summaryrefslogtreecommitdiffstats
path: root/meta-agl-core/dynamic-layers/meta-selinux/recipes-core
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2022-07-25 14:23:13 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-07-27 12:31:58 +0000
commit2ea9cbefb8e0923f2f58e7e8022f3e134977a87a (patch)
treed9440b8d8ccfaa496086842eef5ca7d588b58a17 /meta-agl-core/dynamic-layers/meta-selinux/recipes-core
parent6c9fa75459cf86576c47411fc239e0d7896d483c (diff)
Add SELinux feature
Add agl-selinux feature to enable SELinux support. Notes: - SELinux is in permissive mode by default for now, and using the targeted policy by default. - The linux-yocto specific bbappend in meta-selinux is masked out in favor of adding a more universal kernel configuration fragment with AGL's own scheme. - SELinux specific recipes and bbappends are added via a meta-selinux dynamic-layers addition in meta-agl-core to keep using meta-selinux optional. This will avoid issues with the Yocto autobuilder testing of meta-agl-core. - To avoid the effectively hard-coded autorelabel on first boot, a bbappend is added to the selinux-autorelabel recipe to remove the flag creation. In the off chance that a build happens on a filesystem without xattr support, the logic in the selinux-image bbclass will still touch the /.autorelabel flag and trigger relabeling. - A systemd unit and script are added with a new systemd-selinux-relabel recipe to handle relabeling of some systemd generated files that do not get handled during root filesystem construction. Some of these can be addressed by some upstream tweaks, but /etc/machine-id will always need special handling unless there is a shift to using read-only or stateless root by default. With this workaround we still avoid doing a full relabel and reboot on first boot, which helps simplify CI. Bug-AGL: SPEC-4332 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'meta-agl-core/dynamic-layers/meta-selinux/recipes-core')
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service12
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh12
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb25
3 files changed, 49 insertions, 0 deletions
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service
new file mode 100644
index 000000000..b8d394068
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Generated file SELinux relabeling
+DefaultDependencies=no
+After=local-fs.target systemd-machine-id-commit.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/systemd-selinux-relabel.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh
new file mode 100644
index 000000000..b2557a8d6
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Update labels on files generated on first boot.
+/usr/sbin/restorecon -FRi /etc/systemd /etc/machine-id
+if [ $? -eq 0 ]; then
+ # Disable parent service
+ # NOTE: The service does not use the first boot functionality
+ # in systemd as /etc/machine-id is not writeable until
+ # after it is complete.
+ systemctl disable systemd-selinux-relabel.service
+fi
+exit 0
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb
new file mode 100644
index 000000000..7e4f9783c
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb
@@ -0,0 +1,25 @@
+SUMMARY = "System unit to relabel systemd generated files"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://systemd-selinux-relabel.service \
+ file://systemd-selinux-relabel.sh \
+"
+
+inherit systemd allarch features_check
+
+SYSTEMD_SERVICE:${PN} = "${BPN}.service"
+
+REQUIRED_DISTRO_FEATURES = "systemd"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/systemd-selinux-relabel.service ${D}${systemd_system_unitdir}/
+ install -d ${D}${sbindir}
+ install -m 0755 ${WORKDIR}/systemd-selinux-relabel.sh ${D}${sbindir}/
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"