Hi,

Could I get some comments on this? I'm starting
to run some tests with 2021.08 and I'm seeing unlabeled
objects like the following ones:

[   10.534555] SELinux:  Context Default is not valid (left unmapped).
[   10.562318] audit: type=1400 audit(1632913977.130:4): avc:  denied  { read } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.579085] audit: type=1400 audit(1632913977.146:5): avc:  denied  { open } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[   10.594226] audit: type=1400 audit(1632913977.146:6): avc:  denied  { getattr } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[   10.610371] audit: type=1400 audit(1632913977.146:7): avc:  denied  { search } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.629470] audit: type=1400 audit(1632913977.197:8): avc:  denied  { setattr } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.646993] audit: type=1400 audit(1632913977.214:9): avc:  denied  { write } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.662781] audit: type=1400 audit(1632913977.214:10): avc:  denied  { add_name } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.677266] audit: type=1400 audit(1632913977.214:11): avc:  denied  { create } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1

These make me think that adding some way to
handle the autorelabel mechanism is still needed.

Best regards.

José.

On Tue, Sep 7, 2021 at 3:58 PM José Pekkarinen <jose.pekkarinen@unikie.com> wrote:
This patch adds a system service that checks whether an
autorelabel has been requested and, if so, relabels
the system under the final loaded kernel, including
filesystems automatically populated by the kernel.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
---
 .../policycoreutils/S00selinux-autorelabel    | 49 +++++++++++++++++++
 package/policycoreutils/policycoreutils.mk    |  5 ++
 2 files changed, 54 insertions(+)
 create mode 100644 package/policycoreutils/S00selinux-autorelabel

diff --git a/package/policycoreutils/S00selinux-autorelabel b/package/policycoreutils/S00selinux-autorelabel
new file mode 100644
index 0000000000..7a47db891f
--- /dev/null
+++ b/package/policycoreutils/S00selinux-autorelabel
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+DAEMON="Autorelabel check"
+
+start() {
+    printf 'Starting %s: ' "$DAEMON"
+
+    if [ -f /.autorelabel ]; then
+        echo "Relabeling"
+        echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+        echo "*** Relabeling could take a very long time, depending on file"
+        echo "*** system size and speed of hard drives."
+        mount -a
+        setfiles -m -r /
+
+        # Remove label
+        rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+
+        # Reboot to activate relabeled file system
+        echo "Automatic reboot in progress."
+        reboot -f
+    fi
+
+    echo "OK"
+    return 0
+}
+
+stop() {
+    printf 'Stopping %s: ' "$DAEMON"
+    echo "OK"
+    return 0
+}
+
+restart() {
+       stop
+       sleep 1
+       start
+}
+
+case "$1" in
+       start|stop|restart)
+               "$1";;
+       reload)
+               # Restart, since there is no true "reload" feature.
+               restart;;
+       *)
+               echo "Usage: $0 {start|stop|restart|reload}"
+               exit 1
+esac
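Review bot: The outcome of the relabel is never checked — `setfiles -m -r /` on line 56 is followed unconditionally by `rm -f /.autorelabel` and `reboot -f`, so a failed relabel still clears the flag and reboots into a system that stays unlabeled, which matches the unlabeled_t denials reported at the top of this thread. As written the invocation also appears to lack setfiles' positional arguments (the file_contexts spec file and the path to relabel), and `${SELINUXTYPE}` used in the warning on line 52 is never set in this script; sourcing /etc/selinux/config first is the usual way to obtain it, assuming the target ships that file. The `failed` helper called on the `rm -f` line is not defined anywhere in the file, so that error path would itself abort with "failed: not found". I would check setfiles' status and keep the flag on failure so the relabel is retried at the next boot rather than silently skipped, roughly as below.

```sh
start() {
    printf 'Starting %s: ' "$DAEMON"

    if [ -f /.autorelabel ]; then
        # SELINUXTYPE comes from /etc/selinux/config (assumed present on the target)
        [ -r /etc/selinux/config ] && . /etc/selinux/config
        # … unchanged: relabel warning messages …
        mount -a
        if ! setfiles -m -r / "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" /; then
            echo "FAIL"
            echo "*** Relabeling failed; keeping /.autorelabel so it is retried on next boot." >&2
            return 1
        fi

        # Remove the flag only after a successful relabel
        rm -f /.autorelabel

        # … unchanged: reboot message and reboot -f …
    fi
    # … unchanged: OK / return 0 …
}
```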
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 5290c5b9f8..f698698059 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -93,5 +93,10 @@ define HOST_POLICYCOREUTILS_INSTALL_CMDS
        )
 endef

+define POLICYCOREUTILS_INSTALL_INIT_SYSV
+       $(INSTALL) -m 0755 -D package/policycoreutils/S00selinux-autorelabel \
+               $(TARGET_DIR)/etc/init.d/S00selinux-autorelabel
+endef
+
 $(eval $(generic-package))
 $(eval $(host-generic-package))
--
2.25.1



--
José.