From patchwork Wed Nov 2 07:30:50 2022
X-Patchwork-Submitter: Yi Zhao
X-Patchwork-Id: 14696
From: Yi Zhao
To: yocto@lists.yoctoproject.org, joe_macdonald@mentor.com, joe@deserted.net
Subject: [meta-selinux][PATCH 2/4] base-files: set correct label for /var/volatile
Date: Wed, 2 Nov 2022 15:30:50 +0800
Message-Id: <20221102073052.1567876-2-yi.zhao@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221102073052.1567876-1-yi.zhao@windriver.com>
References: <20221102073052.1567876-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/58467

By default /var/volatile will be mounted with tmpfs_t instead of the var_t label, which will cause us to have to add some extra rules to eliminate avc denials of some services. Set rootcontext for /var/volatile in fstab to make sure it is mounted with the correct label.

Signed-off-by: Yi Zhao
---
 recipes-core/base-files/base-files_%.bbappend  |  1 +
 recipes-core/base-files/base-files_selinux.inc | 13 +++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 recipes-core/base-files/base-files_%.bbappend
 create mode 100644 recipes-core/base-files/base-files_selinux.inc

diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 0000000..f167033 --- /dev/null +++ b/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)} diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc new file mode 100644 index 0000000..f2373aa --- /dev/null +++ b/recipes-core/base-files/base-files_selinux.inc @@ -0,0 +1,13 @@ +REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}" + +do_install:append () { + if [ -n "${REFPOLICY_TYPE}" ]; then + if [ "${REFPOLICY_TYPE}" = "standard" ]; then + sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \ + ${D}${sysconfdir}/fstab + else + sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \ + ${D}${sysconfdir}/fstab + fi + fi +}
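Review bot: in the base-files_selinux.inc hunk, both `sed -i` commands match only a /var/volatile line whose option field is the literal `defaults`, so on any fstab where that line already carries different options the substitution silently does nothing and the image still mounts /var/volatile as tmpfs_t with no build-time indication that the rootcontext fix was skipped; either widen the match to the whole mount entry (`/var/volatile\s\+tmpfs\s\+[^ \t]\+`) so `&,rootcontext=...` is appended to whatever options are present, or follow the sed with a `grep -q rootcontext= ${D}${sysconfdir}/fstab || bbfatal "..."` so a missed edit fails the task instead of shipping a mislabelled mount. A smaller robustness gap in the same hunk: `d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1]` raises AttributeError when the variable is unset (getVar returns None) and IndexError when the provider name has no dash, so the trailing `or ''` never gets a chance to apply; `(d.getVar('PREFERRED_PROVIDER_virtual/refpolicy') or '-').split('-')[1]` would reduce the failure modes to the empty string that the `[ -n "${REFPOLICY_TYPE}" ]` check in do_install already handles.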