dustin
/
aimee-os
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Create subvolumes in init-storage 

It turns out that we cannot use `systemd-tmpfiles` to create our Btrfs
subvolumes.  Since the directories we are interested in, specifically
`/var/log` and `/var/tmp` already exist in the rootfs image and are
therefore copied into the mutable filesystem, `systemd-tmpfiles` ignores
them.

To avoid having to explicitly specify the SELinux context for each
subvolume created on the persistent filesystem, `init-storage` now
executes `setfiles` to set the appropriate labels.
master
Dustin 2023-03-15 18:59:25 -05:00
parent 7c3738d067
commit b38f48b72f
3 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
build-rootfs.sh
View File

@ -68,7 +68,6 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
fi fi
rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
sed -i 's:d /var/log :v /var/log :' /mnt/gentoo/lib/tmpfiles.d/var.conf
systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
systemctl preset-all --root=/mnt/gentoo systemctl preset-all --root=/mnt/gentoo

28
overlay/usr/libexec/init-storage
View File

@ -1,6 +1,13 @@
#!/bin/sh #!/bin/sh
# vim: set sw=4 ts=4 sts=4 et : # vim: set sw=4 ts=4 sts=4 et :
SUBVOLUMES='
/var
/var/log
/var/tmp
/etc
'
cleanup() { cleanup() {
if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then
if mountpoint -q "${tmpdir}"; then if mountpoint -q "${tmpdir}"; then
@ -26,10 +33,11 @@ format_dev() {
mkfs.btrfs "${dev}" || exit mkfs.btrfs "${dev}" || exit
mount "${dev}" "${tmpdir}" || exit mount "${dev}" "${tmpdir}" || exit
btrfs subvolume create "${tmpdir}"/var || exit for vol in ${SUBVOLUMES}; do
chcon -t var_t "${tmpdir}"/var || exit mkdir -p "${tmpdir}${vol%/*}" || exit
btrfs subvolume create "${tmpdir}"/etc || exit btrfs subvolume create "${tmpdir}${vol}" || exit
chcon -t etc_t "${tmpdir}"/etc || exit done
relabel_all
umount "${dev}" || exit umount "${dev}" || exit
} }
@ -39,6 +47,18 @@ has_fs() {
[ -n "${fstype}" ] [ -n "${fstype}" ]
} }
relabel_all() {
selinuxtype=$(. /etc/selinux/config && echo ${SELINUXTYPE})
find "${tmpdir}" | \
setfiles \
-v \
-F \
-m \
-r "${tmpdir}" \
-s \
/etc/selinux/${selinuxtype}/contexts/files/file_contexts
}
setup_etc() { setup_etc() {
dev="$1" dev="$1"

5
repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
View File

@ -65,9 +65,10 @@ dontaudit aimee_storinit_t mount_runtime_t:dir write;
seutil_read_config(aimee_storinit_t) seutil_read_config(aimee_storinit_t)
seutil_read_file_contexts(aimee_storinit_t) seutil_read_file_contexts(aimee_storinit_t)
seutil_read_bin_policy(aimee_storinit_t)
seutil_domtrans_setfiles(aimee_storinit_t)
kernel_rw_unlabeled_dirs(aimee_storinit_t) kernel_manage_unlabeled_dirs(aimee_storinit_t)
kernel_relabelfrom_unlabeled_dirs(aimee_storinit_t)
auth_manage_shadow(aimee_storinit_t) auth_manage_shadow(aimee_storinit_t)
auth_relabel_shadow(aimee_storinit_t) auth_relabel_shadow(aimee_storinit_t)