Label /sys before selinux-autorelabel units run (bsc#1232709)

openSUSE · Nov 13, 2024 · 209738b · 209738b
1 parent a4b7e76
commit 209738b
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 0 deletions.
diff --git a/microos-tools.spec b/microos-tools.spec
@@ -90,15 +90,24 @@ This package contains tools to make developing of MicroOS easier.
 %postun -n microos-devel-tools
 %service_del_postun microos-ro.service
 
+%pre -n selinux-autorelabel
+%service_add_pre systemd-tmpfiles-setup-sys.service
+
 %post -n selinux-autorelabel
 %{regenerate_initrd_post}
+%service_add_post systemd-tmpfiles-setup-sys.service
+
+%preun -n selinux-autorelabel
+%service_del_preun systemd-tmpfiles-setup-sys.service
 
 %postun -n selinux-autorelabel
 %{regenerate_initrd_post}
+%service_add_postun systemd-tmpfiles-setup-sys.service
 
 %posttrans -n selinux-autorelabel
 %{regenerate_initrd_posttrans}
 
+
 %files
 %dir %{_sysconfdir}/selinux
 %config %{_sysconfdir}/selinux/fixfiles_exclude_dirs
@@ -120,6 +129,7 @@ This package contains tools to make developing of MicroOS easier.
 %dir %{_prefix}/lib/dracut/modules.d
 %{_prefix}/lib/dracut/modules.d/98selinux-microos
 %{_systemdgeneratordir}/selinux-autorelabel-generator
+%{_unitdir}/systemd-tmpfiles-setup-sys.service
 
 %files -n microos-devel-tools
 %{_unitdir}/microos-ro.service

diff --git a/selinux/Makefile.am b/selinux/Makefile.am
@@ -1,5 +1,6 @@
 modulesdir = @dracutmodulesdir@/98selinux-microos
 selinuxdir = @sysconfdir@/selinux
+systemddir = $(systemdsystemunitdir)
 
 modules_SCRIPTS = 98selinux-microos/selinux-microos-relabel.sh \
 	98selinux-microos/module-setup.sh
@@ -8,4 +9,6 @@ selinux_DATA = fixfiles_exclude_dirs
 
 systemdgenerator_SCRIPTS = selinux-autorelabel-generator
 
+systemd_DATA = systemd-tmpfiles-setup-sys.service
+
 EXTRA_DIST = $(SCRIPTS) $(DATA)
diff --git a/selinux/selinux-autorelabel-generator b/selinux/selinux-autorelabel-generator
@@ -36,6 +36,8 @@ enable_units() {
 			[Unit]
 			Description=Relabel ${realdir}
 			DefaultDependencies=no
+			Requires=systemd-tmpfiles-setup-sys.service
+			After=systemd-tmpfiles-setup-sys.service
 			RequiresMountsFor=${realdir}
 			Before=local-fs.target
 			ConditionSecurity=selinux

diff --git a/selinux/systemd-tmpfiles-setup-sys.service b/selinux/systemd-tmpfiles-setup-sys.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Set correct SELinux labels in /sys
+Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+
+DefaultDependencies=no
+Before=sysinit.target local-fs-pre.target
+Wants=local-fs-pre.target
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+ConditionSecurity=selinux
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-tmpfiles --prefix=/sys --create --boot
+SuccessExitStatus=DATAERR CANTCREAT