| Field | Value | Date |
|---|---|---|
| author | Scott Murray <scott.murray@konsulko.com> | 2022-07-25 14:49:13 -0400 |
| committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2022-07-27 12:31:58 +0000 |
| commit | a3678d3e929900078cbaec5a279b902bd7cc9244 (patch) | |
| tree | e9b9ab9d7210df07e00d049029f32d21c2ec7771 /meta-netboot/recipes-core | |
| parent | 2ea9cbefb8e0923f2f58e7e8022f3e134977a87a (diff) | |
meta-netboot: Add SELinux support
Changes:
- Add logic to init.sh to handle autorelabeling the root filesystem
if it is tagged as requiring it. In practice this should only be
required when booting images built on hosts that have xattr support,
or if relabeling is manually triggered on subsequent boots. There
was a stated goal of avoiding the reboot from the later userspace
handling of autorelabeling in CI, so this hook aims to enable that
for the non-xattr build host corner case.
- Add a resolv-conf-relabel recipe that installs a systemd unit to
relabel /etc/resolv.conf when netbooting. This is required because
the file always gets modified inside init.sh, and it does not seem
worthwhile to always do the extra policy load required to relabel it
in the initramfs. This may need to be revisited if it proves
difficult to handle denials in early booting when netbooting.
- Add the required extra packages for relabeling to IMAGE_INSTALL.
Bug-AGL: SPEC-4332
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I26b27c1cea68a029264352bd206c160cac3d451e
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27791
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'meta-netboot/recipes-core')
3 files changed, 51 insertions, 0 deletions
diff --git a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh index 92927df47..87a1acb80 100644 --- a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh +++ b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh @@ -154,6 +154,22 @@ fi rm -f /etc/resolv.conf grep -v bootserver /proc/net/pnp | sed 's/^domain/search/g' >/etc/resolv.conf +# Do SELinux relabeling if required, to avoid a reboot that would complicate CI +if [ -f /.autorelabel ]; then + # Nothing SELinux related works w/o the fs mounted + do_mount_fs selinuxfs /sys/fs/selinux + + # Labeling requires the policy to be loaded + log_info "Loading SELinux policy" + /usr/sbin/load_policy + + /usr/bin/selinux-autorelabel.sh + + # Will get remounted by systemd startup, unmount to keep that behavior + # more like the non-netboot case. + umount /sys/fs/selinux +fi + # unmount tmp and run to let systemd remount them log_info "Unmounting /tmp and /run" umount /tmp diff --git a/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service new file mode 100644 index 000000000..5d9216cc2 --- /dev/null +++ b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service @@ -0,0 +1,14 @@ +[Unit] +Description=SELinux resolv.conf relabeling +DefaultDependencies=no +ConditionKernelCommandLine=ip +ConditionKernelCommandLine=nbd.server +After=local-fs.target +Before=sysinit.target + +[Service] +Type=oneshot +ExecStart=/usr/sbin/restorecon -Fi /etc/resolv.conf + +[Install] +WantedBy=sysinit.target diff --git a/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb new file mode 100644 index 000000000..36d096b44 --- /dev/null +++ b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb 
@@ -0,0 +1,21 @@ +SUMMARY = "System unit to relabel resolve.conf" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://resolv-conf-relabel.service" + +inherit systemd allarch features_check + +SYSTEMD_SERVICE:${PN} = "${BPN}.service" + +REQUIRED_DISTRO_FEATURES = "systemd" + +do_configure[noexec] = "1" +do_compile[noexec] = "1" + +do_install() { + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/resolv-conf-relabel.service ${D}${systemd_system_unitdir}/ +} + +FILES:${PN} += "${systemd_system_unitdir}" |
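Review bot: in the init.sh hunk, neither `/usr/sbin/load_policy` nor `/usr/bin/selinux-autorelabel.sh` has its exit status checked, so a failed policy load falls straight through into the relabel, the unmount and the rest of boot with only the preceding "Loading SELinux policy" line as a hint. Suggest guarding the call, e.g. `/usr/sbin/load_policy || { log_info "SELinux policy load failed, skipping relabel"; ... }` using whatever logging helper init.sh already provides next to `log_info`, and skipping the relabel when the load fails, since relabeling without a loaded policy cannot produce correct contexts. It would also help if the comment stated whether the relabel script itself clears `/.autorelabel`, as nothing in this hunk does, and a marker left in place would repeat the full relabel on every netboot.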
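Review bot: resolv-conf-relabel.service carries no SELinux condition, so it is pulled into sysinit.target on every netboot whether or not SELinux is enabled; adding `ConditionSecurity=selinux` next to the two `ConditionKernelCommandLine=` lines would keep the unit from running (and appearing in unit listings) on non-SELinux images. The `-i` in `ExecStart=/usr/sbin/restorecon -Fi /etc/resolv.conf` is the right choice since the file may be absent, but a one-line comment in the unit explaining why the file needs relabeling at all (init.sh rewrites it before any policy is loaded, as the first hunk shows) would save the next reader a trip to the commit log.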
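Review bot: `SUMMARY = "System unit to relabel resolve.conf"` misspells the file name; it should read `resolv.conf`, and "systemd unit" would be more precise than "System unit". Since the unit only does useful work when SELinux is enabled, consider whether `REQUIRED_DISTRO_FEATURES = "systemd"` should also list `selinux`, given that `features_check` is already inherited; if the package is intended to be installed unconditionally and rely on restorecon being a no-op, a short comment in the recipe saying so would settle the question.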