Label /sys before selinux-autorelabel units run (bsc#1232709)

Addresses: Oct 31 08:19:17 localhost.localdomain kernel: audit: type=1400 audit(1730362757.524:6): avc: denied { read } for pid=1753 comm="restorecon" name="online" dev="sysfs" ino=45 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
openSUSE · Nov 14, 2024 · 0435aa6 · 0435aa6
1 parent a4b7e76
commit 0435aa6
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 0 deletions.
diff --git a/microos-tools.spec b/microos-tools.spec
@@ -90,15 +90,24 @@ This package contains tools to make developing of MicroOS easier.
 %postun -n microos-devel-tools
 %service_del_postun microos-ro.service
 
+%pre -n selinux-autorelabel
+%service_add_pre systemd-tmpfiles-setup-sys.service
+
 %post -n selinux-autorelabel
 %{regenerate_initrd_post}
+%service_add_post systemd-tmpfiles-setup-sys.service
+
+%preun -n selinux-autorelabel
+%service_del_preun systemd-tmpfiles-setup-sys.service
 
 %postun -n selinux-autorelabel
 %{regenerate_initrd_post}
+%service_del_postun systemd-tmpfiles-setup-sys.service
 
 %posttrans -n selinux-autorelabel
 %{regenerate_initrd_posttrans}
 
+
 %files
 %dir %{_sysconfdir}/selinux
 %config %{_sysconfdir}/selinux/fixfiles_exclude_dirs
@@ -120,6 +129,7 @@ This package contains tools to make developing of MicroOS easier.
 %dir %{_prefix}/lib/dracut/modules.d
 %{_prefix}/lib/dracut/modules.d/98selinux-microos
 %{_systemdgeneratordir}/selinux-autorelabel-generator
+%{_unitdir}/systemd-tmpfiles-setup-sys.service
 
 %files -n microos-devel-tools
 %{_unitdir}/microos-ro.service

diff --git a/selinux/Makefile.am b/selinux/Makefile.am
@@ -1,5 +1,6 @@
 modulesdir = @dracutmodulesdir@/98selinux-microos
 selinuxdir = @sysconfdir@/selinux
+systemddir = $(systemdsystemunitdir)
 
 modules_SCRIPTS = 98selinux-microos/selinux-microos-relabel.sh \
 	98selinux-microos/module-setup.sh
@@ -8,4 +9,6 @@ selinux_DATA = fixfiles_exclude_dirs
 
 systemdgenerator_SCRIPTS = selinux-autorelabel-generator
 
+systemd_DATA = systemd-tmpfiles-setup-sys.service
+
 EXTRA_DIST = $(SCRIPTS) $(DATA)
diff --git a/selinux/selinux-autorelabel-generator b/selinux/selinux-autorelabel-generator
@@ -36,6 +36,8 @@ enable_units() {
 			[Unit]
 			Description=Relabel ${realdir}
 			DefaultDependencies=no
+			Requires=systemd-tmpfiles-setup-sys.service
+			After=systemd-tmpfiles-setup-sys.service
 			RequiresMountsFor=${realdir}
 			Before=local-fs.target
 			ConditionSecurity=selinux

diff --git a/selinux/systemd-tmpfiles-setup-sys.service b/selinux/systemd-tmpfiles-setup-sys.service
@@ -0,0 +1,29 @@
+# Workaround for bsc#1232709
+# 
+# SELinux labels need to be set for certain /sys entries
+# before restorecon -T0 can be run by the selinux-autorelabel
+# generated unit files.
+# 
+# The /sys entries that need to be labeled in advance are defined in:
+# /usr/lib/tmpfiles.d/selinux-policy.conf
+#
+# This can be removed in case systemd upstream adds /sys
+# to their mount_setup: 
+# https://github.com/systemd/systemd/blob/bdf75118bade008b6a465173c02933eb377aef0d/src/shared/mount-setup.c#L407
+
+[Unit]
+Description=Set correct SELinux labels in /sys
+Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+
+DefaultDependencies=no
+Before=sysinit.target local-fs-pre.target systemd-udevd.service
+Wants=local-fs-pre.target
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-tmpfiles --prefix=/sys --create --boot
+SuccessExitStatus=DATAERR CANTCREAT
+ImportCredential=tmpfiles.*