* [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel
@ 2019-09-05 8:57 Yi Zhao
2019-09-05 11:57 ` Joe MacDonald
0 siblings, 1 reply; 4+ messages in thread
From: Yi Zhao @ 2019-09-05 8:57 UTC (permalink / raw)
To: yocto, joe, Joe_MacDonald
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/fixfiles. The relabel operation
is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
to ensure the enforcing mode is disabled before relabel.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
# If /.autorelabel placed, the whole file system should be relabeled
if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ echo "0" > /sys/fs/selinux/enforce
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel
2019-09-05 8:57 [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel Yi Zhao
@ 2019-09-05 11:57 ` Joe MacDonald
2019-09-06 3:31 ` Yi Zhao
0 siblings, 1 reply; 4+ messages in thread
From: Joe MacDonald @ 2019-09-05 11:57 UTC (permalink / raw)
To: Yi Zhao; +Cc: yocto
[-- Attachment #1: Type: text/plain, Size: 1666 bytes --]
[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
> when first boot with bootparams="selinux=1 enforcing=1". At first boot,
> all files are unlabeled including /sbin/fixfiles. The relabel operation
> is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
> to ensure the enforcing mode is disabled before relabel.
Did you try this with '/usr/sbin/setenforce 0' instead? The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively. If that's not working, please just include a bit
of an explanation for why this is the best option.
Thanks.
-J.
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> index 154dad1..cb40971 100644
> --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> @@ -13,6 +13,7 @@ fi
> # If /.autorelabel placed, the whole file system should be relabeled
> if [ -f /.autorelabel ]; then
> echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
> + echo "0" > /sys/fs/selinux/enforce
> ${FIXFILES} -F -f relabel
> /bin/rm -f /.autorelabel
> echo " * Relabel done, rebooting the system."
> --
> 2.7.4
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 201 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel
2019-09-05 11:57 ` Joe MacDonald
@ 2019-09-06 3:31 ` Yi Zhao
2019-09-06 17:05 ` Joe MacDonald
0 siblings, 1 reply; 4+ messages in thread
From: Yi Zhao @ 2019-09-06 3:31 UTC (permalink / raw)
To: Joe MacDonald; +Cc: yocto
On 9/5/19 7:57 PM, Joe MacDonald wrote:
> [[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
>
>> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
>> when first boot with bootparams="selinux=1 enforcing=1". At first boot,
>> all files are unlabeled including /sbin/fixfiles. The relabel operation
>> is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
>> to ensure the enforcing mode is disabled before relabel.
> Did you try this with '/usr/sbin/setenforce 0' instead? The rationale
> makes sense but going straight at sysfs like that isn't the right
> approach intuitively. If that's not working, please just include a bit
> of an explanation for why this is the best option.
It also works with setenforce.
I referred to the selinux-autorelabel script on Fedora 30, it uses `echo
"0" > /sys/fs/selinux/enforce` to disables enforcing mode:
cat /usr/libexec/selinux/selinux-autorelabel
[snip]
32 relabel_selinux() {
33 # if /sbin/init is not labeled correctly this process is
running in the
34 # wrong context, so a reboot will be required after relabel
35 AUTORELABEL=
36 . /etc/selinux/config
37 echo "0" > /sys/fs/selinux/enforce
38 [ -x /bin/plymouth ] && plymouth --quit
39
[snip]
//Yi
>
> Thanks.
> -J.
>
>> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> ---
>> recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
>> index 154dad1..cb40971 100644
>> --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
>> +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
>> @@ -13,6 +13,7 @@ fi
>> # If /.autorelabel placed, the whole file system should be relabeled
>> if [ -f /.autorelabel ]; then
>> echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
>> + echo "0" > /sys/fs/selinux/enforce
>> ${FIXFILES} -F -f relabel
>> /bin/rm -f /.autorelabel
>> echo " * Relabel done, rebooting the system."
>> --
>> 2.7.4
>>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel
2019-09-06 3:31 ` Yi Zhao
@ 2019-09-06 17:05 ` Joe MacDonald
0 siblings, 0 replies; 4+ messages in thread
From: Joe MacDonald @ 2019-09-06 17:05 UTC (permalink / raw)
To: Yi Zhao; +Cc: yocto
[-- Attachment #1: Type: text/plain, Size: 3161 bytes --]
[Re: [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.06 (Fri 11:31) Yi Zhao wrote:
>
> On 9/5/19 7:57 PM, Joe MacDonald wrote:
> > [[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
> >
> > > The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
> > > when first boot with bootparams="selinux=1 enforcing=1". At first boot,
> > > all files are unlabeled including /sbin/fixfiles. The relabel operation
> > > is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
> > > to ensure the enforcing mode is disabled before relabel.
> > Did you try this with '/usr/sbin/setenforce 0' instead? The rationale
> > makes sense but going straight at sysfs like that isn't the right
> > approach intuitively. If that's not working, please just include a bit
> > of an explanation for why this is the best option.
>
> It also works with setenforce.
>
> I referred to the selinux-autorelabel script on Fedora 30, it uses `echo "0"
> > /sys/fs/selinux/enforce` to disables enforcing mode:
>
> cat /usr/libexec/selinux/selinux-autorelabel
>
> [snip]
> 32 relabel_selinux() {
> 33 # if /sbin/init is not labeled correctly this process is running
> in the
> 34 # wrong context, so a reboot will be required after relabel
> 35 AUTORELABEL=
> 36 . /etc/selinux/config
> 37 echo "0" > /sys/fs/selinux/enforce
> 38 [ -x /bin/plymouth ] && plymouth --quit
> 39
> [snip]
Okay, but our version of the script is much less complex than the Fedora
one and we already have the precedent of calling fixfiles by full path
and variable, I'd rather keep the script consistent in style. If you
want to propose replacing our selinux-autorelabel.sh with the one from
Fedora, please submit a patch for that, but for this patch I'd just
rather see the style remain consistent with what's already there.
Thanks.
-J.
>
>
> //Yi
>
>
> >
> > Thanks.
> > -J.
> >
> > > Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> > > ---
> > > recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> > > index 154dad1..cb40971 100644
> > > --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> > > +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> > > @@ -13,6 +13,7 @@ fi
> > > # If /.autorelabel placed, the whole file system should be relabeled
> > > if [ -f /.autorelabel ]; then
> > > echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
> > > + echo "0" > /sys/fs/selinux/enforce
> > > ${FIXFILES} -F -f relabel
> > > /bin/rm -f /.autorelabel
> > > echo " * Relabel done, rebooting the system."
> > > --
> > > 2.7.4
> > >
--
-Joe MacDonald.
Linux Architect | Mentor® A Siemens Business
:wq
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 201 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-09-06 17:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-09-05 8:57 [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel Yi Zhao
2019-09-05 11:57 ` Joe MacDonald
2019-09-06 3:31 ` Yi Zhao
2019-09-06 17:05 ` Joe MacDonald
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.