selinux-init: Break handling of /.autorelabel out into separate script.

Fixup DESCRIPTION in old selinux-init recipe. Exclude this autorelabel script from the minimal packagegroup. Signed-off-by: Philip Tricca <flihp@twobit.us> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
2026-01-01 13:58:04 +00:00 · 2015-11-08 19:00:40 +00:00 · 2015-11-08 19:00:40 +00:00 · cfd6098067
commit cfd6098067
parent ac8450482d
5 changed files with 43 additions and 14 deletions
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@ -23,6 +23,7 @@ RDEPENDS_${PN} = " \
 	setools \
 	setools-console \
 	selinux-config \
+	selinux-autorelabel \
 	selinux-init \
 	selinux-labeldev \
 	refpolicy-standard \
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@ -0,0 +1,22 @@
+#!/bin/sh
+
+/usr/sbin/selinuxenabled 2>/dev/null || exit 0
+
+FIXFILES=/sbin/fixfiles
+
+if ! test -x ${FIXFILES}; then
+	echo "${FIXFILES} is missing in the system."
+	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
+	exit 1
+fi
+
+# If /.autorelabel placed, the whole file system should be relabeled
+if [ -f /.autorelabel ]; then
+	echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+	${FIXFILES} -F -f relabel
+	/bin/rm -f /.autorelabel
+	echo " * Relabel done, rebooting the system."
+	/sbin/reboot
+fi
+
+exit 0
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@ -0,0 +1,17 @@
+SUMMARY = "SELinux autorelabel script"
+DESCRIPTION = "\
+Script to reset SELinux labels on the root file system when /.autorelabel \
+file is present.\
+"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+${PN}_RDEPENDS = " \
+    policycoreutils-setfiles \
+"
+
+SRC_URI = "file://${BPN}.sh"
+INITSCRIPT_PARAMS = "start 01 S ."
+
+require selinux-initsh.inc
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@ -4,12 +4,11 @@

 CHCON=/usr/bin/chcon
 MATCHPATHCON=/usr/sbin/matchpathcon
-FIXFILES=/sbin/fixfiles
 RESTORECON=/sbin/restorecon
 SECON=/usr/bin/secon
 SETENFORCE=/usr/sbin/setenforce

-for i in ${CHCON} ${MATCHPATHCON} ${FIXFILES} ${RESTORECON} ${SECON} ${SETENFORCE}; do
+for i in ${CHCON} ${MATCHPATHCON} ${RESTORECON} ${SECON} ${SETENFORCE}; do
 	test -x $i && continue
 	echo "$i is missing in the system."
 	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
@ -34,17 +33,6 @@ check_rootfs()
 	/sbin/shutdown -f -h now
 }

-# If /.autorelabel placed, the whole file system should be relabeled
-if [ -f /.autorelabel ]; then
-	echo "Checking SELinux security contexts:"
-	check_rootfs
-	echo " * /.autorelabel placed, filesystem will be relabeled..."
-	${FIXFILES} -F -f relabel
-	/bin/rm -f /.autorelabel
-	echo " * Relabel done, rebooting the system."
-	/sbin/reboot
-fi
-
 # If first booting, the security context type of init would be
 # "kernel_t", and the whole file system should be relabeled.
 if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@ -1,6 +1,7 @@
 SUMMARY = "SELinux init script"
 DESCRIPTION = "\
-SELinux start up stuff for Yocto. \
+Script to detect and attempt to correct a misconfigured SELinux system at \
+boot time. \
 "

 LICENSE = "MIT"