aboutsummaryrefslogtreecommitdiffstats
path: root/meta-agl-core/dynamic-layers/meta-selinux
diff options
context:
space:
mode:
Diffstat (limited to 'meta-agl-core/dynamic-layers/meta-selinux')
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service12
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh12
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb25
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb57
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bbappend1
-rw-r--r--meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_aglcore.inc4
6 files changed, 111 insertions, 0 deletions
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service
new file mode 100644
index 000000000..b8d394068
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Generated file SELinux relabeling
+DefaultDependencies=no
+After=local-fs.target systemd-machine-id-commit.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/systemd-selinux-relabel.sh
+
+[Install]
+WantedBy=sysinit.target
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh
new file mode 100644
index 000000000..b2557a8d6
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Update labels on files generated on first boot.
+/usr/sbin/restorecon -FRi /etc/systemd /etc/machine-id
+if [ $? -eq 0 ]; then
+ # Disable parent service
+ # NOTE: The service does not use the first boot functionality
+ # in systemd as /etc/machine-id is not writeable until
+ # after it is complete.
+ systemctl disable systemd-selinux-relabel.service
+fi
+exit 0
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb
new file mode 100644
index 000000000..7e4f9783c
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb
@@ -0,0 +1,25 @@
+SUMMARY = "System unit to relabel systemd generated files"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://systemd-selinux-relabel.service \
+ file://systemd-selinux-relabel.sh \
+"
+
+inherit systemd allarch features_check
+
+SYSTEMD_SERVICE:${PN} = "${BPN}.service"
+
+REQUIRED_DISTRO_FEATURES = "systemd"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/systemd-selinux-relabel.service ${D}${systemd_system_unitdir}/
+ install -d ${D}${sbindir}
+ install -m 0755 ${WORKDIR}/systemd-selinux-relabel.sh ${D}${sbindir}/
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb b/meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb
new file mode 100644
index 000000000..493a46f25
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb
@@ -0,0 +1,57 @@
+SUMMARY = "SELinux packages"
+DESCRIPTION = "SELinux packages required for AGL"
+LICENSE = "MIT"
+
+inherit packagegroup features_check
+
+REQUIRED_DISTRO_FEATURES = "selinux"
+
+PACKAGES = " \
+ packagegroup-agl-core-selinux \
+ packagegroup-agl-core-selinux-devel \
+"
+
+#
+# meta-selinux's packagegroup-core-selinux includes a lot of
+# policy development tools with its inclusion of the layer's
+# packagegroup-selinux-policycoreutils, which is not really
+# desirable for a production image. Create our own base
+# packagegroup and an accompanying devel packagegroup that
+# agl-devel can trigger pulling in.
+#
+# NOTES:
+# - It seems likely we will always want auditd, so include
+# it in the base packagegroup.
+# - selinux-autorelabel seems required to handle both the
+# edge case of builds done on non-xattr capable filesystems,
+# and to allow driving relabeling after potential package
+# installation during runtime.
+# - packagegroup-selinux-policycoreutils includes a lot of
+# things that seem not useful in a lot of systems (e.g.
+# the gtk dependent selinux-gui), so for now the devel
+# packagegroup aims to include a more minimal set of tools
+# aimed at enabling checkpolicy and audit2allow use.
+# - Some thought needs to go into whether the relabeling
+# fixup packages should be handled separately, as they
+# ideally should not go into images using read-only or
+# stateless rootfs, but those are image features so we
+# cannot check for them here.
+#
+
+RDEPENDS:${PN} = " \
+ packagegroup-selinux-minimal \
+ auditd \
+ selinux-autorelabel \
+ systemd-selinux-relabel \
+"
+
+RDEPENDS:${PN}-devel = " \
+ ${BPN} \
+ libsepol-bin \
+ checkpolicy \
+ policycoreutils-loadpolicy \
+ policycoreutils-setsebool \
+ policycoreutils-hll \
+ semodule-utils-semodule-package \
+ selinux-python-audit2allow \
+"
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bbappend b/meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bbappend
new file mode 100644
index 000000000..793b049e5
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('AGL_FEATURES', 'aglcore', 'selinux-autorelabel_aglcore.inc', '', d)}
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_aglcore.inc b/meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_aglcore.inc
new file mode 100644
index 000000000..67d3843f4
--- /dev/null
+++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_aglcore.inc
@@ -0,0 +1,4 @@
+do_install:append() {
+ # Do not force auto relabeling just from the package getting installed
+ rm -f ${D}/.autorelabel
+}