projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fde2d3b)
fs/common.mk: set SELinux file security contexts
authorAntoine Tenart <antoine.tenart@bootlin.com>
Fri, 31 Jul 2020 10:10:27 +0000 (12:10 +0200)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Fri, 4 Sep 2020 08:49:30 +0000 (10:49 +0200)
Set the SELinux file security contexts using setfiles when generating
root filesystem images.

Without such security contexts created at build time, they need to be
setup at first boot by running the restorecon utility on the target.
This has two drawbacks:

 - You have to special case the first boot, which cannot be done in
   enforcing mode, and will have to run restorecon, then reboot.

 - You cannot support read-only filesystems.

By setting up the security contexts at build time, we can have a
filesystem image that is immediately ready to boot an SELinux system
in enforcing mode, including if the root filesystem is read-only.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
fs/common.mk patch | blob | history

diff --git a/fs/common.mk b/fs/common.mk
index 842ea924a5e011d29343220842ef49a551090bce..1b44dc42badc54ef5519d4d155c9831726adcdc9 100644 (file)
--- a/fs/common.mk
+++ b/fs/common.mk
@@ -49,6 +49,16 @@ ROOTFS_COMMON_DEPENDENCIES = \
        $(BR2_TAR_HOST_DEPENDENCY) \
        $(if $(PACKAGES_USERS)$(ROOTFS_USERS_TABLES),host-mkpasswd)
 
+ifeq ($(BR2_PACKAGE_REFPOLICY),y)
+define ROOTFS_SELINUX
+       $(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
+               -c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \
+               $(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \
+               $(TARGET_DIR)
+endef
+ROOTFS_COMMON_DEPENDENCIES += host-policycoreutils
+endif
+
 ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES = $(sort \
        $(if $(filter undefined,$(origin ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X)), \
                $(eval ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X := \
@@ -172,6 +182,7 @@ $$(BINARIES_DIR)/$$(ROOTFS_$(2)_FINAL_IMAGE_NAME): $$(ROOTFS_$(2)_DEPENDENCIES)
        $$(foreach hook,$$(ROOTFS_$(2)_PRE_GEN_HOOKS),\
                $$(call PRINTF,$$($$(hook))) >> $$(FAKEROOT_SCRIPT)$$(sep))
        $$(call PRINTF,$$(ROOTFS_REPRODUCIBLE)) >> $$(FAKEROOT_SCRIPT)
+       $$(call PRINTF,$$(ROOTFS_SELINUX)) >> $$(FAKEROOT_SCRIPT)
        $$(call PRINTF,$$(ROOTFS_$(2)_CMD)) >> $$(FAKEROOT_SCRIPT)
        chmod a+x $$(FAKEROOT_SCRIPT)
        PATH=$$(BR_PATH) FAKEROOTDONTTRYCHOWN=1 $$(HOST_DIR)/bin/fakeroot -- $$(FAKEROOT_SCRIPT)