From d2711cfdb2d1872b9c12512112f086bf4561ffdd Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Fri, 16 Nov 2012 15:31:38 +0800 Subject: selinux-config: update the init script Fix the hard-coded security type for /dev/null and /dev/console. Check rootfs if support xattrs before do relabel. Signed-off-by: Xin Ouyang --- .../selinux/selinux-config/selinux-init.sh | 50 +++++++++++++++++----- recipes-security/selinux/selinux-config_0.1.bb | 2 +- 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/recipes-security/selinux/selinux-config/selinux-init.sh b/recipes-security/selinux/selinux-config/selinux-init.sh index 55c503f..1cdc3dd 100644 --- a/recipes-security/selinux/selinux-config/selinux-init.sh +++ b/recipes-security/selinux/selinux-config/selinux-init.sh @@ -2,20 +2,48 @@ /usr/sbin/selinuxenabled 2>/dev/null || exit 0 +CHCON=/usr/bin/chcon +MATCHPATHCON=/usr/sbin/matchpathcon +FIXFILES=/sbin/fixfiles +RESTORECON=/sbin/restorecon + +for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ; do + test -x $i && continue + echo "$i is missing in the system." + echo "Please add \"selinux=0\" in the kernel command line to disable SELinux." + exit 1 +done + +check_rootfs() +{ + ${CHCON} `${MATCHPATHCON} -n /` / >/dev/null 2>&1 && return 0 + echo "" + echo "* SELinux requires the root '/' filesystem support extended" + echo " filesystem attributes (XATTRs). It does not appear that this" + echo " filesystem has extended attribute support or it is not enabled." + echo "" + echo " - To continue using SELinux you will need to enable extended" + echo " attribute support on the root device." + echo "" + echo " - To disable SELinux, please add \"selinux=0\" in the kernel" + echo " command line." + echo "" + echo "* Halting the system now." + /sbin/shutdown -f -h now +} + # Because /dev/console is not relabeled by kernel, many commands # would can not use it, including restorecon. -if [ -x /usr/bin/chcon ]; then - /usr/bin/chcon -t null_device_t /dev/null - /usr/bin/chcon -t console_device_t /dev/console -fi +${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null +${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console # If /.autorelabel placed, the whole file system should be relabeled -test ! -x /sbin/fixfiles || if [ -f /.autorelabel ]; then echo "Checking SELinux security contexts:" + check_rootfs echo " * /.autorelabel placed, filesystem will be relabeled..." - /sbin/fixfiles -F -f relabel + ${FIXFILES} -F -f relabel /bin/rm -f /.autorelabel echo " * Relabel done, rebooting the system." /sbin/reboot -f @@ -23,17 +51,19 @@ fi # If first booting, the security context type of init would be # "kernel_t", and the whole file system should be relabeled. -test ! -x /sbin/restorecon || if [ "`/usr/bin/secon -t --pid 1`" = "kernel_t" ]; then echo "Checking SELinux security contexts:" + check_rootfs echo " * First booting, filesystem will be relabeled..." test -x /etc/init.d/auditd && /etc/init.d/auditd start /usr/sbin/setenforce 0 - /sbin/restorecon -R / - /sbin/restorecon / + ${RESTORECON} -R / + ${RESTORECON} / echo " * Relabel done, rebooting the system." /sbin/reboot -f fi # Now, we should relabel /dev for most services. -test ! -x /sbin/restorecon || /sbin/restorecon -R /dev +${RESTORECON} -R /dev + +exit 0 diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb index 48b9362..9521dcf 100644 --- a/recipes-security/selinux/selinux-config_0.1.bb +++ b/recipes-security/selinux/selinux-config_0.1.bb @@ -8,7 +8,7 @@ This is the configuration files for SELinux on WRLinux system. \ SECTION = "base" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -PR = "r1" +PR = "r2" SRC_URI = "file://selinux-init.sh" -- cgit v1.2.3-54-g00ecf