selinux-config: add init script

This script will be installed as 0selinux-init, in runlevel S and sequence number 0. It will start before any other init script. * relabel /dev for restorecon/fixfiles running * rebuild policy and relabel the rootfs if /.autorelabel placed. * relabel the rootfs if it is first booting. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2026-01-01 13:58:04 +00:00 · 2012-09-19 16:31:24 +08:00 · 2012-09-19 16:31:24 +08:00 · 3b2088b2bd
commit 3b2088b2bd
parent ad05ee2495
2 changed files with 53 additions and 2 deletions
--- a/recipes-security/selinux/selinux-config/selinux-init.sh
+++ b/recipes-security/selinux/selinux-config/selinux-init.sh
@ -0,0 +1,39 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+if [ -x /usr/bin/chcon ]; then
+       /usr/bin/chcon -t null_device_t /dev/null
+       /usr/bin/chcon -t console_device_t /dev/console
+fi
+
+
+# If /.autorelabel placed, the whole file system should be relabeled
+test ! -x /sbin/fixfiles ||
+if [ -f /.autorelabel ]; then
+	echo "Checking SELinux security contexts:"
+	echo " * /.autorelabel placed, filesystem will be relabeled..."
+	/sbin/fixfiles -F -f relabel
+	/bin/rm -f /.autorelabel
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot -f
+fi
+
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+test ! -x /sbin/restorecon ||
+if [ "`/usr/bin/secon -t --pid 1`" = "kernel_t" ]; then
+	echo "Checking SELinux security contexts:"
+	echo " * First booting, filesystem will be relabeled..."
+	test -x /etc/init.d/auditd && /etc/init.d/auditd start
+	/usr/sbin/setenforce 0
+	/sbin/restorecon -R /
+	/sbin/restorecon /
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot -f
+fi
+
+# Now, we should relabel /dev for most services.
+test ! -x /sbin/restorecon || /sbin/restorecon -R /dev
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@ -8,13 +8,25 @@ This is the configuration files for SELinux on WRLinux system.  \
 SECTION = "base"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-PR = "r0"
+PR = "r1"

-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
+SRC_URI = "file://selinux-init.sh"
+
+inherit update-rc.d
+
+INITSCRIPT_NAME = "0selinux-init"
+INITSCRIPT_PARAMS = "start 00 S ."
+
+CONFFILES_${PN} += "${sysconfdir}/selinux/config \
+	${sysconfdir}/init.d/0selinux-init \
+	"

 PACKAGE_ARCH = "${MACHINE_ARCH}"

 do_install () {
+	install -d ${D}${sysconfdir}/init.d/
+	install -m 0755 ${WORKDIR}/selinux-init.sh ${D}${sysconfdir}/init.d/0selinux-init
+
 	echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values: