[Buildroot] [PATCH v2] package/libselinux: Add autorelabel for first boot

Yann E. MORIN yann.morin.1998 at free.fr
Fri Aug 20 19:15:41 UTC 2021


José, All,

+Matthew +Adam, our resident SELinux experts: questions for you toward
the end...

On 2021-08-20 15:19 +0300, José Pekkarinen spake thusly:
> On Fri, Aug 20, 2021 at 12:05 AM Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
> > On 2021-08-19 12:29 +0300, José Pekkarinen spake thusly:
> > > Currently buildroot ship libselinux without triggering
> > > this option, which often shows inconsistencies between
> > > what the refpolicy defines as a label for a file and
> > > what the actual file has. Triggering an initial relabel
> > > would help activating enforcing state right away without
> > > requiring to enter it once in permissive and tweak the
> > > labels.
[--SNIP--]
> > Isn't this going to fail on read-only filesystems? Relabelling supposedly
> > requires that extended attributes be added/updated/removed, and that
> > requires a read-write filesystem...
> > Can't we do the re-labelling at the time we create the filesystem, i.e.
> > in fs/common.mk?
> > And it seems we already have that:
[--SNIP--]
> > So why is the labelling wrong? Can't we fix it right there rather than
> > at runtime?
> It is not wrong, it was just unnoticed by my eyeballs,

:-)

> however, there is a case this is not covering properly, and it prevents
> userspace from running right away in enforcing mode, because at
> this time not all files in /dev are populated, and when running it in
> permissive mode, multiple complaints from SELinux about the serial
> devices turn up. If you have some suggestions on how we can
> improve this case, I'm happy to bring more changes.

What I understand from your explanations, above, is that we have to have
some labels (i.e. extended attributes) set on files in /dev, or the
policy may reference objects that are not properly labeled.

OK, so this hit the thick wall circling around my very limited knowledge
of how SELinux works.

Matthew, Adam, any help/explanations/details/review would be much welcome.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'