aboutsummaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorGravatar Antoine Tenart <antoine.tenart@bootlin.com>2020-07-31 12:10:27 +0200
committerGravatar Thomas Petazzoni <thomas.petazzoni@bootlin.com>2020-09-04 10:49:30 +0200
commitb843d7817398e0b085a126f95d13ecd42b3ce33e (patch)
tree6c51cf0b712818e6be1570a591c548c845dcd7c6 /fs
parentfde2d3b5244de2220e686a2370dc38d2df265c39 (diff)
downloadbuildroot-b843d7817398e0b085a126f95d13ecd42b3ce33e.tar.gz
buildroot-b843d7817398e0b085a126f95d13ecd42b3ce33e.tar.bz2
fs/common.mk: set SELinux file security contexts
Set the SELinux file security contexts using setfiles when generating root filesystem images. Without such security contexts created at build time, they need to be setup at first boot by running the restorecon utility on the target. This has two drawbacks: - You have to special case the first boot, which cannot be done in enforcing mode, and will have to run restorecon, then reboot. - You cannot support read-only filesystems. By setting up the security contexts at build time, we can have a filesystem image that is immediately ready to boot an SELinux system in enforcing mode, including if the root filesystem is read-only. Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/common.mk11
1 files changed, 11 insertions, 0 deletions
diff --git a/fs/common.mk b/fs/common.mk
index 842ea924a5..1b44dc42ba 100644
--- a/fs/common.mk
+++ b/fs/common.mk
@@ -49,6 +49,16 @@ ROOTFS_COMMON_DEPENDENCIES = \
$(BR2_TAR_HOST_DEPENDENCY) \
$(if $(PACKAGES_USERS)$(ROOTFS_USERS_TABLES),host-mkpasswd)
+ifeq ($(BR2_PACKAGE_REFPOLICY),y)
+define ROOTFS_SELINUX
+ $(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
+ -c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \
+ $(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \
+ $(TARGET_DIR)
+endef
+ROOTFS_COMMON_DEPENDENCIES += host-policycoreutils
+endif
+
ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES = $(sort \
$(if $(filter undefined,$(origin ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X)), \
$(eval ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X := \
@@ -172,6 +182,7 @@ $$(BINARIES_DIR)/$$(ROOTFS_$(2)_FINAL_IMAGE_NAME): $$(ROOTFS_$(2)_DEPENDENCIES)
$$(foreach hook,$$(ROOTFS_$(2)_PRE_GEN_HOOKS),\
$$(call PRINTF,$$($$(hook))) >> $$(FAKEROOT_SCRIPT)$$(sep))
$$(call PRINTF,$$(ROOTFS_REPRODUCIBLE)) >> $$(FAKEROOT_SCRIPT)
+ $$(call PRINTF,$$(ROOTFS_SELINUX)) >> $$(FAKEROOT_SCRIPT)
$$(call PRINTF,$$(ROOTFS_$(2)_CMD)) >> $$(FAKEROOT_SCRIPT)
chmod a+x $$(FAKEROOT_SCRIPT)
PATH=$$(BR_PATH) FAKEROOTDONTTRYCHOWN=1 $$(HOST_DIR)/bin/fakeroot -- $$(FAKEROOT_SCRIPT)