summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta-netboot/conf/include/agl-netboot.inc5
-rw-r--r--meta-netboot/recipes-core/initramfs-netboot/files/init.sh16
-rw-r--r--meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service14
-rw-r--r--meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb21
4 files changed, 55 insertions, 1 deletions
diff --git a/meta-netboot/conf/include/agl-netboot.inc b/meta-netboot/conf/include/agl-netboot.inc
index 555629537..2c1307e81 100644
--- a/meta-netboot/conf/include/agl-netboot.inc
+++ b/meta-netboot/conf/include/agl-netboot.inc
@@ -1,3 +1,6 @@
INHERIT += "netboot"
-IMAGE_INSTALL:append:netboot = " curl"
+IMAGE_INSTALL:append:netboot = " \
+ curl \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'resolv-conf-relabel policycoreutils-loadpolicy', '', d)} \
+"
diff --git a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh
index 92927df47..87a1acb80 100644
--- a/meta-netboot/recipes-core/initramfs-netboot/files/init.sh
+++ b/meta-netboot/recipes-core/initramfs-netboot/files/init.sh
@@ -154,6 +154,22 @@ fi
rm -f /etc/resolv.conf
grep -v bootserver /proc/net/pnp | sed 's/^domain/search/g' >/etc/resolv.conf
+# Do SELinux relabeling if required, to avoid a reboot that would complicate CI
+if [ -f /.autorelabel ]; then
+ # Nothing SELinux related works w/o the fs mounted
+ do_mount_fs selinuxfs /sys/fs/selinux
+
+ # Labeling requires the policy to be loaded
+ log_info "Loading SELinux policy"
+ /usr/sbin/load_policy
+
+ /usr/bin/selinux-autorelabel.sh
+
+ # Will get remounted by systemd startup, unmount to keep that behavior
+ # more like the non-netboot case.
+ umount /sys/fs/selinux
+fi
+
# unmount tmp and run to let systemd remount them
log_info "Unmounting /tmp and /run"
umount /tmp
diff --git a/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service
new file mode 100644
index 000000000..5d9216cc2
--- /dev/null
+++ b/meta-netboot/recipes-core/systemd/files/resolv-conf-relabel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=SELinux resolv.conf relabeling
+DefaultDependencies=no
+ConditionKernelCommandLine=ip
+ConditionKernelCommandLine=nbd.server
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/restorecon -Fi /etc/resolv.conf
+
+[Install]
+WantedBy=sysinit.target
diff --git a/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb
new file mode 100644
index 000000000..36d096b44
--- /dev/null
+++ b/meta-netboot/recipes-core/systemd/resolv-conf-relabel.bb
@@ -0,0 +1,21 @@
+SUMMARY = "System unit to relabel resolve.conf"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://resolv-conf-relabel.service"
+
+inherit systemd allarch features_check
+
+SYSTEMD_SERVICE:${PN} = "${BPN}.service"
+
+REQUIRED_DISTRO_FEATURES = "systemd"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/resolv-conf-relabel.service ${D}${systemd_system_unitdir}/
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"