From: Antoine Tenart <atenart@kernel.org>
To: José Pekkarinen <jose.pekkarinen@unikie.com>, buildroot@buildroot.org
Cc: José Pekkarinen <jose.pekkarinen@unikie.com>
Subject: Re: [Buildroot] [PATCH] package/policycoreutils: Add service to handle selinux autorelabel
Date: Thu, 30 Sep 2021 10:58:42 +0200
Message-ID: <163299232288.3047.15888178110434706206@kwain>
In-Reply-To: <20210907125841.509792-1-jose.pekkarinen@unikie.com>

Hello José,

Quoting José Pekkarinen (2021-09-07 14:58:41)
> This patch adds a system service to check whether the
> autorelabel via is requested or not, and produce the
> labeling of the system under the loaded final kernel,
> including automatically populated fs by the kernel.

I don't think this is the correct fix, nor can it work across reboots
without relabelling the whole system each time. Relabelling the entire
system is usually done in distros when updating the policy, but here in
Buildroot the policy is tied to a given image version and an update in
the policy should come with a new image.

Now, I'm not saying there is no issue. When using devtmpfs (otherwise
/dev is already labeled at build time) device nodes have a default label
that might not match the loaded policy. The labelling has to be done by
a userspace daemon, usually udev (but restorecond could work with the
right config). This is needed as new devices might appear later.

The issue here, I believe, is that there is a gap between when devtmpfs is
mounted and when udev starts, while other daemons start accessing it. What
is usually done IIRC is to run restorecon on /dev right after it is
mounted. If I'm not mistaken systemd does something similar by default.

This needs investigation but I hope the above gave some pointers.

Thanks,
Antoine
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
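The approach Antoine describes above (relabel /dev with restorecon right after devtmpfs is mounted, before udev and other daemons touch it) written out as an added example; this is not Buildroot's code nor part of the posted patch. It assumes a sysvinit-style script run early in the boot order (the script name, ordering and the `start` argument convention are assumptions), checks that SELinux is actually active and that /dev really is a devtmpfs mount before doing anything, and only then runs `restorecon -R /dev`:

```shell
#!/bin/sh
# Added example, not Buildroot's or the patch author's code.
# Intended to run as an early init script (assumed: before udev starts)
# so that devtmpfs-created nodes carry the labels the loaded policy expects.

# is_devtmpfs_mounted MOUNTPOINT
# Reads a /proc/mounts-style table from stdin and returns 0 when a devtmpfs
# filesystem is mounted at MOUNTPOINT. Taking the table from stdin (instead
# of reading /proc/mounts directly) makes the check testable offline.
is_devtmpfs_mounted() {
    mnt="$1"
    while read -r _dev mountpoint fstype _rest; do
        if [ "$mountpoint" = "$mnt" ] && [ "$fstype" = "devtmpfs" ]; then
            return 0
        fi
    done
    return 1
}

# relabel_dev
# Relabels /dev once, right after the devtmpfs mount. Skips cleanly when the
# kernel has no SELinux support / no policy loaded, or when /dev is not a
# devtmpfs (it was then labelled at image build time already).
relabel_dev() {
    if [ ! -e /sys/fs/selinux/enforce ]; then
        echo "selinuxfs not present, not relabelling /dev"
        return 0
    fi
    if ! is_devtmpfs_mounted /dev < /proc/mounts; then
        echo "/dev is not devtmpfs, labels come from the image"
        return 0
    fi
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not found (policycoreutils missing?)" >&2
        return 1
    fi
    # -R: recurse over the nodes the kernel populated before udev runs.
    restorecon -R /dev
}

# Init-script dispatch. A one-shot action at boot: nothing to undo on stop.
case "${1:-}" in
    start)               relabel_dev ;;
    stop|restart|reload) ;;
    "")                  ;;   # no argument: only define the functions
    *) echo "Usage: $0 start" >&2; exit 1 ;;
esac
```

Devices appearing after udev is up are still udev's job (or restorecond's, with a matching configuration), as the message notes; this script only closes the window between the devtmpfs mount and udev startup.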

Thread overview:
2021-09-07 12:58 [Buildroot] [PATCH] package/policycoreutils: Add service to handle selinux autorelabel José Pekkarinen
2021-09-29 11:37 ` José Pekkarinen
2021-09-29 20:46   ` Arnout Vandecappelle
2021-09-30  8:58 ` Antoine Tenart [this message]
