!6 Add selinux-autorelabel

Merge pull request !6 from guoxiaoqi/next

policycoreutils.spec

@@ -2,7 +2,7 @@
 
 Name:      policycoreutils
 Version:   2.8
-Release:   11
+Release:   12
 Summary:   Policy core utilities of selinux
 License:   GPLv2
 URL:       https://github.com/SELinuxProject
@@ -12,30 +12,35 @@ Source3:   https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/r
 Source4:   https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-dbus-2.8.tar.gz
 Source5:   https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/semodule-utils-2.8.tar.gz
 Source6:   https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/restorecond-2.8.tar.gz
+Source7:   selinux-autorelabel
+Source8:   selinux-autorelabel.service
+Source9:   selinux-autorelabel-mark.service
+Source10:  selinux-autorelabel.target
+Source11:  selinux-autorelabel-generator.sh
 
-Patch6000: python-sepolgen-fix-typo-in-PathChoooser-name.patch
+Patch0: python-sepolgen-fix-typo-in-PathChoooser-name.patch
-Patch6001: policycoreutils-secon-free-scon_trans-before-returni.patch
+Patch1: policycoreutils-secon-free-scon_trans-before-returni.patch
-Patch6002: python-sepolicy-fix-procotol-misspelling.patch
+Patch2: python-sepolicy-fix-procotol-misspelling.patch
-Patch6003: restorecond-Do-not-ignore-the-f-option.patch
+Patch3: restorecond-Do-not-ignore-the-f-option.patch
-Patch6004: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
+Patch4: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
-Patch6005: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
+Patch5: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
-Patch6006: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
+Patch6: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
-Patch6007: python-chcat-use-check_call-instead-of-getstatusoutp.patch
+Patch7: python-chcat-use-check_call-instead-of-getstatusoutp.patch
-Patch6008: python-chcat-fix-removing-categories-on-users-with-F.patch
+Patch8: python-chcat-fix-removing-categories-on-users-with-F.patch
-Patch6009: python-sepolicy-search-also-for-dontaudit-rules.patch
+Patch9: python-sepolicy-search-also-for-dontaudit-rules.patch
-Patch6010: python-semanage-move-valid_types-initialisations-to-.patch
+Patch10: python-semanage-move-valid_types-initialisations-to-.patch
-Patch6011: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
+Patch11: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
-Patch6012: python-semanage-Load-a-store-policy-and-set-the-stor.patch
+Patch12: python-semanage-Load-a-store-policy-and-set-the-stor.patch
-Patch6013: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
+Patch13: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
-Patch6014: python-audit2allow-allow-using-audit2why-as-non-root.patch
+Patch14: python-audit2allow-allow-using-audit2why-as-non-root.patch
-Patch6015: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
+Patch15: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
-Patch6016: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
+Patch16: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
-Patch6017: python-use-or-when-comparing-a-variable-with-a-strin.patch
+Patch17: python-use-or-when-comparing-a-variable-with-a-strin.patch
-Patch6018: python-sepolicy-fix-variable-name.patch
+Patch18: python-sepolicy-fix-variable-name.patch
-Patch6019: python-semanage-seobject-Fix-listing-boolean-values.patch
+Patch19: python-semanage-seobject-Fix-listing-boolean-values.patch
-Patch6020: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
+Patch20: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
-Patch9021: fix-fixfiles-N-date-function.patch
+Patch21: fix-fixfiles-N-date-function.patch
-Patch9022: fix-fixfiles-N-date-function-two.patch
+Patch22: fix-fixfiles-N-date-function-two.patch
 
 BuildRequires: pam-devel libsepol-static libsemanage-static libselinux-devel  libcap-devel audit-libs-devel gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python2-devel python3-devel libcap-ng-devel
@@ -179,6 +184,12 @@ rm -rf %{buildroot}%{python2_sitelib}/sepolicy/help
 rm -f  %{buildroot}%{python3_sitelib}/sepolicy/gui.*
 rm -f  %{buildroot}%{python3_sitelib}/sepolicy/sepolicy.glade
 
+install -m 644 -p %{SOURCE8} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE9} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE10} %{buildroot}/%{_unitdir}/
+install -D -m 755 -p %{SOURCE11} %{buildroot}/%{_systemdgeneratordir}/%{basename:%{SOURCE11}}
+install -m 755 -p %{SOURCE7} %{buildroot}/%{_libexecdir}/selinux/
+
 pathfix.py -i "%{__python2} -Es" -p %{buildroot}%{python2_sitelib}
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage  %{buildroot}%{_bindir}/sandbox \
@@ -297,6 +308,9 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%
 %{_mandir}/*
 
 %changelog
+* Fri Feb 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.8-12
+- Add selinux-autorelabel
+
 * Fri Dec 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.8-11
 - Simplify functions
 

selinux-autorelabel

@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+
+# . /etc/init.d/functions
+
+# If the user has this (or similar) UEFI boot order:
+#
+#             Windows | grub | Linux
+#
+# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
+# would cause the system to boot into Windows again, if the autorelabel was run.
+#
+# This function restores the UEFI boot order, so the user will boot into the
+# previously set (and expected) partition.
+efi_set_boot_next() {
+    # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
+    #       succeed even on system which is not EFI-enabled...
+    if ! efibootmgr > /dev/null 2>&1; then
+        return
+    fi
+
+    # NOTE: It it possible that some other services might be setting the
+    #       'BootNext' item for any reasons, and we shouldn't override it if so.
+    if ! efibootmgr | grep --quiet -e 'BootNext'; then
+        CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
+        efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
+    fi
+}
+
+relabel_selinux() {
+    # if /sbin/init is not labeled correctly this process is running in the
+    # wrong context, so a reboot will be required after relabel
+    AUTORELABEL=
+    . /etc/selinux/config
+    echo "0" > /sys/fs/selinux/enforce
+    [ -x /bin/plymouth ] && plymouth --quit
+
+    if [ "$AUTORELABEL" = "0" ]; then
+	echo
+	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+	echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+	echo $"*** problems. Dropping you to a shell; the system will reboot"
+	echo $"*** when you leave the shell."
+	sulogin
+
+    else
+	echo
+	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+	echo $"*** Relabeling could take a very long time, depending on file"
+	echo $"*** system size and speed of hard drives."
+
+	FORCE=`cat /.autorelabel`
+        [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+	/sbin/fixfiles $FORCE restore
+    fi
+
+    rm -f  /.autorelabel
+    /usr/lib/dracut/dracut-initramfs-restore
+    efi_set_boot_next
+    if [ -x /usr/bin/grub2-editenv ]; then
+        grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
+    fi
+    sync
+    systemctl --force reboot
+}
+
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+    relabel_selinux
+fi

selinux-autorelabel-generator.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# This systemd.generator(7) detects if SELinux is running and if the
+# user requested an autorelabel, and if so sets the default target to
+# selinux-autorelabel.target, which will cause the filesystem to be
+# relabelled and then the system will reboot again and boot into the
+# real default target.
+
+PATH=/usr/sbin:$PATH
+unitdir=/usr/lib/systemd/system
+
+# If invoked with no arguments (for testing) write to /tmp.
+earlydir="/tmp"
+if [ -n "$2" ]; then
+    earlydir="$2"
+fi
+
+set_target ()
+{
+    ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+}
+
+if selinuxenabled; then
+    if test -f /.autorelabel; then
+        set_target
+    elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+        set_target
+    fi
+fi

selinux-autorelabel-mark.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

selinux-autorelabel.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Relabel all filesystems
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=shutdown.target
+ConditionSecurity=selinux
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty

selinux-autorelabel.target

@@ -0,0 +1,7 @@
+[Unit]
+Description=Relabel all filesystems and reboot
+DefaultDependencies=no
+Requires=sysinit.target selinux-autorelabel.service
+Conflicts=shutdown.target
+After=sysinit.target selinux-autorelabel.service
+ConditionSecurity=selinux