[Buildroot] [PATCH] package/policycoreutils: Add service to handle selinux autorelabel
José Pekkarinen
jose.pekkarinen at unikie.com
Wed Sep 29 11:37:31 UTC 2021
Hi,
Can I get some comments here? I'm starting
to do some tests with 2021.08 and I find unlabeled
stuff like the following ones:
[ 10.534555] SELinux: Context Default is not valid (left unmapped).
[ 10.562318] audit: type=1400 audit(1632913977.130:4): avc: denied {
read } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[ 10.579085] audit: type=1400 audit(1632913977.146:5): avc: denied {
open } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Def"
[ 10.594226] audit: type=1400 audit(1632913977.146:6): avc: denied {
getattr } for pid=108 comm="auditd" path="/var/log/audit" dev="vda"
ino=16387 scontext=system_u:system_r:auditd_t
tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[ 10.610371] audit: type=1400 audit(1632913977.146:7): avc: denied {
search } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[ 10.629470] audit: type=1400 audit(1632913977.197:8): avc: denied {
setattr } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[ 10.646993] audit: type=1400 audit(1632913977.214:9): avc: denied {
write } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[ 10.662781] audit: type=1400 audit(1632913977.214:10): avc: denied {
add_name } for pid=109 comm="auditd" name="audit.log"
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=dir permissive=1 trawcon="Default"
[ 10.677266] audit: type=1400 audit(1632913977.214:11): avc: denied {
create } for pid=109 comm="auditd" name="audit.log"
scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t
tclass=file permissive=1
These make me think adding some via to
handle the autorelabel mechanism is still needed.
Best regards.
José.
On Tue, Sep 7, 2021 at 3:58 PM José Pekkarinen <jose.pekkarinen at unikie.com>
wrote:
> This patch adds a system service to check whether the
> autorelabel via is requested or not, and produce the
> labeling of the system under the loaded final kernel,
> including automatically populated fs by the kernel.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen at unikie.com>
> ---
> .../policycoreutils/S00selinux-autorelabel | 49 +++++++++++++++++++
> package/policycoreutils/policycoreutils.mk | 5 ++
> 2 files changed, 54 insertions(+)
> create mode 100644 package/policycoreutils/S00selinux-autorelabel
>
> diff --git a/package/policycoreutils/S00selinux-autorelabel
> b/package/policycoreutils/S00selinux-autorelabel
> new file mode 100644
> index 0000000000..7a47db891f
> --- /dev/null
> +++ b/package/policycoreutils/S00selinux-autorelabel
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +
> +DAEMON="Autorelabel check"
> +
> +start() {
> + printf 'Starting %s: ' "$DAEMON"
> +
> + if [ -f /.autorelabel ]; then
> + echo "Relabeling"
> + echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is
> required."
> + echo "*** Relabeling could take a very long time, depending on
> file"
> + echo "*** system size and speed of hard drives."
> + mount -a
> + setfiles -m -r /
> +
> + # Remove label
> + rm -f /.autorelabel || failed "Failed to remove the autorelabel
> flag"
> +
> + # Reboot to activate relabeled file system
> + echo "Automatic reboot in progress."
> + reboot -f
> + fi
> +
> + echo "OK"
> + return 0
> +}
> +
> +stop() {
> + printf 'Stopping %s: ' "$DAEMON"
> + echo "OK"
> + return 0
> +}
> +
> +restart() {
> + stop
> + sleep 1
> + start
> +}
> +
> +case "$1" in
> + start|stop|restart)
> + "$1";;
> + reload)
> + # Restart, since there is no true "reload" feature.
> + restart;;
> + *)
> + echo "Usage: $0 {start|stop|restart|reload}"
> + exit 1
> +esac
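Review bot: `failed` in `rm -f /.autorelabel || failed "Failed to remove the autorelabel flag"` is never defined in this script, so if the flag cannot be removed the shell only prints a "not found" error and still falls through to `reboot -f`; define the helper (for example `failed() { echo "$1"; exit 1; }`) or use an `echo` plus `return 1`. Two more points in the same start() block: `setfiles -m -r /` is given neither a file_contexts spec file nor a path to label (setfiles needs both, e.g. `setfiles -m /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /`), and its exit status is not checked before the flag is removed and the box rebooted, so a failed relabel still reboots and leaves the filesystem with exactly the unlabeled_t objects the follow-up mail shows; `${SELINUXTYPE}` is also never set in this script, so the SELinux config file (/etc/selinux/config on a refpolicy image) should be sourced before it is used. Finally, the mail client has wrapped several lines of the script (`is` / `required.`, `on` / `file`, `autorelabel` / `flag`), so the patch as posted will not apply; please resend with git send-email.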
> diff --git a/package/policycoreutils/policycoreutils.mk
> b/package/policycoreutils/policycoreutils.mk
> index 5290c5b9f8..f698698059 100644
> --- a/package/policycoreutils/policycoreutils.mk
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -93,5 +93,10 @@ define HOST_POLICYCOREUTILS_INSTALL_CMDS
> )
> endef
>
> +define POLICYCOREUTILS_INSTALL_INIT_SYSV
> + $(INSTALL) -m 0755 -D
> package/policycoreutils/S00selinux-autorelabel \
> + $(TARGET_DIR)/etc/init.d/S00selinux-autorelabel
> +endef
> +
> $(eval $(generic-package))
> $(eval $(host-generic-package))
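Review bot: the source path in `$(INSTALL) -m 0755 -D package/policycoreutils/S00selinux-autorelabel` is hardcoded relative to the top directory; the usual Buildroot form is `$(INSTALL) -D -m 0755 $(POLICYCOREUTILS_PKGDIR)/S00selinux-autorelabel $(TARGET_DIR)/etc/init.d/S00selinux-autorelabel`, which also keeps the command on one line (the break after `-D` in the posted hunk would break the recipe as well). Only the SysV/BusyBox init case is covered here, with no `_INSTALL_INIT_SYSTEMD` counterpart; if systemd images are deliberately left out, that is worth saying in the commit message.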
> --
> 2.25.1
>
>
--
José.
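The denials in the mail all share `tcontext=system_u:object_r:unlabeled_t`, which is the signature of a filesystem that has never been labeled. As an added example (not part of the patch or of Buildroot), the script below reads AVC lines of that shape and reports how many denials hit unlabeled objects and which command, object class and permission they involve, so the "relabel needed" decision can be made from the audit log rather than by eye. The function names and the sample lines are constructed for this example; the sample values are modeled on the mail but are not the original log.

```shell
#!/bin/sh
# Constructed sample AVC lines (shaped after the ones in the mail; values made up).
# The last line targets var_log_t, not unlabeled_t, and must not be counted.
SAMPLE_AVC='type=1400 audit(1632913977.130:4): avc: denied { read } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
type=1400 audit(1632913977.146:5): avc: denied { open } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
type=1400 audit(1632913977.214:11): avc: denied { create } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
type=1400 audit(1632913980.001:12): avc: denied { write } for pid=140 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file permissive=1'

# count_unlabeled (hypothetical name): read AVC lines on stdin and print the
# number of denials whose target context type is unlabeled_t.
count_unlabeled() {
    awk '/avc: *denied/ && /tcontext=[^ ]*:unlabeled_t/ { n++ } END { print n+0 }'
}

# summarize_unlabeled (hypothetical name): one line per "comm tclass perm"
# with its count, sorted, so it is visible which service touches what.
summarize_unlabeled() {
    awk '
    /avc: *denied/ && /tcontext=[^ ]*:unlabeled_t/ {
        perm = ""; comm = ""; tclass = ""
        # "denied { read }" -> "read"; several permissions stay space separated
        if (match($0, /denied [{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 9, RLENGTH - 11)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)   { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        count[comm " " tclass " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# needs_relabel (hypothetical name): succeed when at least one unlabeled_t
# denial is present, i.e. when the filesystem should be relabeled.
needs_relabel() {
    [ "$(count_unlabeled)" -gt 0 ]
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_unlabeled
```

On a running system the same functions take `dmesg` or `/var/log/audit/audit.log` on stdin in place of the constructed sample; a non-zero count with `permissive=1` is a relabel-needed condition, while the same count under enforcing mode means the service has already been denied.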