WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
deleted file mode 100644
index 62e7a42..0000000
--- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-/usr/sbin/selinuxenabled 2>/dev/null || exit 0
-
-CHCON=/usr/bin/chcon
-MATCHPATHCON=/usr/sbin/matchpathcon
-RESTORECON=/sbin/restorecon
-
-for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
- test -x $i && continue
- echo "$i is missing in the system."
- echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
- exit 1
-done
-
-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
-exit 0
diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux/selinux-labeldev_0.1.bb
deleted file mode 100644
index d29efec..0000000
--- a/recipes-security/selinux/selinux-labeldev_0.1.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "SELinux init script"
-DESCRIPTION = "Set SELinux labels for /dev."
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-RDEPENDS:${PN} = " \
- coreutils \
- libselinux-bin \
- policycoreutils-setfiles \
-"
-
-SRC_URI = "file://${BPN}.sh \
- file://${BPN}.service \
- "
-
-SELINUX_SCRIPT_DST = "0${BPN}"
-
-require selinux-initsh.inc
-- cgit v1.2.3-54-g00ecf