* [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds
@ 2021-07-23 12:47 José Pekkarinen
2021-07-23 14:42 ` Baruch Siach
2021-07-24 21:36 ` Thomas Petazzoni
0 siblings, 2 replies; 5+ messages in thread
From: José Pekkarinen @ 2021-07-23 12:47 UTC (permalink / raw)
To: buildroot; +Cc: José Pekkarinen
Currently restorecond init script sources the
file /etc/rc.d/init.d/functions, that in some
init systems, like sysvinit, may not be available,
however, it doesn't actually use any function
from it.
Also, the init script uses daemon, that is not
marked as a dependency. So this patch adds its
dependency to guarantee it's present in the build.
Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
---
package/restorecond/Config.in | 2 +
package/restorecond/S20restorecond | 86 ++++++++++++++++++++++++++++++
package/restorecond/restorecond.mk | 4 +-
3 files changed, 90 insertions(+), 2 deletions(-)
create mode 100644 package/restorecond/S20restorecond
diff --git a/package/restorecond/Config.in b/package/restorecond/Config.in
index 31f85f2882..c2e773eace 100644
--- a/package/restorecond/Config.in
+++ b/package/restorecond/Config.in
@@ -4,11 +4,13 @@ config BR2_PACKAGE_RESTORECOND
depends on BR2_USE_WCHAR # libglib2
depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
depends on !BR2_STATIC_LIBS # libselinux
+ depends on BR2_PACKAGE_DAEMON # daemon
select BR2_PACKAGE_DBUS
select BR2_PACKAGE_DBUS_GLIB
select BR2_PACKAGE_LIBGLIB2
select BR2_PACKAGE_LIBSELINUX
select BR2_PACKAGE_LIBSEPOL
+ select BR2_PACKAGE_DAEMON
help
restorecond is a daemon that watches for file creation and
then sets the default SELinux file context for that file.
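Review bot: `depends on BR2_PACKAGE_DAEMON` and `select BR2_PACKAGE_DAEMON` are applied to the same symbol in this hunk, and they work against each other: the `depends on` hides restorecond until daemon has been enabled by hand, at which point the `select` does nothing. Keep only the `select`, and since daemon is only called from the init script, annotate it as `select BR2_PACKAGE_DAEMON # runtime`. If daemon has toolchain requirements of its own, mirror those in the `depends on` lines above rather than depending on the package symbol.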
diff --git a/package/restorecond/S20restorecond b/package/restorecond/S20restorecond
new file mode 100644
index 0000000000..df6f53fe3f
--- /dev/null
+++ b/package/restorecond/S20restorecond
@@ -0,0 +1,86 @@
+#!/bin/sh
+#
+# restorecond: Daemon used to maintain path file context
+#
+# chkconfig: - 12 87
+# description: restorecond uses inotify to look for creation of new files \
+# listed in the /etc/selinux/restorecond.conf file, and restores the \
+# correct security context.
+#
+# processname: /usr/sbin/restorecond
+# config: /etc/selinux/restorecond.conf
+# pidfile: /run/restorecond.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0 || exit 4
+
+test -x /usr/sbin/restorecond || exit 5
+test -f /etc/selinux/restorecond.conf || exit 6
+
+RETVAL=0
+
+start()
+{
+ echo -n $"Starting restorecond: "
+ unset HOME MAIL USER USERNAME
+ daemon /usr/sbin/restorecond
+ RETVAL=$?
+ touch /var/lock/subsys/restorecond
+ echo
+ return $RETVAL
+}
+
+stop()
+{
+ echo -n $"Shutting down restorecond: "
+ killproc restorecond
+ RETVAL=$?
+ rm -f /var/lock/subsys/restorecond
+ echo
+ return $RETVAL
+}
+
+restart()
+{
+ stop
+ start
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ status)
+ status restorecond
+ RETVAL=$?
+ ;;
+ force-reload|restart|reload)
+ restart
+ ;;
+ condrestart)
+ [ -e /var/lock/subsys/restorecond ] && restart || :
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
+ RETVAL=3
+esac
+
+exit $RETVAL
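Review bot: `stop()` calls `killproc restorecond` and the `status)` branch calls `status restorecond`, but neither is defined in this file and nothing is sourced, so on a target without those helpers `stop`, `restart`, `condrestart` and `status` fail with command-not-found, which contradicts the commit message's statement that no function from the functions file is used. Replace both with something the target is known to ship, for example `start-stop-daemon` against the pidfile named in the header. Separately, `test $EUID = 0` under `#!/bin/sh` relies on a bash variable: where the shell does not set `EUID` the unquoted expansion is empty, the comparison is malformed, and when it fails the script exits 4 even for root, leaving restorecond (and its SELinux relabelling) silently off; `[ "$(id -u)" = 0 ]` is portable. `start()` also touches `/var/lock/subsys/restorecond` regardless of `RETVAL`, so `condrestart` treats a failed start as a running service, and `$"..."` is a bash-only construct that a POSIX shell prints with a literal `$`.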
diff --git a/package/restorecond/restorecond.mk b/package/restorecond/restorecond.mk
index 7ab7e978dd..1546661baf 100644
--- a/package/restorecond/restorecond.mk
+++ b/package/restorecond/restorecond.mk
@@ -9,7 +9,7 @@ RESTORECOND_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
RESTORECOND_LICENSE = GPL-2.0
RESTORECOND_LICENSE_FILES = COPYING
-RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib
+RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib daemon
# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
# large file support.
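Review bot: adding `daemon` to `RESTORECOND_DEPENDENCIES` creates a build-order dependency, but the only use of daemon visible in this patch is the `daemon /usr/sbin/restorecond` call in the init script, which runs on the target at boot. Drop it from this line and rely on `select BR2_PACKAGE_DAEMON` in Config.in to get the binary into the image.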
@@ -27,7 +27,7 @@ define RESTORECOND_BUILD_CMDS
endef
define RESTORECOND_INSTALL_INIT_SYSV
- $(INSTALL) -m 0755 -D $(@D)/restorecond.init \
+ $(INSTALL) -m 0755 -D package/restorecond/S20restorecond \
$(TARGET_DIR)/etc/init.d/S20restorecond
endef
--
2.25.1
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds
2021-07-23 12:47 [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds José Pekkarinen
@ 2021-07-23 14:42 ` Baruch Siach
2021-07-26 5:06 ` José Pekkarinen
2021-07-24 21:36 ` Thomas Petazzoni
1 sibling, 1 reply; 5+ messages in thread
From: Baruch Siach @ 2021-07-23 14:42 UTC (permalink / raw)
To: José Pekkarinen; +Cc: buildroot
Hi José,
On Fri, Jul 23 2021, José Pekkarinen wrote:
> Currently restorecond init script sources the
> file /etc/rc.d/init.d/functions, that in some
> init systems, like sysvinit, may not be available,
> however, it doesn't actually use any function
> from it.
>
> Also, the init script uses daemon, that is not
> marked as a dependency. So this patch adds its
> dependency to guarantee it's present in the build.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> package/restorecond/Config.in | 2 +
> package/restorecond/S20restorecond | 86 ++++++++++++++++++++++++++++++
> package/restorecond/restorecond.mk | 4 +-
> 3 files changed, 90 insertions(+), 2 deletions(-)
> create mode 100644 package/restorecond/S20restorecond
>
> diff --git a/package/restorecond/Config.in b/package/restorecond/Config.in
> index 31f85f2882..c2e773eace 100644
> --- a/package/restorecond/Config.in
> +++ b/package/restorecond/Config.in
> @@ -4,11 +4,13 @@ config BR2_PACKAGE_RESTORECOND
> depends on BR2_USE_WCHAR # libglib2
> depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
> depends on !BR2_STATIC_LIBS # libselinux
> + depends on BR2_PACKAGE_DAEMON # daemon
No need to depend on a package you select.
> select BR2_PACKAGE_DBUS
> select BR2_PACKAGE_DBUS_GLIB
> select BR2_PACKAGE_LIBGLIB2
> select BR2_PACKAGE_LIBSELINUX
> select BR2_PACKAGE_LIBSEPOL
> + select BR2_PACKAGE_DAEMON
Since BR2_PACKAGE_RESTORECOND depends on MMU and THREADS already, there
is no need to add dependencies. But it would be nice to add "daemon"
in the comment next to these dependencies above.
> help
> restorecond is a daemon that watches for file creation and
> then sets the default SELinux file context for that file.
[...]
> diff --git a/package/restorecond/restorecond.mk b/package/restorecond/restorecond.mk
> index 7ab7e978dd..1546661baf 100644
> --- a/package/restorecond/restorecond.mk
> +++ b/package/restorecond/restorecond.mk
> @@ -9,7 +9,7 @@ RESTORECOND_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
> RESTORECOND_LICENSE = GPL-2.0
> RESTORECOND_LICENSE_FILES = COPYING
>
> -RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib
> +RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib daemon
This is a run-time dependency, right? If so there is no need for daemon
to build before restorecond. But add a "runtime" comment next to
select BR2_PACKAGE_DAEMON.
baruch
>
> # Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> # large file support.
> @@ -27,7 +27,7 @@ define RESTORECOND_BUILD_CMDS
> endef
>
> define RESTORECOND_INSTALL_INIT_SYSV
> - $(INSTALL) -m 0755 -D $(@D)/restorecond.init \
> + $(INSTALL) -m 0755 -D package/restorecond/S20restorecond \
> $(TARGET_DIR)/etc/init.d/S20restorecond
> endef
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* Re: [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds
2021-07-23 12:47 [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds José Pekkarinen
2021-07-23 14:42 ` Baruch Siach
@ 2021-07-24 21:36 ` Thomas Petazzoni
2021-07-26 5:29 ` José Pekkarinen
1 sibling, 1 reply; 5+ messages in thread
From: Thomas Petazzoni @ 2021-07-24 21:36 UTC (permalink / raw)
To: José Pekkarinen; +Cc: buildroot
On Fri, 23 Jul 2021 15:47:54 +0300
José Pekkarinen <jose.pekkarinen@unikie.com> wrote:
> Currently restorecond init script sources the
> file /etc/rc.d/init.d/functions, that in some
> init systems, like sysvinit, may not be available,
> however, it doesn't actually use any function
> from it.
>
> Also, the init script uses daemon, that is not
> marked as a dependency. So this patch adds its
> dependency to guarantee it's present in the build.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Thanks for this patch. However, if we are going to use our own init
script for restorecond, it should follow our "model" for init scripts,
package/busybox/S01syslogd. This means it should use start-stop-daemon,
instead of daemon, if possible.
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds
2021-07-23 14:42 ` Baruch Siach
@ 2021-07-26 5:06 ` José Pekkarinen
0 siblings, 0 replies; 5+ messages in thread
From: José Pekkarinen @ 2021-07-26 5:06 UTC (permalink / raw)
To: Baruch Siach; +Cc: buildroot
On Fri, Jul 23, 2021 at 5:42 PM Baruch Siach <baruch@tkos.co.il> wrote:
> [...]
>
> > diff --git a/package/restorecond/restorecond.mk b/package/restorecond/
> restorecond.mk
> > index 7ab7e978dd..1546661baf 100644
> > --- a/package/restorecond/restorecond.mk
> > +++ b/package/restorecond/restorecond.mk
> > @@ -9,7 +9,7 @@ RESTORECOND_SITE =
> https://github.com/SELinuxProject/selinux/releases/download/2
> > RESTORECOND_LICENSE = GPL-2.0
> > RESTORECOND_LICENSE_FILES = COPYING
> >
> > -RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib
> > +RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib daemon
>
> This is a run-time dependency, right? If so there is no need for daemon
> to build before restorecond. But add a "runtime" comment next to
> select BR2_PACKAGE_DAEMON.
>
Hi,
Yes, this is a runtime dependency as it comes from the
original source code, the init script provided from upstream calls
it in. If we want it to work out-of-the-box we have to automatically
select it at least.
Thanks for the comments!
José.
* Re: [Buildroot] [PATCH] Fix restorecond startup for sysvinit builds
2021-07-24 21:36 ` Thomas Petazzoni
@ 2021-07-26 5:29 ` José Pekkarinen
0 siblings, 0 replies; 5+ messages in thread
From: José Pekkarinen @ 2021-07-26 5:29 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: buildroot
On Sun, Jul 25, 2021 at 12:36 AM Thomas Petazzoni <
thomas.petazzoni@bootlin.com> wrote:
> On Fri, 23 Jul 2021 15:47:54 +0300
> José Pekkarinen <jose.pekkarinen@unikie.com> wrote:
>
> > Currently restorecond init script sources the
> > file /etc/rc.d/init.d/functions, that in some
> > init systems, like sysvinit, may not be available,
> > however, it doesn't actually use any function
> > from it.
> >
> > Also, the init script uses daemon, that is not
> > marked as a dependency. So this patch adds its
> > dependency to guarantee it's present in the build.
> >
> > Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
>
> Thanks for this patch. However, if we are going to use our own init
> script for restorecond, it should follow our "model" for init scripts,
> package/busybox/S01syslogd. This means it should use start-stop-daemon,
> instead of daemon, if possible.
>
Thanks for the comment, this is the minor effort approach to
make the upstream init script work, rewriting it with start-stop-daemon
is certainly something possible, I'll see what I can do in that direction.
Best regards.
José.