[meta-selinux][PATCH 0/2] dhcp: restorecon for dhcpd*.leases from initscript

[meta-selinux][PATCH 0/2] dhcp: restorecon for dhcpd*.leases from initscript

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

dhcp-server fails to start since /var/lib/dhcpd.leases has incorrect
contexts: dhcp_state_t, it should be: dhcpd_state_t.

* make a local copy of init-server
* update init-server to restorecon for dhcpd*.lesses before starting dhcp server.

The following changes since commit 7984856ca2c6ef7a1c8d5bee3f8ec3e8031ee971:

  setools: Add bison-native and flex-native to DEPENDS (2014-06-02 09:16:33 -0500)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib wenzong/dhcp
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/dhcp

Wenzong Fan (2):
  dhcp: make a copy of init-server
  dhcp/init-server: restorecon for dhcpd*.leases

 recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend |    3 ++
 recipes-connectivity/dhcp/files/init-server      |   52 ++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend
 create mode 100644 recipes-connectivity/dhcp/files/init-server

-- 
1.7.9.5

[meta-selinux][PATCH 1/2] dhcp: make a copy of init-server

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend |    3 ++
 recipes-connectivity/dhcp/files/init-server      |   44 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend
 create mode 100644 recipes-connectivity/dhcp/files/init-server

diff --git a/recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend b/recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend
new file mode 100644
index 0000000..900c2aa
--- /dev/null
+++ b/recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend
@@ -0,0 +1,3 @@
+inherit with-selinux
+
+FILESEXTRAPATHS_prepend := "${@target_selinux(d, '${THISDIR}/files:')}"
diff --git a/recipes-connectivity/dhcp/files/init-server b/recipes-connectivity/dhcp/files/init-server
new file mode 100644
index 0000000..34c2085
--- /dev/null
+++ b/recipes-connectivity/dhcp/files/init-server
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $
+#
+
+test -f /usr/sbin/dhcpd || exit 0
+
+# It is not safe to start if we don't have a default configuration...
+if [ ! -f /etc/default/dhcp-server ]; then
+	echo "/etc/default/dhcp-server does not exist! - Aborting..."
+	exit 0
+fi
+
+# Read init script configuration (so far only interfaces the daemon
+# should listen on.)
+. /etc/default/dhcp-server
+
+case "$1" in
+	start)
+		echo -n "Starting DHCP server: "
+		test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
+		test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases	
+		start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES
+		echo "."
+		;;
+	stop)
+		echo -n "Stopping DHCP server: dhcpd3"
+		start-stop-daemon -K -x /usr/sbin/dhcpd
+		echo "."
+		;;
+	restart | force-reload)
+		$0 stop
+		sleep 2
+		$0 start
+		if [ "$?" != "0" ]; then
+			exit 1
+		fi
+		;;
+	*)
+		echo "Usage: /etc/init.d/dhcp-server {start|stop|restart|force-reload}"
+		exit 1 
+esac
+
+exit 0
-- 
1.7.9.5

[meta-selinux][PATCH 2/2] dhcp/init-server: restorecon for dhcpd*.leases

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

dhcp-server fails to start with avc denied error:

  avc: denied { read } for pid=571 comm="dhcpd" \
  name="dhcpd.leases" dev="hda" ino=63911 \
  scontext=system_u:system_r:dhcpd_t:s0-s15:c0.c1023 \
  tcontext=system_u:object_r:dhcp_state_t:s0 tclass=file

The type for dhcpd.leases is not correct, just fix it before dhcp-
server started.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 recipes-connectivity/dhcp/files/init-server |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/recipes-connectivity/dhcp/files/init-server b/recipes-connectivity/dhcp/files/init-server
index 34c2085..1d03d7e 100644
--- a/recipes-connectivity/dhcp/files/init-server
+++ b/recipes-connectivity/dhcp/files/init-server
@@ -15,11 +15,19 @@ fi
 # should listen on.)
 . /etc/default/dhcp-server
 
+# Restorecon for /var/lib/dhcp/{dhcpd.leases,dhcpd6.leases}
+restorecon_dhcpd_leases(){
+	test ! -x /sbin/restorecon || for x in dhcpd.leases dhcpd6.leases; do
+		[ -f /var/lib/dhcp/$x ] && /sbin/restorecon -F /var/lib/dhcp/$x
+	done
+}
+
 case "$1" in
 	start)
 		echo -n "Starting DHCP server: "
 		test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
 		test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases	
+		restorecon_dhcpd_leases
 		start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES
 		echo "."
 		;;
-- 
1.7.9.5

Re: [meta-selinux][PATCH 0/2] dhcp: restorecon for dhcpd*.leases from initscript

[wenzong fan]

Recall this patch since the dhcp in oe-core has been updated to 4.3.0.

I'll send v2 after fixed the version number for bbappend.

Sorry for the inconvenience.

// Wenzong

On 06/06/2014 06:00 PM, wenzong.fan@windriver.com wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
>
> dhcp-server fails to start since /var/lib/dhcpd.leases has incorrect
> contexts: dhcp_state_t, it should be: dhcpd_state_t.
>
> * make a local copy of init-server
> * update init-server to restorecon for dhcpd*.lesses before starting dhcp server.
>
> The following changes since commit 7984856ca2c6ef7a1c8d5bee3f8ec3e8031ee971:
>
>    setools: Add bison-native and flex-native to DEPENDS (2014-06-02 09:16:33 -0500)
>
> are available in the git repository at:
>
>    git://git.pokylinux.org/poky-contrib wenzong/dhcp
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/dhcp
>
> Wenzong Fan (2):
>    dhcp: make a copy of init-server
>    dhcp/init-server: restorecon for dhcpd*.leases
>
>   recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend |    3 ++
>   recipes-connectivity/dhcp/files/init-server      |   52 ++++++++++++++++++++++
>   2 files changed, 55 insertions(+)
>   create mode 100644 recipes-connectivity/dhcp/dhcp_4.2.5-P1.bbappend
>   create mode 100644 recipes-connectivity/dhcp/files/init-server
>