[Buildroot] [PATCH] package/policycoreutils: Add service to handle selinux autorelabel

José Pekkarinen jose.pekkarinen at unikie.com
Wed Sep 29 11:37:31 UTC 2021


Hi,

Can I get some comments here? I'm starting to do some tests with
2021.08 and I find unlabeled stuff like the following:

[   10.534555] SELinux:  Context Default is not valid (left unmapped).
[   10.562318] audit: type=1400 audit(1632913977.130:4): avc:  denied  { read } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.579085] audit: type=1400 audit(1632913977.146:5): avc:  denied  { open } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[   10.594226] audit: type=1400 audit(1632913977.146:6): avc:  denied  { getattr } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[   10.610371] audit: type=1400 audit(1632913977.146:7): avc:  denied  { search } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.629470] audit: type=1400 audit(1632913977.197:8): avc:  denied  { setattr } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.646993] audit: type=1400 audit(1632913977.214:9): avc:  denied  { write } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.662781] audit: type=1400 audit(1632913977.214:10): avc:  denied  { add_name } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.677266] audit: type=1400 audit(1632913977.214:11): avc:  denied  { create } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1

These make me think adding some way to handle the autorelabel
mechanism is still needed.

Best regards.

José.


On Tue, Sep 7, 2021 at 3:58 PM José Pekkarinen <jose.pekkarinen at unikie.com>
wrote:

> This patch adds a system service to check whether the
> autorelabel via is requested or not, and produce the
> labeling of the system under the loaded final kernel,
> including automatically populated fs by the kernel.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
> ---
>  .../policycoreutils/S00selinux-autorelabel    | 49 +++++++++++++++++++
>  package/policycoreutils/policycoreutils.mk    |  5 ++
>  2 files changed, 54 insertions(+)
>  create mode 100644 package/policycoreutils/S00selinux-autorelabel
>
> diff --git a/package/policycoreutils/S00selinux-autorelabel
> b/package/policycoreutils/S00selinux-autorelabel
> new file mode 100644
> index 0000000000..7a47db891f
> --- /dev/null
> +++ b/package/policycoreutils/S00selinux-autorelabel
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +
> +DAEMON="Autorelabel check"
> +
> +start() {
> +    printf 'Starting %s: ' "$DAEMON"
> +
> +    if [ -f /.autorelabel ]; then
> +        echo "Relabeling"
> +        echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is
> required."
> +        echo "*** Relabeling could take a very long time, depending on
> file"
> +        echo "*** system size and speed of hard drives."
> +        mount -a
> +        setfiles -m -r /
> +
> +        # Remove label
> +        rm -f  /.autorelabel || failed "Failed to remove the autorelabel
> flag"
> +
> +        # Reboot to activate relabeled file system
> +        echo "Automatic reboot in progress."
> +        reboot -f
> +    fi
> +
> +    echo "OK"
> +    return 0
> +}
> +
> +stop() {
> +    printf 'Stopping %s: ' "$DAEMON"
> +    echo "OK"
> +    return 0
> +}
> +
> +restart() {
> +       stop
> +       sleep 1
> +       start
> +}
> +
> +case "$1" in
> +       start|stop|restart)
> +               "$1";;
> +       reload)
> +               # Restart, since there is no true "reload" feature.
> +               restart;;
> +       *)
> +               echo "Usage: $0 {start|stop|restart|reload}"
> +               exit 1
> +esac
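Review bot: the relabel line `setfiles -m -r /` will not relabel anything. setfiles takes the file_contexts spec file and the paths to relabel as positional arguments, and -r consumes its own argument (the alternate root), so here `/` is taken as the root path and no spec file or path is given at all. Use `setfiles /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /` (or `restorecon -R /`), and since ${SELINUXTYPE} is never set anywhere in this script, read it from /etc/selinux/config before the warning message that prints it. The return code of setfiles is also never checked, and `failed` on the `rm -f /.autorelabel` line is not a function defined in this file, so the script falls through to `reboot -f` whether the relabel succeeded or not; if the relabel or the flag removal fails, that is an unbounded relabel-and-reboot loop. Check both results and skip the reboot with a clear message when either fails.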
> diff --git a/package/policycoreutils/policycoreutils.mk
> b/package/policycoreutils/policycoreutils.mk
> index 5290c5b9f8..f698698059 100644
> --- a/package/policycoreutils/policycoreutils.mk
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -93,5 +93,10 @@ define HOST_POLICYCOREUTILS_INSTALL_CMDS
>         )
>  endef
>
> +define POLICYCOREUTILS_INSTALL_INIT_SYSV
> +       $(INSTALL) -m 0755 -D
> package/policycoreutils/S00selinux-autorelabel \
> +               $(TARGET_DIR)/etc/init.d/S00selinux-autorelabel
> +endef
> +
>  $(eval $(generic-package))
>  $(eval $(host-generic-package))
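Review bot: only the SysV init path gets the relabel hook; there is no POLICYCOREUTILS_INSTALL_INIT_SYSTEMD counterpart, so a systemd-based SELinux image built from the same package silently ignores /.autorelabel. Either add a matching service unit in the same patch or say in the commit message that only the SysV/BusyBox init case is covered. The script is also installed unconditionally whenever policycoreutils is built for the target, including images with no SELinux policy, where it will still run `mount -a` and attempt the relabel if the flag file happens to exist.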
> --
> 2.25.1
>
>

-- 

José.
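Every denial quoted in the mail has the same target context, tcontext=system_u:object_r:unlabeled_t, which is the symptom of a filesystem that was never labeled or whose flag-driven relabel never ran. As an added example, not part of the patch and not Buildroot code, the following POSIX shell snippet pulls those objects out of a dmesg or audit capture so a relabel can be confirmed as necessary before rebooting into one. The function names are mine; the sample log is constructed from four of the records in the mail (kept wrapped the way the mail shows them, which the parser rejoins) plus one constructed denial against a labeled var_log_t file as a negative control.

```shell
#!/bin/sh
# Added example, not part of the patch or of Buildroot: list the objects
# behind "tcontext=...:unlabeled_t" AVC denials in a dmesg/audit capture.
# Function names and the sample log below are the author's constructions.

# Read log text on stdin and print one line per distinct unlabeled object:
#   <dev>:<ino> <tclass> <path-or-name> <scontext>
# "?" stands in for dev:ino when the record carries only a name (as the
# add_name/create denials do). Records wrapped by a mail client are
# rejoined first: a line that does not start a new record is glued on.
unlabeled_objects() {
    awk '
        /^\[|^type=/ { if (rec != "") print rec; rec = $0; next }
        { rec = rec " " $0 }
        END { if (rec != "") print rec }
    ' | awk '
        /avc: +denied/ && /tcontext=[^ ]*:unlabeled_t/ {
            gsub(/"/, "")          # drop the quoting around dev=, path=, name=
            dev = ""; ino = ""; cls = ""; path = ""; name = ""; sc = ""
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") < 2) continue
                if (kv[1] == "dev")           dev = kv[2]
                else if (kv[1] == "ino")      ino = kv[2]
                else if (kv[1] == "tclass")   cls = kv[2]
                else if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "path")     path = kv[2]
                else if (kv[1] == "name")     name = kv[2]
            }
            obj = (path != "") ? path : name
            id = ((dev != "" && ino != "") ? (dev ":" ino) : "?")
            key = ((id == "?") ? (id ":" cls ":" obj) : (id ":" cls))
            # Prefer a full path over a bare name for the same inode.
            if (!(key in obj_of) || path != "") obj_of[key] = obj
            id_of[key] = id; cls_of[key] = cls; sc_of[key] = sc
        }
        END { for (k in obj_of) print id_of[k], cls_of[k], obj_of[k], sc_of[k] }
    ' | LC_ALL=C sort
}

# True (exit 0) when at least one denial targeted an unlabeled object,
# i.e. when a relabel is actually needed before the policy can be trusted.
relabel_needed() {
    [ -n "$(unlabeled_objects)" ]
}

# Constructed sample: four auditd denials from the mail, wrapped as the mail
# shows them, plus one constructed denial against a labeled var_log_t file
# (the last record) as a negative control.
SAMPLE_LOG=$(cat <<'EOF'
[   10.534555] SELinux:  Context Default is not valid (left unmapped).
[   10.562318] audit: type=1400 audit(1632913977.130:4): avc:  denied  {
read } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[   10.579085] audit: type=1400 audit(1632913977.146:5): avc:  denied  {
open } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Def"
[   10.662781] audit: type=1400 audit(1632913977.214:10): avc:  denied  {
add_name } for  pid=109 comm="auditd" name="audit.log"
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[   10.677266] audit: type=1400 audit(1632913977.214:11): avc:  denied  {
create } for  pid=109 comm="auditd" name="audit.log"
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=file permissive=1
[   10.700000] audit: type=1400 audit(1632913977.300:12): avc:  denied  { write } for  pid=120 comm="syslogd" name="messages" dev="vda" ino=16400 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file permissive=1
EOF
)

if printf '%s\n' "$SAMPLE_LOG" | relabel_needed; then
    echo "relabel needed; unlabeled objects:"
    printf '%s\n' "$SAMPLE_LOG" | unlabeled_objects
fi
```

On the sample the read and open denials collapse into one line for vda:16387 (the /var/log/audit directory, reported by path once a path-bearing record is seen), while the add_name and create denials, which carry no dev/ino, are listed by class and name. Feeding a real capture (`dmesg | unlabeled_objects`, or the audit log) gives the list of objects that a `setfiles`/`restorecon` pass must fix; the control record is never reported because its target is already var_log_t.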