summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2022-07-25 14:49:13 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-07-27 12:31:58 +0000
commita3678d3e929900078cbaec5a279b902bd7cc9244 (patch)
treee9b9ab9d7210df07e00d049029f32d21c2ec7771
parent2ea9cbefb8e0923f2f58e7e8022f3e134977a87a (diff)
meta-netboot: Add SELinux support
Changes: - Add logic to init.sh to handle autorelabeling the root filesystem if it is tagged as requiring it. In practice this should only be required when booting images built on hosts that have xattr support, or if relabeling is manually triggered on subsequent boots. There was a stated goal of avoiding the reboot from the later userspace handling of autorelabeling in CI, so this hook aims to enable that for the non-xattr build host corner case. - Add a resolv-conf-relabel recipe that installs a systemd unit to relabel /etc/resolv.conf when netbooting. This is required because the file always gets modified inside init.sh, and it does not seem worthwhile to always do the extra policy load required to relabel it in the initramfs. This may need to be revisited if it proves difficult to handle denials in early booting when netbooting. - Add the required extra packages for relabeling to IMAGE_INSTALL. Bug-AGL: SPEC-4332 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I26b27c1cea68a029264352bd206c160cac3d451e Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27791 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
-rw-r--r--meta-netboot/conf/include/agl-netboot.inc5
-rw-r--r--meta-netboot/recipes-core/initramfs-netboot/files/init.sh16
-rw-r--r--meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service14
-rw-r--r--meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb21
4 files changed, 55 insertions, 1 deletions
diff --git a/meta-netboot/conf/include/agl-netboot.inc b/meta-netboot/conf/include/agl-netboot.inc
index 555629537..2c1307e81 100644
--- a/meta-netboot/conf/include/agl-netboot.inc
+++ b/meta-netboot/conf/include/agl-netboot.inc
@@ -1,3 +1,6 @@
INHERIT += "netboot"
-IMAGE_INSTALL:append:netboot = " curl"
+IMAGE_INSTALL:append:netboot = " \
+ curl \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'resolv-conf-relabel policycoreutils-loadpolicy', '', d)} \
+"
diff --git a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh
index 92927df47..87a1acb80 100644
--- a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh
+++ b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh
@@ -154,6 +154,22 @@ fi
rm -f /etc/resolv.conf
grep -v bootserver /proc/net/pnp | sed 's/^domain/search/g' >/etc/resolv.conf
+# Do SELinux relabeling if required, to avoid a reboot that would complicate CI
+if [ -f /.autorelabel ]; then
+ # Nothing SELinux related works w/o the fs mounted
+ do_mount_fs selinuxfs /sys/fs/selinux
+
+ # Labeling requires the policy to be loaded
+ log_info "Loading SELinux policy"
+ /usr/sbin/load_policy
+
+ /usr/bin/selinux-autorelabel.sh
+
+ # Will get remounted by systemd startup, unmount to keep that behavior
+ # more like the non-netboot case.
+ umount /sys/fs/selinux
+fi
+
# unmount tmp and run to let systemd remount them
log_info "Unmounting /tmp and /run"
umount /tmp
diff --git a/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service
new file mode 100644
index 000000000..5d9216cc2
--- /dev/null
+++ b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=SELinux resolv.conf relabeling
+DefaultDependencies=no
+ConditionKernelCommandLine=ip
+ConditionKernelCommandLine=nbd.server
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/restorecon -Fi /etc/resolv.conf
+
+[Install]
+WantedBy=sysinit.target
diff --git a/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb
new file mode 100644
index 000000000..36d096b44
--- /dev/null
+++ b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb
@@ -0,0 +1,21 @@
+SUMMARY = "System unit to relabel resolve.conf"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://resolv-conf-relabel.service"
+
+inherit systemd allarch features_check
+
+SYSTEMD_SERVICE:${PN} = "${BPN}.service"
+
+REQUIRED_DISTRO_FEATURES = "systemd"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/resolv-conf-relabel.service ${D}${systemd_system_unitdir}/
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"