selinux-init: use systemd (re)labelling

Boot loops were being seen when booting with selinux enabled, when the init system in use is systemd. Once logs were retrieved from the failing system the error was found to be selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct: Read-only file system selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: Read-only file system Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code used by selinux-init.sh is unable to handle this. On top of this the system is basically presenting two methods of (re)labelling; using the built in systemd approach via selinux-autorelabel.service *and* the code we have in selinux-init.sh. This can get confusing especially given that most online resources will speak to the systemd approach using selinux-autorelabel.service and /.autorelabel. These changes leave the current approach in place when sysvinit is the init system used, but if systemd is being used we make use of it's internal (re)labelling functionality. Overall the workflow remains the same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw during the (re)labelling procedure). Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Mark Asselstine <mark.asselstine@windriver.com> 2019-08-23 14:19:53 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2019-08-28 10:28:06 -0400
commit: b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f (patch)
tree: efd7892420692eea1e4d9217a082b1aa1b241161 /recipes-security
parent: a41f48260654e0e444603c6a595444c450e6c3f5 (diff)
download: meta-selinux-b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f.tar.gz
4 files changed, 28 insertions, 16 deletions
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux/selinux-init/selinux-init.sh
index ead4f00..f93d231 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -33,18 +33,6 @@ check_rootfs()
        /sbin/shutdown -f -h now
 }
-# If first booting, the security context type of init would be
+# sysvinit firstboot relabel placeholder HERE
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
-        echo "Checking SELinux security contexts:"
-        check_rootfs
-        echo " * First booting, filesystem will be relabeled..."
-        test -x /etc/init.d/auditd && /etc/init.d/auditd start
-        ${SETENFORCE} 0
-        ${RESTORECON} -RF /
-        ${RESTORECON} -F /
-        echo " * Relabel done, rebooting the system."
-        /sbin/reboot
-fi
 exit 0
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
new file mode 100644
index 0000000..d4f3f71
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+        echo "Checking SELinux security contexts:"
+        check_rootfs
+        echo " * First booting, filesystem will be relabeled..."
+        test -x /etc/init.d/auditd && /etc/init.d/auditd start
+        ${SETENFORCE} 0
+        ${RESTORECON} -RF /
+        ${RESTORECON} -F /
+        echo " * Relabel done, rebooting the system."
+        /sbin/reboot
+fi
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux/selinux-init_0.1.bb
index 38b5900..78f571c 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \
    policycoreutils-setfiles \
 "
-SRC_URI = "file://${BPN}.sh \
+SRC_URI = " \
-                file://${BPN}.service \
+    file://${BPN}.sh \
-        "
+    file://${BPN}.sh.sysvinit \
+    file://${BPN}.service \
+"
 INITSCRIPT_PARAMS = "start 01 S ."
diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc
index bcdd449..8e31cda 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -17,9 +17,15 @@ inherit update-rc.d systemd
 SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
+FILES_${PN} += "/.autorelabel"
 do_install () {
        install -d ${D}${sysconfdir}/init.d/
        install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+        # Insert the relabelling code which is only needed with sysvinit
+        sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+               -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+               ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
        install -d ${D}${systemd_unitdir}/system
        install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
@@ -27,6 +33,8 @@ do_install () {
        if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                install -d ${D}${bindir}
                install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+                sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+                echo "# first boot relabelling" > ${D}/.autorelabel
        fi
 }
author	Mark Asselstine <mark.asselstine@windriver.com>	2019-08-23 14:19:53 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2019-08-28 10:28:06 -0400
commit	b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f (patch)
tree	efd7892420692eea1e4d9217a082b1aa1b241161 /recipes-security
parent	a41f48260654e0e444603c6a595444c450e6c3f5 (diff)
download	meta-selinux-b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f.tar.gz