本文介绍了解决persist分区SELinux权限问题的过程。通过分析init启动过程,明确了需要在init.rc文件中添加restorecon_recursive命令来确保persist分区正确应用SELinux策略。
文章出处:http://blog.youkuaiyun.com/shift_wwx/article/details/77500458
请转载的朋友标明出处~~
最近需要在平台上添加一个persist 分区,需要添加sepolicy,但是不管怎么修改,发现分区最终 ls -Z 出来一直是:u:object_r:unlabeled:s0,而不是想要的persist_file 属性。
修改如下:
file.te 中:
type persist_file, file_type;file_contexts中:
/persist(/.*)? u:object_r:persist_file:s0
可是为什么没有生效了?
查看了init 中的code:
int main(int argc, char** argv) {
......
if (is_first_stage) {
mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
mkdir("/dev/pts", 0755);
mkdir("/dev/socket", 0755);
mount("devpts", "/dev/pts", "devpts", 0, NULL);
#define MAKE_STR(x) __STRING(x)
mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
mount("sysfs", "/sys", "sysfs", 0, NULL);
}
// We must have some place other than / to create the device nodes for
// kmsg and null, otherwise we won't be able to remount / read-only
// later on. Now that tmpfs is mounted on /dev, we can actually talk
// to the outside world.
open_devnull_stdio();
klog_init();
klog_set_level(KLOG_NOTICE_LEVEL);
NOTICE("init %s started!\n", is_first_stage ? "first stage" : "second stage");
if (!is_first_stage) {
// Indicate that booting is in progress to background fw loaders, etc.
close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000));
property_init();
// If arguments are passed both on the command line and in DT,
// properties set in DT always have priority over the command-line ones.
process_kernel_dt();
process_kernel_cmdline();
// Propagate the kernel variables to internal variables
// used by init as well as the current required properties.
export_kernel_boot_props();
}
// Set up SELinux, including loading the SELinux policy if we're in the kernel domain.
selinux_initialize(is_first_stage);
// If we're in the kernel domain, re-exec init to transition to the init domain now
// that the SELinux policy has been loaded.
if (is_first_stage) {
if (restorecon("/init") == -1) {
ERROR("restorecon failed: %s\n", strerror(errno));
security_failure();
}
char* path = argv[0];
char* args[] = { path, const_cast<char*>("--second-stage"), nullptr };
if (execv(path, args) == -1) {
ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno));
security_failure();
}
}
// These directories were necessarily created before initial policy load
// and therefore need their security context restored to the proper value.
// This must happen before /dev is populated by ueventd.
NOTICE("Running restorecon...\n");
restorecon("/dev");
restorecon("/dev/socket");
restorecon("/dev/__properties__");
restorecon("/property_contexts");
restorecon_recursive("/sys");
......
parser.ParseConfig("/init.rc");
......
selinux_initialize(is_first_stage);
// If we're in the kernel domain, re-exec init to transition to the init domain now
// that the SELinux policy has been loaded.
if (is_first_stage) {
if (restorecon("/init") == -1) {
ERROR("restorecon failed: %s\n", strerror(errno));
security_failure();
}
char* path = argv[0];
char* args[] = { path, const_cast<char*>("--second-stage"), nullptr };
if (execv(path, args) == -1) {
ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno));
security_failure();
}
}
// These directories were necessarily created before initial policy load
// and therefore need their security context restored to the proper value.
// This must happen before /dev is populated by ueventd.
NOTICE("Running restorecon...\n");
restorecon("/dev");
restorecon("/dev/socket");
restorecon("/dev/__properties__");
restorecon("/property_contexts");
restorecon_recursive("/sys");
......
parser.ParseConfig("/init.rc");
......
可以看到在init.rc 解析之前做了selinux 的load,在load 之后都会对一些分区做restorecon的操作,这个应该是说在init.rc 解析之前先做了selinux 的load,也就是file_contexts等load,但是此时并没有persist 分区,所以sepolicy 并没有生效。
看到这,大概就知道之前为什么一直不行了,因为需要restore的操作,所以,最终修改如下:(在init.rc 或者init.*.rc 中:)
restorecon_recursive /persist
对于,restorecon 和 restorecon_recursive 的区别,可以看下code,就是一个递归的效果。
扫一扫
5014
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
