From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: "José Pekkarinen" <jose.pekkarinen@unikie.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2] package/libselinux: Add autorelabel for first boot
Date: Thu, 19 Aug 2021 23:05:17 +0200
Message-ID: <20210819210517.GF27036@scaer>
In-Reply-To: <20210819092904.2942827-1-jose.pekkarinen@unikie.com>
José, All,
On 2021-08-19 12:29 +0300, José Pekkarinen spake thusly:
> Currently buildroot ship libselinux without triggering
> this option, which often shows inconsistencies between
> what the refpolicy defines as a label for a file and
> what the actual file has. Triggering an initial relabel
> would help activating enforcing state right away without
> requiring to enter it once in permissive and tweak the
> labels.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> [ v1 -> v2 ] Fix if statement in libselinux recipe
>
> package/libselinux/Config.in | 7 +++++++
> package/libselinux/libselinux.mk | 3 +++
> 2 files changed, 10 insertions(+)
>
> diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
> index 62070c8d59..df8bd7ffd0 100644
> --- a/package/libselinux/Config.in
> +++ b/package/libselinux/Config.in
> @@ -18,3 +18,10 @@ config BR2_PACKAGE_LIBSELINUX
>
> comment "libselinux needs a toolchain w/ threads, dynamic library"
> depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
> +
> +config BR2_PACKAGE_LIBSELINUX_AUTORELABEL
> + bool
> + depends on BR2_PACKAGE_LIBSELINUX
> + depends on BR2_PACKAGE_FINDUTILS
> + depends on BR2_PACKAGE_GREP
> + default y
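Review bot: BR2_PACKAGE_LIBSELINUX_AUTORELABEL is a bare `bool` with `default y` and neither a prompt nor a `help` block, so it is silently enabled on every libselinux build that also has findutils and grep, and cannot be switched off from menuconfig; give it a prompt such as `bool "relabel the filesystem on first boot"` and help text that explains the `.autorelabel` marker it puts in the image. The `depends on BR2_PACKAGE_FINDUTILS` / `depends on BR2_PACKAGE_GREP` lines are also left unexplained by this hunk: if the first-boot relabel script needs them at runtime, say so in the help text and consider `select ... # runtime`, which is how Buildroot usually expresses runtime dependencies.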
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> index fdd13aa942..adf4b3d6f6 100644
> --- a/package/libselinux/libselinux.mk
> +++ b/package/libselinux/libselinux.mk
> @@ -71,6 +71,9 @@ define LIBSELINUX_INSTALL_TARGET_CMDS
> $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR) \
> $(LIBSELINUX_MAKE_INSTALL_TARGETS)
> + $(if $(BR2_PACKAGE_LIBSELINUX_AUTORELABEL),
> + echo "-F" > $(TARGET_DIR)/.autorelabel
> + mkdir $(TARGET_DIR)/var/lib/selinux)
Isn't this going to fail on read-only filesystems? Relabelling supposedly
requires that extended attributes be added/updated/removed, and that
requires a read-write filesystem...
Can't we do the re-labelling at the time we create the filesystem, i.e.
in fs/common.mk?
And it seems we already have that:
    ifeq ($(BR2_PACKAGE_REFPOLICY),y)
    define ROOTFS_SELINUX
        $(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
            -c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \
            $(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \
            $(TARGET_DIR)
    endef
    ROOTFS_COMMON_DEPENDENCIES += host-policycoreutils
    endif
So why is the labelling wrong? Can't we fix it right there rather than
at runtime?
Regards,
Yann E. MORIN.
> if ! grep -q "selinuxfs" $(TARGET_DIR)/etc/fstab; then \
> echo "none /sys/fs/selinux selinuxfs noauto 0 0" >> $(TARGET_DIR)/etc/fstab ; fi
> endef
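Review bot: `mkdir $(TARGET_DIR)/var/lib/selinux` has no `-p`, so the install step aborts on any rebuild where the directory already exists (or was created by another package); use `mkdir -p`. The `$(if $(BR2_PACKAGE_LIBSELINUX_AUTORELABEL), ...)` spanning two recipe lines inside the define is also unlike the rest of the file: Buildroot normally puts such a conditional step in its own `ifeq ($(BR2_PACKAGE_LIBSELINUX_AUTORELABEL),y)` block with a separate `define LIBSELINUX_INSTALL_AUTORELABEL` registered through `LIBSELINUX_POST_INSTALL_TARGET_HOOKS`. Finally, `.autorelabel` is written into the image itself, so unless init can delete it after the relabel (which a read-only rootfs cannot), the marker is present on every boot, not only the first.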
> --
> 2.25.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
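To make the disagreement the commit message describes concrete (what file_contexts says a path should carry versus what the file actually has) and to show what the `-F` written into `.autorelabel` changes, here is an added Python illustration. It is example code written for this page, not Buildroot's, libselinux's or setfiles' own implementation: the file_contexts entries and the tree of "current" labels are constructed sample data, the matcher only models the "last matching entry wins" rule and the file-type specifiers, and it ignores stem sorting, customizable types and file_contexts.local.

```python
"""Toy model of SELinux file_contexts matching plus a label consistency
check, added to this thread as an illustration; not Buildroot's,
libselinux's or setfiles' code.  The spec file and the "current labels"
of the tree are constructed sample data, not read from a real image."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed refpolicy-style file_contexts.  Generic patterns come first
# and specific ones later, because the last matching entry wins.
SAMPLE_FILE_CONTEXTS = """\
/.*                   system_u:object_r:default_t:s0
/bin(/.*)?            system_u:object_r:bin_t:s0
/etc(/.*)?            system_u:object_r:etc_t:s0
/etc/shadow       --  system_u:object_r:shadow_t:s0
/var/run(/.*)?    -d  system_u:object_r:var_run_t:s0
/proc                 <<none>>
"""

# file_contexts type specifiers -> one-letter file type used by the tree
# model below ('f' regular file, 'd' directory, 'l' symlink, ...).
_TYPE_FLAGS = {"--": "f", "-d": "d", "-l": "l", "-c": "c", "-b": "b",
               "-s": "s", "-p": "p"}


class Spec(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]      # None: applies to any file type
    context: Optional[str]    # None: <<none>>, leave the file unlabelled


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [-type] context' lines; '#' starts a comment."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in _TYPE_FLAGS:
            regex, ftype, context = fields[0], _TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed spec {raw!r}")
        specs.append(Spec(re.compile(regex), ftype,
                          None if context == "<<none>>" else context))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Context the spec file assigns to path (regexes are implicitly anchored
    at both ends); None when the winning entry is <<none>> or nothing matches."""
    for spec in reversed(specs):          # later entries take precedence
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def find_mismatches(specs: List[Spec],
                    tree: Dict[str, Tuple[str, Optional[str]]],
                    force: bool = False) -> List[Tuple[str, Optional[str], str]]:
    """Return (path, current, expected) for every file a relabel would touch.
    tree maps path -> (ftype, current security.selinux value or None).
    Like restorecon/setfiles without -F, only the type field is compared;
    with force (the -F the patch writes into .autorelabel) the whole
    user:role:type:level context must match.  Customizable types, which
    setfiles also skips without -F, are not modelled (simplification)."""
    def key(ctx: Optional[str]) -> Optional[str]:
        if ctx is None:
            return None
        return ctx if force else ctx.split(":")[2]

    fixes = []
    for path, (ftype, current) in sorted(tree.items()):
        expected = lookup(specs, path, ftype)
        if expected is None:              # <<none>> or no spec: left alone
            continue
        if key(current) != key(expected):
            fixes.append((path, current, expected))
    return fixes


# Constructed image tree as it might look out of a build that never ran
# setfiles, or ran it against a different policy than the one shipped.
SAMPLE_TREE: Dict[str, Tuple[str, Optional[str]]] = {
    "/bin/sh":      ("f", None),                                # never labelled
    "/etc/fstab":   ("f", "system_u:object_r:etc_t:s0"),        # correct
    "/etc/shadow":  ("f", "system_u:object_r:etc_t:s0"),        # wrong type
    "/etc/selinux": ("d", "unconfined_u:object_r:etc_t:s0"),    # only user differs
    "/var/run":     ("d", "system_u:object_r:var_run_t:s0"),    # correct
    "/proc":        ("d", None),                                # <<none>>
}

SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    for force in (False, True):
        print(f"force={force}:")
        for path, cur, exp in find_mismatches(SPECS, SAMPLE_TREE, force):
            print(f"  {path}: {cur} -> {exp}")
```

Run against the constructed tree, the plain check reports `/bin/sh` (never labelled) and `/etc/shadow` (etc_t where shadow_t is expected); only the forced check also reports `/etc/selinux`, whose type is right but whose user part differs. That is the difference between a build-time `setfiles` pass over `$(TARGET_DIR)` and a first-boot `fixfiles -F`: both fix the first two, but only `-F` rewrites the whole context.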
Thread overview: 9+ messages
2021-08-19 9:29 [Buildroot] [PATCH v2] package/libselinux: Add autorelabel for first boot José Pekkarinen
2021-08-19 21:05 ` Yann E. MORIN [this message]
2021-08-20 12:19 ` José Pekkarinen
2021-08-20 19:15 ` Yann E. MORIN
2021-08-20 19:16 ` Yann E. MORIN
2021-08-23 5:43 ` José Pekkarinen
2021-08-23 14:19 ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
2021-08-25 11:33 ` José Pekkarinen
2021-09-03 6:53 ` José Pekkarinen