Code Review / AGL / meta-agl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 6c9fa75) | patch
Add SELinux feature 90/27790/2
authorScott Murray <scott.murray@konsulko.com>
Mon, 25 Jul 2022 18:23:13 +0000 (14:23 -0400)
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>
Wed, 27 Jul 2022 12:31:58 +0000 (12:31 +0000)
commit2ea9cbefb8e0923f2f58e7e8022f3e134977a87a
treed9440b8d8ccfaa496086842eef5ca7d588b58a17tree | snapshot
parent6c9fa75459cf86576c47411fc239e0d7896d483ccommit | diff
Add SELinux feature

Add agl-selinux feature to enable SELinux support.

Notes:
- SELinux is in permissive mode by default for now, and using the
  targeted policy by default.
- The linux-yocto specific bbappend in meta-selinux is masked out in
  favor of adding a more universal kernel configuration fragment with
  AGL's own scheme.
- SELinux specific recipes and bbappends are added via a meta-selinux
  dynamic-layers addition in meta-agl-core to keep using meta-selinux
  optional.  This will avoid issues with the Yocto autobuilder testing
  of meta-agl-core.
- To avoid the effectively hard-coded autorelabel on first boot, a
  bbappend is added to the selinux-autorelabel recipe to remove the
  flag creation.  In the off chance that a build happens on a filesystem
  without xattr support, the logic in the selinux-image bbclass will
  still touch the /.autorelabel flag and trigger relabeling.
- A systemd unit and script are added with a new systemd-selinux-relabel
  recipe to handle relabeling of some systemd generated files that do
  not get handled during root filesystem construction.  Some of these
  can be addressed by some upstream tweaks, but /etc/machine-id will
  always need special handling unless there is a shift to using
  read-only or stateless root by default.  With this workaround we still
  avoid doing a full relabel and reboot on first boot, which helps
  simplify CI.

Bug-AGL: SPEC-4332

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
14 files changed:
meta-agl-core/conf/include/agl-selinux.inc [new file with mode: 0644] blob
meta-agl-core/conf/layer.conf diff | blob | history
meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.service [new file with mode: 0644] blob
meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/files/systemd-selinux-relabel.sh [new file with mode: 0644] blob
meta-agl-core/dynamic-layers/meta-selinux/recipes-core/systemd/systemd-selinux-relabel_1.0.bb [new file with mode: 0644] blob
meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb [new file with mode: 0644] blob
meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bbappend [new file with mode: 0644] blob
meta-agl-core/dynamic-layers/meta-selinux/recipes-security/selinux-scripts/selinux-autorelabel_aglcore.inc [new file with mode: 0644] blob
meta-agl-core/recipes-kernel/linux/linux-agl-config.inc diff | blob | history
meta-agl-core/recipes-kernel/linux/linux/selinux.cfg [new file with mode: 0644] blob
meta-agl-core/recipes-platform/images/agl-image-boot.inc diff | blob | history
templates/feature/agl-selinux/50_bblayers.conf.inc [new file with mode: 0644] blob
templates/feature/agl-selinux/50_local.conf.inc [new file with mode: 0644] blob
templates/feature/agl-selinux/README_feature_agl-selinux.md [new file with mode: 0644] blob
meta-agl layer (core AGL)