On Fri, Aug 20, 2021 at 12:05 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
José, All,

On 2021-08-19 12:29 +0300, José Pekkarinen spake thusly:
> Currently buildroot ships libselinux without triggering
> this option, which often shows inconsistencies between
> what the refpolicy defines as a label for a file and
> what the actual file has. Triggering an initial relabel
> would help activate the enforcing state right away without
> requiring to enter it once in permissive and tweak the
> labels.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> [ v1 -> v2 ] Fix if statement in libselinux recipe
>
>  package/libselinux/Config.in     | 7 +++++++
>  package/libselinux/libselinux.mk | 3 +++
>  2 files changed, 10 insertions(+)
>
> diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
> index 62070c8d59..df8bd7ffd0 100644
> --- a/package/libselinux/Config.in
> +++ b/package/libselinux/Config.in
> @@ -18,3 +18,10 @@ config BR2_PACKAGE_LIBSELINUX

>  comment "libselinux needs a toolchain w/ threads, dynamic library"
>       depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
> +
> +config BR2_PACKAGE_LIBSELINUX_AUTORELABEL
> +     bool
> +     depends on BR2_PACKAGE_LIBSELINUX
> +     depends on BR2_PACKAGE_FINDUTILS
> +     depends on BR2_PACKAGE_GREP
> +     default y
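Review bot: BR2_PACKAGE_LIBSELINUX_AUTORELABEL is declared as a bare `bool` with no prompt and no help text, so with `default y` it is switched on silently whenever libselinux, findutils and grep are all enabled, and it cannot be turned off from menuconfig. Give it a prompt string and a help paragraph that says what the relabel marker does and why findutils and grep are required, or, if it is meant to stay hidden, say so in a comment above the symbol.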
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> index fdd13aa942..adf4b3d6f6 100644
> --- a/package/libselinux/libselinux.mk
> +++ b/package/libselinux/libselinux.mk
> @@ -71,6 +71,9 @@ define LIBSELINUX_INSTALL_TARGET_CMDS
>       $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
>               $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR) \
>               $(LIBSELINUX_MAKE_INSTALL_TARGETS)
> +     $(if $(BR2_PACKAGE_LIBSELINUX_AUTORELABEL),
> +             echo "-F" > $(TARGET_DIR)/.autorelabel
> +             mkdir $(TARGET_DIR)/var/lib/selinux)
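Review bot: the `mkdir $(TARGET_DIR)/var/lib/selinux` line has no `-p`, so the install step fails if the directory already exists (for example when the package is installed again into the same target directory) or if `var/lib` is missing. Use `mkdir -p $(TARGET_DIR)/var/lib/selinux`. The commit message should also say why this directory is needed, since it only discusses the relabel.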

Isn't this going to fail on read-only filesystems? Relabelling supposedly
requires that extended attributes be added/updated/removed, and that
requires a read-write filesystem...

Can't we do the re-labelling at the time we create the filesystem, i.e.
in fs/common.mk?

And it seems we already have that:

    ifeq ($(BR2_PACKAGE_REFPOLICY),y)
    define ROOTFS_SELINUX
        $(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
            -c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \
            $(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \
            $(TARGET_DIR)
    endef
    ROOTFS_COMMON_DEPENDENCIES += host-policycoreutils
    endif

So why is the labelling wrong? Can't we fix it right there rather than
at runtime?

It is not wrong, it was just unnoticed by my eyeballs;
however, there is a case this is not covering properly and preventing
the userspace from running right away in enforcing mode, because at
this time not all files in /dev are populated, and when running it in
permissive mode multiple complaints from selinux to the serial
devices turn up. If you have some suggestions how we can
improve this case, I'm happy to bring more changes.

Best regards.

José.