From: José Pekkarinen
Date: Wed, 29 Sep 2021 14:37:31 +0300
To: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/policycoreutils: Add service to handle selinux autorelabel
In-Reply-To: <20210907125841.509792-1-jose.pekkarinen@unikie.com>

Hi,

Can I get some comments here? I'm starting
to do some tests with 2021.08 and I find unlabeled
stuff like the following ones:

[   10.534555] SELinux:  Context Default is not valid (left unmapped).
[   10.562318] audit: type=1400 audit(1632913977.130:4): avc:  denied  { read } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.579085] audit: type=1400 audit(1632913977.146:5): avc:  denied  { open } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[   10.594226] audit: type=1400 audit(1632913977.146:6): avc:  denied  { getattr } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[   10.610371] audit: type=1400 audit(1632913977.146:7): avc:  denied  { search } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.629470] audit: type=1400 audit(1632913977.197:8): avc:  denied  { setattr } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.646993] audit: type=1400 audit(1632913977.214:9): avc:  denied  { write } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.662781] audit: type=1400 audit(1632913977.214:10): avc:  denied  { add_name } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.677266] audit: type=1400 audit(1632913977.214:11): avc:  denied  { create } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1

These make me think adding some way to
handle the autorelabel mechanism is still needed.

Best regards.

José.

On Tue, Sep 7, 2021 at 3:58 PM José Pekkarinen <jose.pekkarinen@unikie.com> wrote:
> This patch adds a system service to check whether the
> autorelabel via is requested or not, and produce the
> labeling of the system under the loaded final kernel,
> including automatically populated fs by the kernel.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
>  .../policycoreutils/S00selinux-autorelabel    | 49 +++++++++++++++++++
>  package/policycoreutils/policycoreutils.mk    |  5 ++
>  2 files changed, 54 insertions(+)
>  create mode 100644 package/policycoreutils/S00selinux-autorelabel
>
> diff --git a/package/policycoreutils/S00selinux-autorelabel b/package/policycoreutils/S00selinux-autorelabel
> new file mode 100644
> index 0000000000..7a47db891f
> --- /dev/null
> +++ b/package/policycoreutils/S00selinux-autorelabel
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +
> +DAEMON="Autorelabel check"
> +
> +start() {
> +    printf 'Starting %s: ' "$DAEMON"
> +
> +    if [ -f /.autorelabel ]; then
> +        echo "Relabeling"
> +        echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
> +        echo "*** Relabeling could take a very long time, depending on file"
> +        echo "*** system size and speed of hard drives."
> +        mount -a
> +        setfiles -m -r /
> +
> +        # Remove label
> +        rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
> +
> +        # Reboot to activate relabeled file system
> +        echo "Automatic reboot in progress."
> +        reboot -f
> +    fi
> +
> +    echo "OK"
> +    return 0
> +}
> +
> +stop() {
> +    printf 'Stopping %s: ' "$DAEMON"
> +    echo "OK"
> +    return 0
> +}
> +
> +restart() {
> +       stop
> +       sleep 1
> +       start
> +}
> +
> +case "$1" in
> +       start|stop|restart)
> +               "$1";;
> +       reload)
> +               # Restart, since there is no true "reload" feature.
> +               restart;;
> +       *)
> +               echo "Usage: $0 {start|stop|restart|reload}"
> +               exit 1
> +esac
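Review bot: `setfiles -m -r /` in start() is missing its required positional arguments: after the options setfiles expects the file_contexts spec file and the pathname(s) to relabel (`-r` only sets the alternate root), so this call cannot relabel anything, yet the script goes on to `rm -f /.autorelabel` and `reboot -f` regardless of its exit status. Suggest passing the policy's file_contexts (under /etc/selinux/${SELINUXTYPE}/contexts/files/ on a refpolicy layout) and `/`, checking the result, and only removing the flag and rebooting on success. Two smaller points in the same function: `failed` is called on the `rm -f` error path but is never defined anywhere in this script, and `${SELINUXTYPE}` is never set (it normally comes from /etc/selinux/config), so the warning banner prints an empty policy name.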
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> index 5290c5b9f8..f698698059 100644
> --- a/package/policycoreutils/policycoreutils.mk
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -93,5 +93,10 @@ define HOST_POLICYCOREUTILS_INSTALL_CMDS
>         )
>  endef
>
> +define POLICYCOREUTILS_INSTALL_INIT_SYSV
> +       $(INSTALL) -m 0755 -D package/policycoreutils/S00selinux-autorelabel \
> +               $(TARGET_DIR)/etc/init.d/S00selinux-autorelabel
> +endef
> +
>  $(eval $(generic-package))
>  $(eval $(host-generic-package))
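Review bot: only the SysV hook is added (POLICYCOREUTILS_INSTALL_INIT_SYSV), so a build with BR2_INIT_SYSTEMD gets no handling of /.autorelabel from this patch at all; either add the matching POLICYCOREUTILS_INSTALL_INIT_SYSTEMD hook or state in the commit message that only SysV/BusyBox init is covered. The S00 prefix is also load-bearing (the script must run before every other rcS script because it relabels and then forces a reboot), which is worth a sentence in the commit message so a later renumbering does not silently break the ordering.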
> -- 
> 2.25.1

-- 
José.
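An added example, not part of the Buildroot thread above: a small parser that scans kernel audit output for AVC denials whose target is still `unlabeled_t`, the symptom José shows, so a post-boot check can tell whether a relabel is pending instead of eyeballing dmesg. The sample input is constructed from the eight AVC lines quoted above plus one extra denial on a properly labeled `var_log_t` file (constructed, so the filter has something to leave out); the regexes and function names are my own.

```python
"""Added example (not part of the Buildroot thread): find AVC denials whose
target is still unlabeled_t, the sign of a file system populated before the
SELinux policy was loaded and never relabeled."""
import re

# Constructed sample input: the eight AVC lines quoted in the message above,
# plus one constructed denial on a correctly labeled var_log_t file (seq 12).
SAMPLE_DMESG = """\
[   10.534555] SELinux:  Context Default is not valid (left unmapped).
[   10.562318] audit: type=1400 audit(1632913977.130:4): avc:  denied  { read } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.579085] audit: type=1400 audit(1632913977.146:5): avc:  denied  { open } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[   10.594226] audit: type=1400 audit(1632913977.146:6): avc:  denied  { getattr } for  pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[   10.610371] audit: type=1400 audit(1632913977.146:7): avc:  denied  { search } for  pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.629470] audit: type=1400 audit(1632913977.197:8): avc:  denied  { setattr } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.646993] audit: type=1400 audit(1632913977.214:9): avc:  denied  { write } for  pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.662781] audit: type=1400 audit(1632913977.214:10): avc:  denied  { add_name } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[   10.677266] audit: type=1400 audit(1632913977.214:11): avc:  denied  { create } for  pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[   11.000000] audit: type=1400 audit(1632913977.300:12): avc:  denied  { write } for  pid=109 comm="auditd" name="audit.log" dev="vda" ino=16388 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:var_log_t tclass=file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value ..." as printed by the kernel.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None for anything that is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'permissive': fields.get('permissive') == '1',
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        # the kernel prints either a full path or just the last component
        'path': fields.get('path') or fields.get('name'),
        'trawcon': fields.get('trawcon'),
    }


def context_type(ctx):
    """Type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':') if ctx else []
    return parts[2] if len(parts) >= 3 else None


def unlabeled_denials(text):
    """All denials in text whose target object type is unlabeled_t."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec['decision'] == 'denied'
                and context_type(rec['tcontext']) == 'unlabeled_t'):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group by (source type, object, class) with the union of denied perms,
    so each unlabeled object is reported once."""
    summary = {}
    for h in hits:
        key = (context_type(h['scontext']), h['path'], h['tclass'])
        summary.setdefault(key, set()).update(h['perms'])
    return summary


def relabel_needed(text):
    """True when any denial targets an unlabeled_t object."""
    return bool(unlabeled_denials(text))


def report(text):
    """One line per unlabeled object plus a totals line; permissive=1 means
    the denial was only logged, in enforcing mode auditd would have failed."""
    hits = unlabeled_denials(text)
    lines = [f"{stype} -> {obj} ({tclass}): {' '.join(sorted(perms))}"
             for (stype, obj, tclass), perms in sorted(summarize(hits).items())]
    enforced = [h for h in hits if not h['permissive']]
    if hits:
        lines.append(f"{len(hits)} denial(s) on unlabeled_t objects, "
                     f"{len(enforced)} of them enforced: relabel needed")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DMESG)) or "no unlabeled_t denials")
```

On a target the same function can be fed `dmesg` output or `/var/log/audit/audit.log`; a non-empty `report()` right after first boot is the cheap check that the relabel service the patch introduces actually did its work before the flag was removed.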
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot