build_library: set correct SELinux contexts in final images #368

Closed
wants to merge 1 commit into from
10 changes: 5 additions & 5 deletions build_library/build_image_util.sh
Expand Up @@ -732,6 +732,11 @@ EOF
"${BUILD_DIR}/${image_kconfig}"
fi

# Label the root filesystem using 'file_contexts'.
sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr

write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"

# Zero all fs free space to make it more compressible so auto-update
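Review bot: the two `setfiles -Dv` calls on `${root_fs_dir}` and `${root_fs_dir}/usr` have no result check, so unless this script aborts on every failed command, a failure in either pass leaves the image with unlabelled or partially labelled files while the build still reports success; consider an explicit `|| die` (or whatever error helper this file uses) on both calls, and a short comment on why `/usr` needs its own pass (it is a separately mounted partition, per the `fstrim "${root_fs_dir}/usr"` and "Unmount /usr partition" lines further down). The `semodule -s mcs -i *.pp` line also runs unguarded now; see the note on the next hunk.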
Expand All @@ -741,11 +746,6 @@ EOF
sudo fstrim "${root_fs_dir}/usr" || true
fi

# Build the selinux policy
if pkg_use_enabled coreos-base/coreos selinux; then
sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
fi

# Make the filesystem un-mountable as read-write and setup verity.
if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
# Unmount /usr partition
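Review bot: this drops the `pkg_use_enabled coreos-base/coreos selinux` guard around `semodule`, and the replacement block added earlier in this file runs `semodule` and `setfiles` unconditionally, so builds with the selinux USE flag off will now try to install policy modules into a chroot that may not contain them. If SELinux labelling is meant to be mandatory for every image, the commit message should say so; otherwise wrap the new block in the same `if pkg_use_enabled coreos-base/coreos selinux; then ... fi`.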
19 changes: 18 additions & 1 deletion build_torcx_store
Expand Up @@ -188,7 +188,24 @@ function torcx_package() {
fi

tmpfile="${BUILD_DIR}/${name}:${version}.torcx.tgz"
tar --force-local --selinux --xattrs -C "${tmppkgroot}" -czf "${tmpfile}" .
# build the file_contexts and set labels on the Torcx image content.
sudo chroot "${BOARD_ROOT}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
# temporary move to relabel the torcx files, they can't be relabelled on overlay FS (operation not supported)
sudo mkdir -p /mnt/host/source/src/build/
sudo cp -r "${tmppkgroot}" /mnt/host/source/src/build/torcx
sudo setfiles -Dv -r /mnt/host/source/src/build/torcx "${BOARD_ROOT}/etc/selinux/mcs/contexts/files/file_contexts" /mnt/host/source/src/build/torcx

# this is a bit hacky: we need to copy the file_contexts and the compiled policies from the BOARD_ROOT
# to the SDK. Otherwise, 'tar' will lookup for SELinux labels from the SDK and it will result
# into a partially updated system.
sudo mkdir -p /etc/selinux/mcs/contexts/files/
sudo cp "${BOARD_ROOT}/etc/selinux/mcs/contexts/files/file_contexts" /etc/selinux/mcs/contexts/files/

# sed file_contexts to simulate the root
sudo sed -i "s#^#/mnt/host/source/src/build/torcx#" /etc/selinux/mcs/contexts/files/file_contexts
# debug:
cat /etc/selinux/mcs/contexts/files/file_contexts
tar --force-local --selinux --xattrs -C /mnt/host/source/src/build/torcx -czf "${tmpfile}" .
sha512sum=$(sha512sum "${tmpfile}" | awk '{print $1}')

# TODO(euank): this opaque digest, if it were reproducible, could save
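Review bot: `sudo cp -r "${tmppkgroot}" /mnt/host/source/src/build/torcx` is not idempotent: `torcx_package()` is presumably called once per package, and on the second call the destination directory already exists, so `cp -r` nests the new tree inside it and the tarball built from `/mnt/host/source/src/build/torcx` carries the previous package's files as well. Use a fresh `mktemp -d` (or `rm -rf` the staging directory before copying) and remove it after `tar`. The same block rewrites the SDK's `/etc/selinux/mcs/contexts/files/file_contexts` in place with `sed -i` and never restores it, which leaks per-package build state into the SDK; restore or remove it after the `tar` call, and drop the `# debug:` `cat` before merging.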