selinux-init: Break labeling of /dev out into separate script.

Remove selinux-init package from packagegroup-selinux-minimal. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2026-01-01 13:58:04 +00:00 · 2015-11-08 19:00:39 +00:00 · 2015-11-08 19:00:39 +00:00 · ac8450482d
commit ac8450482d
parent 766bed8304
6 changed files with 43 additions and 11 deletions
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@ -24,6 +24,7 @@ RDEPENDS_${PN} = " \
 	setools-console \
 	selinux-config \
 	selinux-init \
+	selinux-labeldev \
 	refpolicy-standard \
 	refpolicy-mls \
 	coreutils \
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@ -22,6 +22,6 @@ RDEPENDS_${PN} = "\
 	policycoreutils-sestatus \
 	policycoreutils-setfiles \
 	selinux-config \
-	selinux-init \
+	selinux-labeldev \
 	refpolicy-mls \
 "
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@ -34,12 +34,6 @@ check_rootfs()
 	/sbin/shutdown -f -h now
 }

-# Because /dev/console is not relabeled by kernel, many commands
-# would can not use it, including restorecon.
-${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
-${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
-
-
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 	echo "Checking SELinux security contexts:"
@ -65,7 +59,4 @@ if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
 	/sbin/reboot
 fi

-# Now, we should relabel /dev for most services.
-${RESTORECON} -RF /dev
-
 exit 0
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@ -14,6 +14,6 @@ ${PN}_RDEPENDS = " \
 "

 SRC_URI = "file://${BPN}.sh"
-SELINUX_SCRIPT_DST = "0${BPN}"
+INITSCRIPT_PARAMS = "start 01 S ."

 require selinux-initsh.inc
--- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
+++ b/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh
@ -0,0 +1,24 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+CHCON=/usr/bin/chcon
+MATCHPATHCON=/usr/sbin/matchpathcon
+RESTORECON=/sbin/restorecon
+
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+done
+
+# Because /dev/console is not relabeled by kernel, many commands
+# would can not use it, including restorecon.
+${CHCON} -t `${MATCHPATHCON} -n /dev/null | cut -d: -f3` /dev/null
+${CHCON} -t `${MATCHPATHCON} -n /dev/console | cut -d: -f3` /dev/console
+
+# Now, we should relabel /dev for most services.
+${RESTORECON} -RF /dev
+
+exit 0
--- a/recipes-security/selinux/selinux-labeldev_0.1.bb
+++ b/recipes-security/selinux/selinux-labeldev_0.1.bb
@ -0,0 +1,16 @@
+SUMMARY = "SELinux init script"
+DESCRIPTION = "Set SELinux labels for /dev."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    coreutils \
+    libselinux-bin \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+SELINUX_SCRIPT_DST = "0${BPN}"
+
+require selinux-initsh.inc