Merge branch 'add_selinux_support' into 'master'

Add SELinux support

See merge request live-team/live-build!354

functions/configuration.sh

@@ -414,6 +414,30 @@ Prepare_config ()
 			;;
 	esac
 
+	LB_SELINUX="${LB_SELINUX:-disable}"
+
+	case "${LB_SELINUX}" in
+		enforced)
+			SELINUX_ENFORCED_CMDLINE="selinux=1 security=selinux enforcing=1"
+			if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_ENFORCED_CMDLINE}"
+			then
+				LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_ENFORCED_CMDLINE}"
+			fi
+		;;
+
+		permissive)
+			SELINUX_PERMISSIVE_CMDLINE="selinux=1 security=selinux enforcing=0"
+			if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_PERMISSIVE_CMDLINE}"
+			then
+				LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_PERMISSIVE_CMDLINE}"
+			fi
+		;;
+
+		disable)
+		;;
+
+	esac
+
 	local _LB_BOOTAPPEND_PRESEED
 	if [ -n "${LB_DEBIAN_INSTALLER_PRESEEDFILE}" ]
 	then
@@ -781,6 +805,11 @@ Validate_config_permitted_values ()
 		exit 1
 	fi
 
+	if ! In_list "${LB_SELINUX}" enforced permissive disable; then
+		Echo_error "You have specified an invalid value for LB_SELINUX (--selinux)."
+		exit 1
+	fi
+
 	if ! In_list "${LB_SOURCE_IMAGES}" iso netboot tar hdd; then
 		Echo_error "You have specified an invalid value for LB_SOURCE_IMAGES (--source-images)."
 		exit 1
@@ -843,6 +872,17 @@ Validate_config_dependencies ()
 		fi
 	fi
 
+	if In_list "${LB_SELINUX}" permissive enforced; then
+		if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]; then
+			Echo_error "You have selected values of LB_SELINUX and LB_CHROOT_FILESYSTEM which are incompatible. SELinux only supports squashfs as the chroot filesystem."
+			exit 1
+		fi
+	fi
+
+	if [ "${LB_SELINUX}" = "enforced" ]; then
+		Echo_warning "A value of 'enforced' for option LB_SELINUX is known not to boot onto an usable Live CD."
+	fi
+
 	Validate_http_proxy
 }
 

manpages/en/lb_config.1

@@ -205,6 +205,8 @@
 	[\fB\-\-quiet\fR]
 .br
 	[\fB\-\-security\fR true|false]
+.br
+	[\fB\-\-selinux\fR Ienforced|permissive|disable]
 .br
 	[\fB\-\-source\fR true|false]
 .br
@@ -438,6 +440,8 @@ sets the location of the mirror that will be used to fetch the debian installer
 reduces the verbosity of messages output by \fBlb build\fR.
 .IP "\fB\-\-security\fR true|false" 4
 defines if the security repositories specified in the security mirror options should be used or not.
+.IP "\fB\-\-selinux\fR \fIenforced|permissive|disable\fR" 4
+enables with enforcing or not Secure Enhanced Linux (SELinux). By default, this is set to disabled.
 .IP "\fB\-\-source\fR true|false" 4
 defines if a corresponding source image to the binary image should be built. By default this is false because most people do not require this and it involves downloading quite a few source packages. However, if you distribute your live image to others, you should make sure you build it with a source image alongside to help enable you to comply with licensing terms.
 .IP "\fB\-s\fR|\fB\-\-source\-images\fR iso|netboot|tar|hdd" 4

scripts/build/binary_rootfs

@@ -263,6 +263,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
 	squashfs)
 		# Checking depends
 		Check_package chroot /usr/share/doc/squashfs-tools squashfs-tools
+		case "${LB_SELINUX}" in
+			enforced|permissive)
+				Check_package host /sbin/setfiles policycoreutils
+				Check_package host /etc/selinux/default/contexts/files/file_contexts selinux-policy-default
+			;;
+
+			disable)
+			;;
+
+		esac
 
 		# Restoring cache
 		Restore_package_cache binary
@@ -323,6 +333,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
 			MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}"
 		fi
 
+		case "${LB_SELINUX}" in
+			enforced|permissive)
+				MKSQUASHFS_OPTIONS="-xattrs ${MKSQUASHFS_OPTIONS}"
+			;;
+
+			disable)
+			;;
+
+		esac
+
 		case "${LB_BUILD_WITH_CHROOT}" in
 			true)
 				if [ -e config/rootfs/excludes ]
@@ -332,6 +352,17 @@ case "${LB_CHROOT_FILESYSTEM}" in
 					MKSQUASHFS_OPTIONS="-wildcards -ef /excludes ${MKSQUASHFS_OPTIONS}"
 				fi
 
+				case "${LB_SELINUX}" in
+					enforced|permissive)
+						# TODO: Since bookworm parallel relabelling with -T 0 is possible and faster
+						setfiles -F -r chroot/chroot /etc/selinux/default/contexts/files/file_contexts chroot/chroot
+					;;
+
+					disable)
+					;;
+
+				esac
+
 				# Create image
 				Chroot chroot "nice -n 17 mksquashfs chroot filesystem.squashfs ${MKSQUASHFS_OPTIONS}"
 
@@ -368,6 +399,17 @@ case "${LB_CHROOT_FILESYSTEM}" in
 					MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}"
 				fi
 
+				case "${LB_SELINUX}" in
+					enforced|permissive)
+						# TODO: Since bookworm parallel relabelling with -T 0 is possible and faster
+						setfiles -F -r chroot /etc/selinux/default/contexts/files/file_contexts chroot
+					;;
+
+					disable)
+					;;
+
+				esac
+
 				nice -n 19 mksquashfs chroot binary/${INITFS}/filesystem.squashfs ${MKSQUASHFS_OPTIONS}
 				;;
 		esac

scripts/build/chroot

@@ -37,6 +37,7 @@ lb chroot_prep install all mode-archives-chroot "${@}"
 lb chroot_linux-image "${@}"
 lb chroot_firmware "${@}"
 lb chroot_preseed "${@}"
+lb chroot_selinux "${@}"
 lb chroot_includes_before_packages "${@}"
 
 for _PASS in install live; do

scripts/build/chroot_selinux

@@ -0,0 +1,52 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2016-2020 The Debian Live team
+## Copyright (C) 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="Schedule SELinux packages for installation"
+USAGE="${PROGRAM} [--force]"
+
+# Processing arguments and configuration files
+Init_config_data "${@}"
+
+# Requiring stage file
+Require_stagefiles config bootstrap
+
+case "${LB_SELINUX}" in
+	enforced|permissive)
+		Echo_message "Begin scheduling SELinux installation..."
+
+		# Checking stage file
+		Check_stagefile
+
+		# Acquire lock file
+		Acquire_lockfile
+
+		SELINUX_CHROOT_PACKAGES="selinux-basics selinux-policy-default auditd"
+
+		# Drop section and keep package names only
+		for _PACKAGE in ${SELINUX_CHROOT_PACKAGES}
+		do
+			echo $(echo ${_PACKAGE} | awk -F/ '{ print $NF }') >> chroot/root/packages.chroot
+		done
+	;;
+
+	disable)
+	;;
+
+esac
+
+# Creating stage file
+Create_stagefile

scripts/build/config

@@ -117,6 +117,7 @@ USAGE="${PROGRAM} [--apt apt|apt-get|aptitude]\n\
 \t    [--proposed-updates true|false]\n\
 \t    [--quiet]\n\
 \t    [--security true|false]\n\
+\t    [--selinux enforced|permissive|disable]\n\
 \t    [--source true|false]\n\
 \t    [-s|--source-images iso|netboot|tar|hdd]\n\
 \t    [--swap-file-path PATH]\n\
@@ -173,7 +174,7 @@ Local_arguments ()
 		parent-mirror-debian-installer:,
 		proposed-updates:,
 		quiet,
-		security:,source:,source-images:,swap-file-path:,swap-file-size:,system:,
+		security:,selinux:,source:,source-images:,swap-file-path:,swap-file-size:,system:,
 		tasksel:,
 		uefi-secure-boot:,updates:,utc-time:,usage,
 		validate,verbose,version,
@@ -787,6 +788,11 @@ Local_arguments ()
 				shift 2
 				;;
 
+			--selinux)
+				LB_SELINUX="${2}"
+				shift 2
+				;;
+
 			--source)
 				LB_SOURCE="${2}"
 				shift 2
@@ -1321,6 +1327,9 @@ LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"
 
 # Enable/disable UEFI secure boot support
 LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}"
+
+# Enforce/disable SELinux
+LB_SELINUX="${LB_SELINUX}"
 EOF
 
 # Creating lb_source_* configuration