selinux-init: use systemd (re)labelling

Boot loops were being seen when booting with selinux enabled, when the
init system in use is systemd. Once logs were retrieved from the
failing system the error was found to be

selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpuacct:  Read-only file system
selinux-init.sh[284]: /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu:  Read-only file system

Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
used by selinux-init.sh is unable to handle this. On top of this the
system is basically presenting two methods of (re)labelling; using the
built in systemd approach via selinux-autorelabel.service *and* the
code we have in selinux-init.sh. This can get confusing especially
given that most online resources will speak to the systemd approach
using selinux-autorelabel.service and /.autorelabel.

These changes leave the current approach in place when sysvinit is the
init system used, but if systemd is being used we make use of it's
internal (re)labelling functionality. Overall the workflow remains the
same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
during the (re)labelling procedure).

Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

recipes-security/selinux/selinux-init/selinux-init.sh

@@ -33,18 +33,6 @@ check_rootfs()
 	/sbin/shutdown -f -h now
 }
 
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
-	echo "Checking SELinux security contexts:"
-	check_rootfs
-	echo " * First booting, filesystem will be relabeled..."
-	test -x /etc/init.d/auditd && /etc/init.d/auditd start
-	${SETENFORCE} 0
-	${RESTORECON} -RF /
-	${RESTORECON} -F /
-	echo " * Relabel done, rebooting the system."
-	/sbin/reboot
-fi
+# sysvinit firstboot relabel placeholder HERE
 
 exit 0

recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit

@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+	echo "Checking SELinux security contexts:"
+	check_rootfs
+	echo " * First booting, filesystem will be relabeled..."
+	test -x /etc/init.d/auditd && /etc/init.d/auditd start
+	${SETENFORCE} 0
+	${RESTORECON} -RF /
+	${RESTORECON} -F /
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi

recipes-security/selinux/selinux-init_0.1.bb

@@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \
     policycoreutils-setfiles \
 "
 
-SRC_URI = "file://${BPN}.sh \
-		file://${BPN}.service \
-	"
+SRC_URI = " \
+    file://${BPN}.sh \
+    file://${BPN}.sh.sysvinit \
+    file://${BPN}.service \
+"
 
 INITSCRIPT_PARAMS = "start 01 S ."
 

recipes-security/selinux/selinux-initsh.inc

@@ -17,9 +17,15 @@ inherit update-rc.d systemd
 
 SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
 
+FILES_${PN} += "/.autorelabel"
+
 do_install () {
 	install -d ${D}${sysconfdir}/init.d/
 	install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+	# Insert the relabelling code which is only needed with sysvinit
+	sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+	       -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+	       ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
 
 	install -d ${D}${systemd_unitdir}/system
 	install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
@@ -27,6 +33,8 @@ do_install () {
 	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
 		install -d ${D}${bindir}
 		install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+		sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+		echo "# first boot relabelling" > ${D}/.autorelabel
 	fi
 }