From 9daf75607f37564492584af09bcd34800ce793f6 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Fri, 14 Feb 2020 16:11:26 +0800
Subject: [PATCH] add selinux-autorelabel
---
 policycoreutils.spec | 64 +++++++++++++++++-----------
 selinux-autorelabel | 73 ++++++++++++++++++++++++++++++++
 selinux-autorelabel-generator.sh | 29 +++++++++++++
 selinux-autorelabel-mark.service | 18 ++++++++
 selinux-autorelabel.service | 14 ++++++
 selinux-autorelabel.target | 7 +++
 6 files changed, 180 insertions(+), 25 deletions(-)
 create mode 100644 selinux-autorelabel
 create mode 100644 selinux-autorelabel-generator.sh
 create mode 100644 selinux-autorelabel-mark.service
 create mode 100644 selinux-autorelabel.service
 create mode 100644 selinux-autorelabel.target
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 44df27c..1537791 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -2,7 +2,7 @@ Name: policycoreutils
 Version: 2.8
-Release: 11
+Release: 12
 Summary: Policy core utilities of selinux
 License: GPLv2
 URL: https://github.com/SELinuxProject
@@ -12,30 +12,35 @@ Source3: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/r
 Source4: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-dbus-2.8.tar.gz
 Source5: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/semodule-utils-2.8.tar.gz
 Source6: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/restorecond-2.8.tar.gz
-
-Patch6000: python-sepolgen-fix-typo-in-PathChoooser-name.patch
-Patch6001: policycoreutils-secon-free-scon_trans-before-returni.patch
-Patch6002: python-sepolicy-fix-procotol-misspelling.patch
-Patch6003: restorecond-Do-not-ignore-the-f-option.patch
-Patch6004: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
-Patch6005: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
-Patch6006: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
-Patch6007: python-chcat-use-check_call-instead-of-getstatusoutp.patch
-Patch6008: python-chcat-fix-removing-categories-on-users-with-F.patch
-Patch6009: python-sepolicy-search-also-for-dontaudit-rules.patch
-Patch6010: python-semanage-move-valid_types-initialisations-to-.patch
-Patch6011: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
-Patch6012: python-semanage-Load-a-store-policy-and-set-the-stor.patch
-Patch6013: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
-Patch6014: python-audit2allow-allow-using-audit2why-as-non-root.patch
-Patch6015: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
-Patch6016: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
-Patch6017: python-use-or-when-comparing-a-variable-with-a-strin.patch
-Patch6018: python-sepolicy-fix-variable-name.patch
-Patch6019: python-semanage-seobject-Fix-listing-boolean-values.patch
-Patch6020: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
-Patch9021: fix-fixfiles-N-date-function.patch
-Patch9022: fix-fixfiles-N-date-function-two.patch
+Source7: selinux-autorelabel
+Source8: selinux-autorelabel.service
+Source9: selinux-autorelabel-mark.service
+Source10: selinux-autorelabel.target
+Source11: selinux-autorelabel-generator.sh
+
+Patch0: python-sepolgen-fix-typo-in-PathChoooser-name.patch
+Patch1: policycoreutils-secon-free-scon_trans-before-returni.patch
+Patch2: python-sepolicy-fix-procotol-misspelling.patch
+Patch3: restorecond-Do-not-ignore-the-f-option.patch
+Patch4: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
+Patch5: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
+Patch6: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
+Patch7: python-chcat-use-check_call-instead-of-getstatusoutp.patch
+Patch8: python-chcat-fix-removing-categories-on-users-with-F.patch
+Patch9: python-sepolicy-search-also-for-dontaudit-rules.patch
+Patch10: python-semanage-move-valid_types-initialisations-to-.patch
+Patch11: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
+Patch12: python-semanage-Load-a-store-policy-and-set-the-stor.patch
+Patch13: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
+Patch14: python-audit2allow-allow-using-audit2why-as-non-root.patch
+Patch15: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
+Patch16: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
+Patch17: python-use-or-when-comparing-a-variable-with-a-strin.patch
+Patch18: python-sepolicy-fix-variable-name.patch
+Patch19: python-semanage-seobject-Fix-listing-boolean-values.patch
+Patch20: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
+Patch21: fix-fixfiles-N-date-function.patch
+Patch22: fix-fixfiles-N-date-function-two.patch
 BuildRequires: pam-devel libsepol-static libsemanage-static libselinux-devel libcap-devel audit-libs-devel gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python2-devel python3-devel libcap-ng-devel
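Review bot: The renumbering of all 23 existing Patch tags from Patch6000–Patch9022 down to Patch0–Patch22 is unrelated to adding the autorelabel sources and turns a five-line change (`Source7`–`Source11`) into a 50-line hunk that is hard to review and to cherry-pick. The %prep section that applies these patches is outside the hunk; if it names tags explicitly (`%patch6000 -p1`, …) instead of using `%autosetup`/`%autopatch`, it must be renumbered in the same commit or the build breaks. If the renumbering is wanted, it belongs in its own commit with its own changelog entry rather than under "add selinux-autorelabel".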
@@ -179,6 +184,12 @@ rm -rf %{buildroot}%{python2_sitelib}/sepolicy/help
 rm -f %{buildroot}%{python3_sitelib}/sepolicy/gui.*
 rm -f %{buildroot}%{python3_sitelib}/sepolicy/sepolicy.glade
+install -m 644 -p %{SOURCE8} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE9} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE10} %{buildroot}/%{_unitdir}/
+install -D -m 755 -p %{SOURCE11} %{buildroot}/%{_systemdgeneratordir}/%{basename:%{SOURCE11}}
+install -m 755 -p %{SOURCE7} %{buildroot}/%{_libexecdir}/selinux/
+
 pathfix.py -i "%{__python2} -Es" -p %{buildroot}%{python2_sitelib}
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage %{buildroot}%{_bindir}/sandbox \
@@ -297,6 +308,9 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%
 %{_mandir}/*
 %changelog
+* Fri Feb 14 2020 openEuler Buildteam - 2.8-12
+- Add selinux-autorelabel
+
 * Fri Dec 20 2019 openEuler Buildteam - 2.8-11
 - Simplify functions
diff --git a/selinux-autorelabel b/selinux-autorelabel
new file mode 100644
index 0000000..22c2143
--- /dev/null
+++ b/selinux-autorelabel
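Review bot: The five new `install` lines place files under `%{_unitdir}`, `%{_systemdgeneratordir}` and `%{_libexecdir}/selinux/`, but nothing in this diff adds them to %files or adds scriptlets — the diffstat's 39 insertions and 25 deletions are fully accounted for by the four visible spec hunks — so unless %files already globs those directories rpmbuild will stop on unpackaged files, and `selinux-autorelabel-mark.service`, which carries an `[Install]` section, will never be enabled without `%systemd_post`/`%systemd_preun`/`%systemd_postun` scriptlets or a preset. `install -m 755 -p %{SOURCE7} %{buildroot}/%{_libexecdir}/selinux/` also fails if that directory does not already exist in the buildroot; `install -D -m 755 -p %{SOURCE7} %{buildroot}%{_libexecdir}/selinux/selinux-autorelabel` is the safe form and matches the `-D` already used for the generator two lines above. `%{_unitdir}` and `%{_systemdgeneratordir}` are defined by systemd's RPM macros, so `BuildRequires: systemd` is needed unless the BuildRequires block (outside this hunk) already pulls it in; with the macros undefined the units land in a literal `%{_unitdir}` directory and systemd never sees them.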
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+
+# . /etc/init.d/functions
+
+# If the user has this (or similar) UEFI boot order:
+#
+# Windows | grub | Linux
+#
+# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
+# would cause the system to boot into Windows again, if the autorelabel was run.
+#
+# This function restores the UEFI boot order, so the user will boot into the
+# previously set (and expected) partition.
+efi_set_boot_next() {
+ # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
+ # succeed even on system which is not EFI-enabled...
+ if ! efibootmgr > /dev/null 2>&1; then
+ return
+ fi
+
+ # NOTE: It it possible that some other services might be setting the
+ # 'BootNext' item for any reasons, and we shouldn't override it if so.
+ if ! efibootmgr | grep --quiet -e 'BootNext'; then
+ CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
+ efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
+ fi
+}
+
+relabel_selinux() {
+ # if /sbin/init is not labeled correctly this process is running in the
+ # wrong context, so a reboot will be required after relabel
+ AUTORELABEL=
+ . /etc/selinux/config
+ echo "0" > /sys/fs/selinux/enforce
+ [ -x /bin/plymouth ] && plymouth --quit
+
+ if [ "$AUTORELABEL" = "0" ]; then
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+ echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+ echo $"*** problems. Dropping you to a shell; the system will reboot"
+ echo $"*** when you leave the shell."
+ sulogin
+
+ else
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+ echo $"*** Relabeling could take a very long time, depending on file"
+ echo $"*** system size and speed of hard drives."
+
+ FORCE=`cat /.autorelabel`
+ [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+ /sbin/fixfiles $FORCE restore
+ fi
+
+ rm -f /.autorelabel
+ /usr/lib/dracut/dracut-initramfs-restore
+ efi_set_boot_next
+ if [ -x /usr/bin/grub2-editenv ]; then
+ grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
+ fi
+ sync
+ systemctl --force reboot
+}
+
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+ relabel_selinux
+fi
diff --git a/selinux-autorelabel-generator.sh b/selinux-autorelabel-generator.sh
new file mode 100644
index 0000000..be60487
--- /dev/null
+++ b/selinux-autorelabel-generator.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# This systemd.generator(7) detects if SELinux is running and if the
+# user requested an autorelabel, and if so sets the default target to
+# selinux-autorelabel.target, which will cause the filesystem to be
+# relabelled and then the system will reboot again and boot into the
+# real default target.
+
+PATH=/usr/sbin:$PATH
+unitdir=/usr/lib/systemd/system
+
+# If invoked with no arguments (for testing) write to /tmp.
+earlydir="/tmp"
+if [ -n "$2" ]; then
+ earlydir="$2"
+fi
+
+set_target ()
+{
+ ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+}
+
+if selinuxenabled; then
+ if test -f /.autorelabel; then
+ set_target
+ elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+ set_target
+ fi
+fi
diff --git a/selinux-autorelabel-mark.service b/selinux-autorelabel-mark.service
new file mode 100644
index 0000000..dc17df3
--- /dev/null
+++ b/selinux-autorelabel-mark.service
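Review bot: `FORCE=`cat /.autorelabel`` followed by `/sbin/fixfiles $FORCE restore` hands whatever the marker file contains to fixfiles as unquoted, unvalidated arguments, as root and immediately after enforcement was switched off; the `fixfiles onboot` workflow writes either nothing or `-F` there, so constrain it to that: `FORCE=$(cat /.autorelabel 2>/dev/null)` followed by `[ "$FORCE" = "-F" ] || FORCE=`. The `echo "0" > /sys/fs/selinux/enforce` write is unchecked — on a kernel that refuses the switch to permissive (e.g. one built without SECURITY_SELINUX_DEVELOP) the script continues and fixfiles runs enforcing from a possibly mislabeled init context — so test the write and print a warning when it fails. `rm -f /.autorelabel` and `systemctl --force reboot` also run regardless of the exit status of fixfiles, so a failed or interrupted relabel is silently forgotten and the machine comes back enforcing with stale labels; at minimum capture the status and print it before rebooting (keeping the marker on failure is an option, but risks a reboot loop, so log first). This function starts in the previous part of the hunk; the `sulogin` branch there is reached only through `AUTORELABEL=0` from /etc/selinux/config, which is root-controlled, so that path looks fine.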
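Review bot: When run with no arguments the generator falls back to `earlydir="/tmp"` and, as root, executes `ln -sf "$unitdir/selinux-autorelabel.target" "/tmp/default.target"`; /tmp is world-writable and GNU ln dereferences a destination that is a symlink to a directory, so a pre-planted `/tmp/default.target -> /some/dir` makes root create `default.target` inside that directory, while any other pre-existing entry there is simply replaced. A root-run generator should not default to a shared temporary directory even "for testing": require the argument (`[ -n "$2" ] || { echo "usage: $0 normal-dir early-dir late-dir" >&2; exit 1; }`) or, if a test mode is wanted, use `ln -sfn` into a private `mktemp -d` directory. systemd always passes the three directory arguments, so the normal boot path is unaffected, and the `selinuxenabled` gate plus the `\bautorelabel\b` match on /proc/cmdline look correct.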
@@ -0,0 +1,18 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
diff --git a/selinux-autorelabel.service b/selinux-autorelabel.service
new file mode 100644
index 0000000..b8461e6
--- /dev/null
+++ b/selinux-autorelabel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Relabel all filesystems
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=shutdown.target
+ConditionSecurity=selinux
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty
diff --git a/selinux-autorelabel.target b/selinux-autorelabel.target
new file mode 100644
index 0000000..a4f63ab
--- /dev/null
+++ b/selinux-autorelabel.target
@@ -0,0 +1,7 @@
+[Unit]
+Description=Relabel all filesystems and reboot
+DefaultDependencies=no
+Requires=sysinit.target selinux-autorelabel.service
+Conflicts=shutdown.target
+After=sysinit.target selinux-autorelabel.service
+ConditionSecurity=selinux
-- 
Gitee