diff --git a/.github/labeler.yml b/.github/labeler.yml
index 5667c63571..8ff2b03ea5 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -498,10 +498,6 @@ pollcdrom:
   - changed-files:
       - any-glob-to-any-file: 'modules.d/98pollcdrom/*'
 
-selinux:
-  - changed-files:
-      - any-glob-to-any-file: 'modules.d/98selinux/*'
-
 syslog:
   - changed-files:
       - any-glob-to-any-file: 'modules.d/98syslog/*'
diff --git a/modules.d/98selinux/module-setup.sh b/modules.d/98selinux/module-setup.sh
deleted file mode 100755
index 3574b1221e..0000000000
--- a/modules.d/98selinux/module-setup.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# called by dracut
-check() {
-    return 255
-}
-
-# called by dracut
-depends() {
-    return 0
-}
-
-# called by dracut
-install() {
-    inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
-    inst_multiple setenforce chroot
-}
diff --git a/modules.d/98selinux/selinux-loadpolicy.sh b/modules.d/98selinux/selinux-loadpolicy.sh
deleted file mode 100755
index 0235b8ed45..0000000000
--- a/modules.d/98selinux/selinux-loadpolicy.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/sh
-
-# FIXME: load selinux policy. this should really be done after we switchroot
-
-rd_load_policy() {
-    # If SELinux is disabled exit now
-    getarg "selinux=0" > /dev/null && return 0
-
-    SELINUX="enforcing"
-    # shellcheck disable=SC1090
-    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
-
-    # Check whether SELinux is in permissive mode
-    permissive=0
-
-    if getarg "enforcing=0" > /dev/null || [ "$SELINUX" = "permissive" ]; then
-        permissive=1
-    fi
-
-    # Attempt to load SELinux Policy
-    if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
-        local ret=0
-        local out
-        info "Loading SELinux policy"
-        mount -o bind /sys "$NEWROOT"/sys
-        # load_policy does mount /proc and /sys/fs/selinux in
-        # libselinux,selinux_init_load_policy()
-        if [ -x "$NEWROOT/sbin/load_policy" ]; then
-            out=$(LANG=C chroot "$NEWROOT" /sbin/load_policy -i 2>&1)
-            ret=$?
-            info "$out"
-        else
-            out=$(LANG=C chroot "$NEWROOT" /usr/sbin/load_policy -i 2>&1)
-            ret=$?
-            info "$out"
-        fi
-        umount "$NEWROOT"/sys/fs/selinux
-        umount "$NEWROOT"/sys
-
-        if [ "$SELINUX" = "disabled" ]; then
-            return 0
-        fi
-
-        if [ $ret -eq 0 -o $ret -eq 2 ]; then
-            # If machine requires a relabel, force to permissive mode
-            [ -e "$NEWROOT"/.autorelabel ] && LANG=C /usr/sbin/setenforce 0
-            mount --rbind /dev "$NEWROOT/dev"
-            LANG=C chroot "$NEWROOT" /sbin/restorecon -R /dev
-            umount -R "$NEWROOT/dev"
-            return 0
-        fi
-
-        warn "Initial SELinux policy load failed."
-        if [ $ret -eq 3 -o $permissive -eq 0 ]; then
-            warn "Machine in enforcing mode."
-            warn "Not continuing"
-            emergency_shell -n selinux
-            exit 1
-        fi
-        return 0
-    elif [ $permissive -eq 0 -a "$SELINUX" != "disabled" ]; then
-        warn "Machine in enforcing mode and cannot execute load_policy."
-        warn "To disable selinux, add selinux=0 to the kernel command line."
-        warn "Not continuing"
-        emergency_shell -n selinux
-        exit 1
-    fi
-}
-
-rd_load_policy
diff --git a/modules.d/99base/init.sh b/modules.d/99base/init.sh
index 285059e517..391c4be899 100755
--- a/modules.d/99base/init.sh
+++ b/modules.d/99base/init.sh
@@ -5,6 +5,7 @@
 # Copyright 2008-2010, Red Hat, Inc.
 # Harald Hoyer
 # Jeremy Katz
+# Copyright 2024 Guido Trentalancia
 
 export -p > /tmp/export.orig
 
@@ -397,3 +398,63 @@ else
         emergency_shell
     }
 fi
+
+# If SELinux is disabled exit now
+getarg "selinux=0" > /dev/null && return 0
+
+SELINUX="enforcing"
+# shellcheck disable=SC1090
+[ -e "/etc/selinux/config" ] && . "/etc/selinux/config"
+
+# Check whether SELinux is in permissive mode
+permissive=0
+
+if getarg "enforcing=0" > /dev/null || [ "$SELINUX" = "permissive" ]; then
+    permissive=1
+fi
+
+# Finally load the SELinux policy and perform relabeling if needed
+if [ -x "/sbin/load_policy" ] || [ -x "/usr/sbin/load_policy" ]; then
+    local ret=0
+    local out
+    info "Loading SELinux policy"
+
+    if [ -x "/sbin/load_policy" ]; then
+        out=$(LANG=C /sbin/load_policy -i 2>&1)
+        ret=$?
+        info "$out"
+    else
+        out=$(LANG=C /usr/sbin/load_policy -i 2>&1)
+        ret=$?
+        info "$out"
+    fi
+    umount /sys/fs/selinux
+
+    if [ "$SELINUX" = "disabled" ]; then
+        return 0
+    fi
+
+    if [ $ret -eq 0 ] || [ $ret -eq 2 ]; then
+        # If machine requires a relabel, force to permissive mode
+        [ -e "/.autorelabel" ] && LANG=C /usr/sbin/setenforce 0
+        mount --rbind /dev "/dev"
+        LANG=C /sbin/restorecon -R /dev
+        umount -R "/dev"
+        return 0
+    fi
+
+    warn "Initial SELinux policy load failed."
+    if [ $ret -eq 3 ] || [ $permissive -eq 0 ]; then
+        warn "Machine in enforcing mode."
+        warn "Not continuing"
+        emergency_shell -n selinux
+        exit 1
+    fi
+    return 0
+elif [ $permissive -eq 0 ] && [ "$SELINUX" != "disabled" ]; then
+    warn "Machine in enforcing mode and cannot execute load_policy."
+    warn "To disable selinux, add selinux=0 to the kernel command line."
+    warn "Not continuing"
+    emergency_shell -n selinux
+    exit 1
+fi
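Review bot: `local ret=0`, `local out` and the several `return 0` statements in the second init.sh hunk now sit at the top level of the script, outside any function, where `local` is rejected by every shell and `return` has no function to return from — bash reports an error and carries on with status 1, so `getarg "selinux=0" > /dev/null && return 0` no longer skips policy loading as its comment promises, while a shell that treats a top-level `return` like `exit` would end init itself. Keeping the wrapper that the deleted selinux-loadpolicy.sh had fixes both at once: `rd_load_policy() {` before `# If SELinux is disabled exit now`, `}` after the final `fi`, and a `rd_load_policy` call on the line after it. `mount --rbind /dev "/dev"` and `umount -R "/dev"` existed only to give the chroot'd restorecon a populated /dev; without the chroot they bind /dev onto itself and the recursive umount can take /dev's submounts down with it, so `LANG=C /sbin/restorecon -R /dev` can stand alone. I cannot see the lines above ` emergency_shell`; if that `else` branch hands off to the real root with an `exec`, the code appended after `fi` only runs when the hand-off fails, which is worth confirming before relying on this placement.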