diff options
4 files changed, 55 insertions, 1 deletions
diff --git a/meta-netboot/conf/include/agl-netboot.inc b/meta-netboot/conf/include/agl-netboot.inc index 555629537..2c1307e81 100644 --- a/meta-netboot/conf/include/agl-netboot.inc +++ b/meta-netboot/conf/include/agl-netboot.inc @@ -1,3 +1,6 @@ INHERIT += "netboot" -IMAGE_INSTALL:append:netboot = " curl" +IMAGE_INSTALL:append:netboot = " \ + curl \ + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'resolv-conf-relabel policycoreutils-loadpolicy', '', d)} \ +" diff --git a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh index 92927df47..87a1acb80 100644 --- a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh +++ b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh @@ -154,6 +154,22 @@ fi rm -f /etc/resolv.conf grep -v bootserver /proc/net/pnp | sed 's/^domain/search/g' >/etc/resolv.conf +# Do SELinux relabeling if required, to avoid a reboot that would complicate CI +if [ -f /.autorelabel ]; then + # Nothing SELinux related works w/o the fs mounted + do_mount_fs selinuxfs /sys/fs/selinux + + # Labeling requires the policy to be loaded + log_info "Loading SELinux policy" + /usr/sbin/load_policy + + /usr/bin/selinux-autorelabel.sh + + # Will get remounted by systemd startup, unmount to keep that behavior + # more like the non-netboot case. + umount /sys/fs/selinux +fi + # unmount tmp and run to let systemd remount them log_info "Unmounting /tmp and /run" umount /tmp diff --git a/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service new file mode 100644 index 000000000..5d9216cc2 --- /dev/null +++ b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service @@ -0,0 +1,14 @@ +[Unit] +Description=SELinux resolv.conf relabeling +DefaultDependencies=no +ConditionKernelCommandLine=ip +ConditionKernelCommandLine=nbd.server +After=local-fs.target +Before=sysinit.target + +[Service] +Type=oneshot +ExecStart=/usr/sbin/restorecon -Fi /etc/resolv.conf + +[Install] +WantedBy=sysinit.target diff --git a/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb new file mode 100644 index 000000000..36d096b44 --- /dev/null +++ b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb @@ -0,0 +1,21 @@ +SUMMARY = "System unit to relabel resolve.conf" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://resolv-conf-relabel.service" + +inherit systemd allarch features_check + +SYSTEMD_SERVICE:${PN} = "${BPN}.service" + +REQUIRED_DISTRO_FEATURES = "systemd" + +do_configure[noexec] = "1" +do_compile[noexec] = "1" + +do_install() { + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/resolv-conf-relabel.service ${D}${systemd_system_unitdir}/ +} + +FILES:${PN} += "${systemd_system_unitdir}" |