From 3b2088b2bd2d7667c6a47c07dba32ec7ddc5a3ae Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Wed, 19 Sep 2012 16:31:24 +0800
Subject: selinux-config: add init script

This script will be installed as 0selinux-init, in runlevel S and sequence number 0. It will start before any other init script.

* relabel /dev for restorecon/fixfiles running
* rebuild policy and relabel the rootfs if /.autorelabel placed.
* relabel the rootfs if it is first booting.

Signed-off-by: Xin Ouyang
---
 .../selinux/selinux-config/selinux-init.sh | 39 ++++++++++++++++++++++
 recipes-security/selinux/selinux-config_0.1.bb | 16 +++++++--
 2 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-config/selinux-init.sh

diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh
new file mode 100644
index 0000000..55c503f
--- /dev/null
+++ b/recipes-security/selinux/selinux-config/selinux-init.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+if [ -x /usr/bin/chcon ]; then
+ /usr/bin/chcon -t null_device_t /dev/null
+ /usr/bin/chcon -t console_device_t /dev/console
+fi
+
+
+# If /.autorelabel placed, the whole file system should be relabeled
+test ! -x /sbin/fixfiles ||
+if [ -f /.autorelabel ]; then
+ echo "Checking SELinux security contexts:"
+ echo " * /.autorelabel placed, filesystem will be relabeled..."
+ /sbin/fixfiles -F -f relabel
+ /bin/rm -f /.autorelabel
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot -f
+fi
+
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+test ! -x /sbin/restorecon ||
+if [ "`/usr/bin/secon -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ /usr/sbin/setenforce 0
+ /sbin/restorecon -R /
+ /sbin/restorecon /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot -f
+fi
+
+# Now, we should relabel /dev for most services.
+test ! -x /sbin/restorecon || /sbin/restorecon -R /dev
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index c0ed158..48b9362 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
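Review bot: Both relabel branches run their relabel command unchecked and then unconditionally delete /.autorelabel and call `/sbin/reboot -f`, so a failing or interrupted `fixfiles -F -f relabel` (and likewise `restorecon -R /` in the first-boot branch) still produces a reboot into a partially labeled rootfs with the marker file gone and, quite possibly, init no longer in kernel_t, leaving nothing to trigger a retry while the policy is enforced. Gate the marker removal and the reboot on the relabel's exit status and keep /.autorelabel on failure so the next boot retries, and apply the same pattern to the first-boot branch. As a style point, the backtick substitution on the secon line reads better as `$(/usr/bin/secon -t --pid 1)`.
```sh
if /sbin/fixfiles -F -f relabel; then
	/bin/rm -f /.autorelabel
	echo " * Relabel done, rebooting the system."
	/sbin/reboot -f
else
	echo " * Relabel failed, keeping /.autorelabel for the next boot." >&2
fi
# … unchanged: first-boot (kernel_t) branch and the /dev relabel …
```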
@@ -8,13 +8,25 @@ This is the configuration files for SELinux on WRLinux system. \
 SECTION = "base"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-PR = "r0"
+PR = "r1"
 
-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
+SRC_URI = "file://selinux-init.sh"
+
+inherit update-rc.d
+
+INITSCRIPT_NAME = "0selinux-init"
+INITSCRIPT_PARAMS = "start 00 S ."
+
+CONFFILES_${PN} += "${sysconfdir}/selinux/config \
+ ${sysconfdir}/init.d/0selinux-init \
+ "
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 do_install () {
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
+
 echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
-- 
cgit v1.2.3-54-g00ecf
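Review bot: The recipe wires the script into runlevel S but, as far as this hunk shows, declares no `RDEPENDS_${PN}` on the packages providing fixfiles, restorecon, secon and setenforce (policycoreutils and the libselinux utilities), so on an image that lacks them the script's `test ! -x` guards silently skip the relabel and the system may come up enforcing on an unlabeled rootfs; if such a dependency is declared above line 8, outside the hunk, disregard this. Listing `${sysconfdir}/init.d/0selinux-init` under `CONFFILES_${PN}` means a locally edited copy is never replaced on package upgrade, which is unusual for an init script as opposed to a configuration file; keeping only `${sysconfdir}/selinux/config` in CONFFILES seems safer. `SRC_URI = "file://selinux-init.sh"` assigns rather than appends and would clobber any SRC_URI set earlier in the recipe, so `SRC_URI += "file://selinux-init.sh"` is the safer form if one exists. The body of do_install continues past the end of the hunk.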