diff --git a/functions/configuration.sh b/functions/configuration.sh
index 712398e37..5c125f811 100755
--- a/functions/configuration.sh
+++ b/functions/configuration.sh
@@ -414,6 +414,30 @@ Prepare_config ()
 ;;
 esac
 
+ LB_SELINUX="${LB_SELINUX:-disable}"
+
+ case "${LB_SELINUX}" in
+ enforced)
+ SELINUX_ENFORCED_CMDLINE="selinux=1 security=selinux enforcing=1"
+ if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_ENFORCED_CMDLINE}"
+ then
+ LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_ENFORCED_CMDLINE}"
+ fi
+ ;;
+
+ permissive)
+ SELINUX_PERMISSIVE_CMDLINE="selinux=1 security=selinux enforcing=0"
+ if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_PERMISSIVE_CMDLINE}"
+ then
+ LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_PERMISSIVE_CMDLINE}"
+ fi
+ ;;
+
+ disable)
+ ;;
+
+ esac
+
 local _LB_BOOTAPPEND_PRESEED
 if [ -n "${LB_DEBIAN_INSTALLER_PRESEEDFILE}" ]
 then
@@ -781,6 +805,11 @@ Validate_config_permitted_values ()
 exit 1
 fi
 
+ if ! In_list "${LB_SELINUX}" enforced permissive disable; then
+ Echo_error "You have specified an invalid value for LB_SELINUX (--selinux)."
+ exit 1
+ fi
+
 if ! In_list "${LB_SOURCE_IMAGES}" iso netboot tar hdd; then
 Echo_error "You have specified an invalid value for LB_SOURCE_IMAGES (--source-images)."
 exit 1
@@ -843,6 +872,17 @@ Validate_config_dependencies ()
 fi
 fi
 
+ if In_list "${LB_SELINUX}" permissive enforced; then
+ if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]; then
+ Echo_error "You have selected values of LB_SELINUX and LB_CHROOT_FILESYSTEM which are incompatible. SELinux only supports squashfs as the chroot filesystem."
+ exit 1
+ fi
+ fi
+
+ if [ "${LB_SELINUX}" = "enforced" ]; then
+ Echo_warning "A value of 'enforced' for option LB_SELINUX is known not to boot onto an usable Live CD."
+ fi
+
 Validate_http_proxy
 }
 
diff --git a/manpages/en/lb_config.1 b/manpages/en/lb_config.1
index 3a1aa1d49..580bde651 100644
--- a/manpages/en/lb_config.1
+++ b/manpages/en/lb_config.1
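Review bot: The `grep -q` test in the `enforced)` arm (and its twin in `permissive)`) only checks whether the exact string for the selected mode is already present, so a LB_BOOTAPPEND_LIVE that already carries the other mode's `enforcing=` value, from a re-run after changing --selinux or from a user-supplied append, ends up with two contradicting `enforcing=` parameters, and which one takes effect is then decided by kernel parameter parsing order rather than by the configuration. The test also treats the value as a regular expression although it is a literal; `grep -qF -- "${SELINUX_ENFORCED_CMDLINE}"` (and likewise for the permissive variable) is the exact match intended. Since the two arms differ only in the `enforcing=` digit, one branch that picks the digit and refuses to append when LB_BOOTAPPEND_LIVE already contains `selinux=` or `enforcing=` would be shorter and would surface the conflict with an Echo_error instead of silently producing an ambiguous command line. Prepare_config () starts before this hunk.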
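Review bot: The permitted token is `disable`, but the manpage hunk in this commit describes the default as "disabled" and its synopsis line reads `Ienforced|permissive|disable` (a stray `I` where `\fI` was presumably intended), so the documented and the accepted spellings already diverge within the same change. Listing the permitted values in the message makes the rejection self-explanatory: `Echo_error "You have specified an invalid value for LB_SELINUX (--selinux); permitted values are enforced, permissive and disable."`. Validate_config_permitted_values () starts before this hunk.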
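Review bot: The Echo_warning text says "an usable Live CD"; `Echo_warning "A value of 'enforced' for option LB_SELINUX is known to produce a live image that does not boot to a usable system."` states the same in plain English. Because it is only a warning, a build with `enforced` proceeds to produce an image this commit itself says is unusable; if that mode exists for experimentation, the message should say so, otherwise an Echo_error next to the squashfs check fails fast. This function verifies the filesystem combination but not that the build host can actually relabel the tree; that is deferred to the Check_package host calls in binary_rootfs, so a missing host-side policy is only detected at the binary stage. Validate_config_dependencies () starts before this hunk.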
@@ -205,6 +205,8 @@
 [\fB\-\-quiet\fR]
 .br
 [\fB\-\-security\fR true|false]
+.br
+ [\fB\-\-selinux\fR Ienforced|permissive|disable]
 .br
 [\fB\-\-source\fR true|false]
 .br
@@ -438,6 +440,8 @@ sets the location of the mirror that will be used to fetch the debian installer
 reduces the verbosity of messages output by \fBlb build\fR.
 .IP "\fB\-\-security\fR true|false" 4
 defines if the security repositories specified in the security mirror options should be used or not.
+.IP "\fB\-\-selinux\fR \fIenforced|permissive|disable\fR" 4
+enables with enforcing or not Secure Enhanced Linux (SELinux). By default, this is set to disabled.
 .IP "\fB\-\-source\fR true|false" 4
 defines if a corresponding source image to the binary image should be built. By default this is false because most people do not require this and it involves downloading quite a few source packages. However, if you distribute your live image to others, you should make sure you build it with a source image alongside to help enable you to comply with licensing terms.
 .IP "\fB\-s\fR|\fB\-\-source\-images\fR iso|netboot|tar|hdd" 4
diff --git a/scripts/build/binary_rootfs b/scripts/build/binary_rootfs
index 041b33087..3982740f8 100755
--- a/scripts/build/binary_rootfs
+++ b/scripts/build/binary_rootfs
@@ -263,6 +263,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
 squashfs)
 # Checking depends
 Check_package chroot /usr/share/doc/squashfs-tools squashfs-tools
+ case "${LB_SELINUX}" in
+ enforced|permissive)
+ Check_package host /sbin/setfiles policycoreutils
+ Check_package host /etc/selinux/default/contexts/files/file_contexts selinux-policy-default
+ ;;
+
+ disable)
+ ;;
+
+ esac
 
 # Restoring cache
 Restore_package_cache binary
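Review bot: `Check_package host /etc/selinux/default/contexts/files/file_contexts selinux-policy-default` makes the labels baked into the image depend on the policy version installed on the build host, while the policy the image will actually load is the `selinux-policy-default` that chroot_selinux schedules into the chroot; the two setfiles calls added later in this file (the hunks at -332 and -368) read the same host path as their spec file. Where the two policy versions assign different contexts, files end up labelled for a policy the image does not run, which can show up as logged denials in permissive mode and as inaccessible files in enforcing mode. If setfiles can be pointed at the spec file inside the chroot instead (for the non-chroot branch that would be `chroot/etc/selinux/default/contexts/files/file_contexts`), this check would only need to cover the host's setfiles binary; if using the host policy is deliberate, a comment stating that assumption belongs next to this check.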
@@ -323,6 +333,16 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" fi + case "${LB_SELINUX}" in + enforced|permissive) + MKSQUASHFS_OPTIONS="-xattrs ${MKSQUASHFS_OPTIONS}" + ;; + + disable) + ;; + + esac + case "${LB_BUILD_WITH_CHROOT}" in true) if [ -e config/rootfs/excludes ] @@ -332,6 +352,17 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-wildcards -ef /excludes ${MKSQUASHFS_OPTIONS}" fi + case "${LB_SELINUX}" in + enforced|permissive) + # TODO: Since bookworm parallel relabelling with -T 0 is possible and faster + setfiles -F -r chroot/chroot /etc/selinux/default/contexts/files/file_contexts chroot/chroot + ;; + + disable) + ;; + + esac + # Create image Chroot chroot "nice -n 17 mksquashfs chroot filesystem.squashfs ${MKSQUASHFS_OPTIONS}" @@ -368,6 +399,17 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" fi + case "${LB_SELINUX}" in + enforced|permissive) + # TODO: Since bookworm parallel relabelling with -T 0 is possible and faster + setfiles -F -r chroot /etc/selinux/default/contexts/files/file_contexts chroot + ;; + + disable) + ;; + + esac + nice -n 19 mksquashfs chroot binary/${INITFS}/filesystem.squashfs ${MKSQUASHFS_OPTIONS} ;; esac diff --git a/scripts/build/chroot b/scripts/build/chroot index a0aa10be0..f66f0c6d0 100755 --- a/scripts/build/chroot +++ b/scripts/build/chroot @@ -37,6 +37,7 @@ lb chroot_prep install all mode-archives-chroot "${@}" lb chroot_linux-image "${@}" lb chroot_firmware "${@}" lb chroot_preseed "${@}" +lb chroot_selinux "${@}" lb chroot_includes_before_packages "${@}" for _PASS in install live; do diff --git a/scripts/build/chroot_selinux b/scripts/build/chroot_selinux new file mode 100755 index 000000000..c884928d9 --- /dev/null +++ b/scripts/build/chroot_selinux 
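Review bot: The three `case "${LB_SELINUX}" in` blocks added here each carry an empty `disable) ;;` arm and differ only in their `enforced|permissive` body, which is the same test that functions/configuration.sh expresses in this commit as `if In_list "${LB_SELINUX}" permissive enforced; then`; using that form here would keep one idiom for the mode check across the codebase and drop the empty arms. In the -332 hunk the relabelling at `setfiles -F -r chroot/chroot ... chroot/chroot` has no explicit status handling; I cannot see from the hunk whether binary_rootfs runs under set -e, and if it does not, a partial relabel would be followed by mksquashfs packing a tree with mixed labels, so a guard such as `setfiles ... || { Echo_error "SELinux relabelling of chroot/chroot failed"; exit 1; }` (or a comment saying set -e covers it) would make that failure mode explicit. The `# TODO` about `-T 0` is repeated verbatim in the -368 hunk; one note at the first call, naming the second, avoids the two drifting apart. The enclosing `case "${LB_CHROOT_FILESYSTEM}" in` starts before these hunks.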
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2016-2020 The Debian Live team
+## Copyright (C) 2006-2015 Daniel Baumann
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="Schedule SELinux packages for installation"
+USAGE="${PROGRAM} [--force]"
+
+# Processing arguments and configuration files
+Init_config_data "${@}"
+
+# Requiring stage file
+Require_stagefiles config bootstrap
+
+case "${LB_SELINUX}" in
+ enforced|permissive)
+ Echo_message "Begin scheduling SELinux installation..."
+
+ # Checking stage file
+ Check_stagefile
+
+ # Acquire lock file
+ Acquire_lockfile
+
+ SELINUX_CHROOT_PACKAGES="selinux-basics selinux-policy-default auditd"
+
+ # Drop section and keep package names only
+ for _PACKAGE in ${SELINUX_CHROOT_PACKAGES}
+ do
+ echo $(echo ${_PACKAGE} | awk -F/ '{ print $NF }') >> chroot/root/packages.chroot
+ done
+ ;;
+
+ disable)
+ ;;
+
+esac
+
+# Creating stage file
+Create_stagefile
diff --git a/scripts/build/config b/scripts/build/config
index be2627305..65577de67 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -117,6 +117,7 @@ USAGE="${PROGRAM} [--apt apt|apt-get|aptitude]\n\
 \t [--proposed-updates true|false]\n\
 \t [--quiet]\n\
 \t [--security true|false]\n\
+\t [--selinux enforced|permissive|disable]\n\
 \t [--source true|false]\n\
 \t [-s|--source-images iso|netboot|tar|hdd]\n\
 \t [--swap-file-path PATH]\n\
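Review bot: The loop at `for _PACKAGE in ${SELINUX_CHROOT_PACKAGES}` pipes each name through `echo | awk -F/` to "drop section", but the list hard-coded two lines above contains no `section/` prefixes, so the awk is a no-op that spawns two processes per package, and the unquoted `echo $(...)` word-splits its own output. `printf '%s\n' "${_PACKAGE##*/}" >> chroot/root/packages.chroot` does the same with a parameter expansion and no subprocess, and keeps working if a `section/name` entry is ever added. Check_stagefile and Acquire_lockfile run only inside the `enforced|permissive` arm while Create_stagefile runs unconditionally; if that mirrors the sibling chroot_* scripts it is fine, but a comment above `esac` noting that the stage file is created even when SELinux is disabled would help the next reader.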
@@ -173,7 +174,7 @@ Local_arguments ()
 parent-mirror-debian-installer:,
 proposed-updates:,
 quiet,
- security:,source:,source-images:,swap-file-path:,swap-file-size:,system:,
+ security:,selinux:,source:,source-images:,swap-file-path:,swap-file-size:,system:,
 tasksel:,
 uefi-secure-boot:,updates:,utc-time:,usage,
 validate,verbose,version,
@@ -787,6 +788,11 @@ Local_arguments ()
 shift 2
 ;;
 
+ --selinux)
+ LB_SELINUX="${2}"
+ shift 2
+ ;;
+
 --source)
 LB_SOURCE="${2}"
 shift 2
@@ -1321,6 +1327,9 @@ LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"
 
 # Enable/disable UEFI secure boot support
 LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}"
+
+# Enforce/disable SELinux
+LB_SELINUX="${LB_SELINUX}"
 EOF
 
 # Creating lb_source_* configuration
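Review bot: The comment written into the generated config at `# Enforce/disable SELinux` omits the third mode; `# SELinux mode: enforced, permissive or disable` matches the values the `--selinux` option accepts in the -787 hunk and the usage text. The `--selinux)` arm stores `${2}` without checking it, which is consistent with the neighbouring options since the value is validated later by In_list in functions/configuration.sh; a one-line comment saying so is only needed if that is not already the convention readers expect here. Local_arguments () starts before and ends after the first two hunks.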