move everything configurable to /cfg and try selinux
This commit is contained in:
Harald Hoyer
parent
a95907fd97
commit
8dfaa0d4be
|
|
@ -158,7 +158,7 @@ fi
|
|||
mkdir -p boot
|
||||
mount ${OUT}1 boot
|
||||
mkdir -p boot/EFI/FedoraBook
|
||||
cp /efi/EFI/FedoraBook/bootx64.efi boot/EFI/FedoraBook/1.efi
|
||||
cp /efi/EFI/FedoraBook/1.efi boot/EFI/FedoraBook/1.efi
|
||||
[[ -e /efi/Lockdown.efi ]] && cp /efi/Lockdown.efi boot
|
||||
[[ -e /efi/Shell.efi ]] && cp /efi/Lockdown.efi boot/EFI/Boot/bootx64.efi
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,5 @@ systemd-bootchart
|
|||
grubby
|
||||
grub*
|
||||
plymouth
|
||||
selinux-policy-targeted
|
||||
libselinux-utils
|
||||
httpd
|
||||
gnome-boxes
|
||||
|
|
|
|||
|
|
@ -169,12 +169,13 @@ mkdir -p "$MY_TMPDIR"/boot/EFI/Boot
|
|||
mkdir -p "$MY_TMPDIR"/boot/EFI/FedoraBook
|
||||
|
||||
if [[ $USE_EFISHELL ]]; then
|
||||
[[ -e "${SOURCE}"/startup.nsh ]] && cp "${SOURCE}"/startup.nsh "$MY_TMPDIR"/boot/
|
||||
[[ -e "${SOURCE}"/LockDown.efi ]] && cp "${SOURCE}"/LockDown.efi "$MY_TMPDIR"/boot/
|
||||
cp "${SOURCE}"/Shell.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
|
||||
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/bootx64.efi
|
||||
[[ -e "${SOURCE}"/efi/startup.nsh ]] && cp "${SOURCE}"/efi/startup.nsh "$MY_TMPDIR"/boot/
|
||||
[[ -e "${SOURCE}"/efi/LockDown.efi ]] && cp "${SOURCE}"/efi/LockDown.efi "$MY_TMPDIR"/boot/
|
||||
cp "${SOURCE}"/efi/Shell.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
|
||||
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi
|
||||
else
|
||||
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
|
||||
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi
|
||||
fi
|
||||
|
||||
umount "$MY_TMPDIR"/boot
|
||||
|
|
|
|||
23
mkrelease.sh
23
mkrelease.sh
|
|
@ -66,21 +66,24 @@ JSON="$(realpath -e $1)"
|
|||
BASEDIR="${JSON%/*}"
|
||||
IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"
|
||||
|
||||
(
|
||||
cd "$IMAGE"
|
||||
if ! [[ $NOSIGN ]]; then
|
||||
pushd "$IMAGE"
|
||||
if ! [[ $NOSIGN ]]; then
|
||||
if ! [[ $DBKEY ]] || ! [[ $DBCRT ]]; then
|
||||
echo "Need --dbkey KEY --dbcrt CRT options"
|
||||
exit 1
|
||||
fi
|
||||
if ! sbverify --cert "$DBCRT" bootx64.efi &>/dev/null ; then
|
||||
sbsign --key "$DBKEY" --cert "$DBCRT" --output bootx64-signed.efi bootx64.efi
|
||||
mv bootx64-signed.efi bootx64.efi
|
||||
for i in $(find . -type f -name '*.efi'); do
|
||||
[[ -f "$i" ]] || continue
|
||||
if ! sbverify --cert "$DBCRT" "$i" &>/dev/null ; then
|
||||
sbsign --key "$DBKEY" --cert "$DBCRT" --output "${i}signed" "$i"
|
||||
mv "${i}signed" "$i"
|
||||
fi
|
||||
fi
|
||||
[[ -f sha512sum.txt ]] || sha512sum * > sha512sum.txt
|
||||
[[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
|
||||
)
|
||||
done
|
||||
fi
|
||||
[[ -f sha512sum.txt ]] || sha512sum $(find . -type f) > sha512sum.txt
|
||||
[[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
|
||||
|
||||
popd
|
||||
|
||||
if ! [[ $NOTAR ]] && ! [[ -e "$IMAGE".tgz ]]; then
|
||||
tar cf - -C "${IMAGE%/*}" "${IMAGE##*/}" | pigz -c > "$IMAGE".tgz
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ gobject-introspection-devel
|
|||
gperf
|
||||
help2man
|
||||
iptables-devel
|
||||
iputils
|
||||
ipw2100-firmware
|
||||
ipw2200-firmware
|
||||
iscan-firmware
|
||||
|
|
@ -84,6 +85,8 @@ libseccomp-devel
|
|||
libselinux-devel
|
||||
libvirt-daemon-config-network
|
||||
libvirt-daemon-kvm
|
||||
libvirt-client
|
||||
libvirt-bash-completion
|
||||
libxkbcommon-devel
|
||||
libxslt
|
||||
linux-firmware
|
||||
|
|
|
|||
29
pre-pivot.sh
29
pre-pivot.sh
|
|
@ -107,17 +107,24 @@ if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
|
|||
mkfs.xfs -f -L data "$datadev"
|
||||
fi
|
||||
|
||||
mount -o discard $datadev /sysroot/data || die "Failed to mount $datadev"
|
||||
mount -o discard $datadev /sysroot/mnt || die "Failed to mount $datadev"
|
||||
|
||||
[[ -d /sysroot/data/var ]] || mkdir /sysroot/data/var
|
||||
[[ -d /sysroot/data/home ]] || mkdir /sysroot/data/home
|
||||
|
||||
mount -o bind /sysroot/data/var /sysroot/var
|
||||
mount -o bind /sysroot/data/home /sysroot/home
|
||||
|
||||
for i in passwd shadow group gshadow subuid subgid; do
|
||||
[[ -f /sysroot/var/$i ]] && continue
|
||||
cp -a /sysroot/usr/share/factory/var/$i /sysroot/var/$i
|
||||
for i in var home cfg; do
|
||||
if ! [[ -d /sysroot/mnt/$i ]]; then
|
||||
mkdir /sysroot/mnt/$i
|
||||
FIRST_TIME=1
|
||||
fi
|
||||
done
|
||||
|
||||
chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo
|
||||
mount -o bind /sysroot/mnt/var /sysroot/var
|
||||
mount -o bind /sysroot/mnt/home /sysroot/home
|
||||
mount -o bind /sysroot/mnt/cfg /sysroot/cfg
|
||||
umount -l /sysroot/mnt
|
||||
|
||||
#for i in passwd shadow group gshadow subuid subgid; do
|
||||
# [[ -f /sysroot/cfg/$i ]] && continue
|
||||
# cp -a /sysroot/usr/share/factory/cfg/$i /sysroot/cfg/$i
|
||||
#done
|
||||
if [[ $FIRST_TIME ]]; then
|
||||
chroot /sysroot bash -c '/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1; restorecon -R -v /cfg /var 2>&1'| vinfo
|
||||
fi
|
||||
|
|
|
|||
128
prepare-root.sh
128
prepare-root.sh
|
|
@ -220,6 +220,11 @@ dnf -v --nogpgcheck \
|
|||
jq \
|
||||
gnupg2 \
|
||||
veritysetup \
|
||||
policycoreutils \
|
||||
selinux-policy-targeted \
|
||||
selinux-policy-devel \
|
||||
libselinux-utils \
|
||||
audit \
|
||||
$PKGLIST
|
||||
|
||||
for i in passwd shadow group gshadow subuid subgid; do
|
||||
|
|
@ -241,6 +246,8 @@ for i in passwd shadow group gshadow subuid subgid; do
|
|||
chmod u+r "${BASEDIR}/${NAME}/$i"
|
||||
done
|
||||
|
||||
# chroot "$sysroot" bash -i
|
||||
|
||||
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
|
||||
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
|
||||
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
|
||||
|
|
@ -267,7 +274,8 @@ chroot "$sysroot" \
|
|||
dracut -N --kver $KVER --force \
|
||||
--filesystems "squashfs vfat xfs" \
|
||||
--add-drivers "=drivers/char/tpm" \
|
||||
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity" \
|
||||
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
|
||||
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity selinux" \
|
||||
--install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
|
||||
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
|
||||
--install "cryptsetup tail sort pwmake mktemp swapon" \
|
||||
|
|
@ -289,7 +297,7 @@ rm -fr "$sysroot"/overlay
|
|||
|
||||
umount "$sysroot"/var/cache/dnf
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/{var/etc,home}
|
||||
mkdir -p "$sysroot"/usr/share/factory/{var,cfg}
|
||||
|
||||
chroot "$sysroot" update-ca-trust
|
||||
|
||||
|
|
@ -319,21 +327,21 @@ ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/sy
|
|||
#---------------
|
||||
# ssh
|
||||
if [[ -d "$sysroot"/etc/ssh ]]; then
|
||||
mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/var/etc/ssh
|
||||
ln -sfnr "$sysroot"/var/etc/ssh "$sysroot"/etc/ssh
|
||||
mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/cfg/ssh
|
||||
ln -sfnr "$sysroot"/cfg/ssh "$sysroot"/etc/ssh
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/ssh.conf <<EOF
|
||||
C /var/etc/ssh - - - - -
|
||||
C /cfg/ssh - - - - -
|
||||
EOF
|
||||
fi
|
||||
|
||||
#---------------
|
||||
# NetworkManager
|
||||
if [[ -d "$sysroot"/etc/NetworkManager ]]; then
|
||||
mv "$sysroot"/etc/NetworkManager "$sysroot"/usr/share/factory/var/etc/
|
||||
ln -fsnr "$sysroot"/var/etc/NetworkManager "$sysroot"/etc/NetworkManager
|
||||
mv "$sysroot"/etc/NetworkManager "$sysroot"/usr/share/factory/cfg/
|
||||
ln -fsnr "$sysroot"/cfg/NetworkManager "$sysroot"/etc/NetworkManager
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/NetworkManager.conf <<EOF
|
||||
d /var/lib/NetworkManager 0755 root root - -
|
||||
C /var/etc/NetworkManager - - - - -
|
||||
C /cfg/NetworkManager - - - - -
|
||||
d /run/NetworkManager 0755 root root - -
|
||||
EOF
|
||||
rm -fr "$sysroot"/etc/sysconfig/network-scripts
|
||||
|
|
@ -343,10 +351,10 @@ fi
|
|||
#---------------
|
||||
# libvirt
|
||||
if [[ -d "$sysroot"/etc/libvirt ]]; then
|
||||
mv "$sysroot"/etc/libvirt "$sysroot"/usr/share/factory/var/etc/
|
||||
ln -fsnr "$sysroot"/var/etc/libvirt "$sysroot"/etc/libvirt
|
||||
mv "$sysroot"/etc/libvirt "$sysroot"/usr/share/factory/cfg/
|
||||
ln -fsnr "$sysroot"/cfg/libvirt "$sysroot"/etc/libvirt
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/libvirt.conf <<EOF
|
||||
C /var/etc/libvirt - - - - -
|
||||
C /cfg/libvirt - - - - -
|
||||
EOF
|
||||
fi
|
||||
|
||||
|
|
@ -355,62 +363,63 @@ fi
|
|||
ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf
|
||||
echo 'f /run/NetworkManager/resolv.conf 0755 root root - ' >> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf
|
||||
|
||||
#---------------
|
||||
# hostname
|
||||
ln -sfrn "$sysroot"/var/hostname "$sysroot"/etc/hostname
|
||||
echo "FedoraBook" > "$sysroot"/usr/share/factory/var/hostname
|
||||
|
||||
#---------------
|
||||
# vconsole.conf
|
||||
ln -fsnr "$sysroot"/var/vconsole.conf "$sysroot"/etc/vconsole.conf
|
||||
echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/vconsole.conf
|
||||
ln -fsnr "$sysroot"/cfg/vconsole.conf "$sysroot"/etc/vconsole.conf
|
||||
echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/cfg/vconsole.conf
|
||||
|
||||
#---------------
|
||||
# locale.conf
|
||||
ln -fsnr "$sysroot"/var/locale.conf "$sysroot"/etc/locale.conf
|
||||
echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf
|
||||
ln -fsnr "$sysroot"/cfg/locale.conf "$sysroot"/etc/locale.conf
|
||||
echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/cfg/locale.conf
|
||||
|
||||
#---------------
|
||||
# localtime
|
||||
mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime
|
||||
ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime
|
||||
mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/cfg/localtime
|
||||
ln -fsnr "$sysroot"/cfg/localtime "$sysroot"/etc/localtime
|
||||
|
||||
#---------------
|
||||
# machine-id
|
||||
rm -f "$sysroot"/etc/machine-id
|
||||
ln -fsnr "$sysroot"/var/machine-id "$sysroot"/etc/machine-id
|
||||
ln -fsnr "$sysroot"/cfg/machine-id "$sysroot"/etc/machine-id
|
||||
|
||||
#---------------
|
||||
# adjtime
|
||||
mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime
|
||||
ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime
|
||||
mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/cfg/adjtime
|
||||
ln -fsnr "$sysroot"/cfg/adjtime "$sysroot"/etc/adjtime
|
||||
|
||||
sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed
|
||||
sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' \
|
||||
sed -i -e 's#/etc/locale.conf#/cfg/locale.conf#g;s#/etc/vconsole.conf#/cfg/vconsole.conf#g;s#/etc/X11/xorg.conf.d#/cfg/X11/xorg.conf.d#g' \
|
||||
"$sysroot"/usr/lib/systemd/systemd-localed
|
||||
|
||||
sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g' \
|
||||
"$sysroot"/usr/lib/systemd/systemd-timedated \
|
||||
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so \
|
||||
"$sysroot"/lib*/libc.so.*
|
||||
|
||||
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-localed.service
|
||||
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-timedated.service
|
||||
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
|
||||
"$sysroot"/lib/systemd/system/systemd-localed.service \
|
||||
"$sysroot"/lib/systemd/system/systemd-timedated.service \
|
||||
"$sysroot"/lib/systemd/system/systemd-hostnamed.service
|
||||
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
|
||||
C /var/hostname - - - - -
|
||||
C /var/vconsole.conf - - - - -
|
||||
C /var/locale.conf - - - - -
|
||||
C /var/localtime - - - - -
|
||||
C /var/adjtime - - - - -
|
||||
C /cfg/hostname - - - - -
|
||||
C /cfg/vconsole.conf - - - - -
|
||||
C /cfg/locale.conf - - - - -
|
||||
C /cfg/localtime - - - - -
|
||||
C /cfg/adjtime - - - - -
|
||||
Z /cfg 0755 root root - -
|
||||
Z /var 0755 root root - -
|
||||
EOF
|
||||
|
||||
|
||||
#---------------
|
||||
# X11
|
||||
if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then
|
||||
mkdir -p "$sysroot"/usr/share/factory/var/etc
|
||||
mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/var/etc/X11
|
||||
ln -fsnr "$sysroot"/var/etc/X11 "$sysroot"/etc/X11
|
||||
mkdir -p "$sysroot"/usr/share/factory/cfg
|
||||
mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/cfg/X11
|
||||
ln -fsnr "$sysroot"/cfg/X11 "$sysroot"/etc/X11
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF
|
||||
C /var/etc/X11 - - - - -
|
||||
C /cfg/X11 - - - - -
|
||||
EOF
|
||||
fi
|
||||
|
||||
|
|
@ -442,16 +451,24 @@ cat > "$sysroot"/etc/sysctl.d/inotify.conf <<EOF
|
|||
fs.inotify.max_user_watches = $((8192*10))
|
||||
EOF
|
||||
|
||||
cat >"$sysroot"/etc/fstab <<EOF
|
||||
LABEL=data /data xfs defaults,discard 0 0
|
||||
/data/var /var - bind 0 0
|
||||
/data/home /home - bind 0 0
|
||||
EOF
|
||||
#---------------
|
||||
# gnome-initial-setup
|
||||
> "$sysroot"/usr/share/gnome-initial-setup/vendor.conf
|
||||
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# selinux
|
||||
sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
|
||||
chroot "$sysroot" semanage fcontext -a -e /etc /cfg
|
||||
chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/etc
|
||||
chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var
|
||||
chroot "$sysroot" fixfiles -v -F -f relabel || :
|
||||
chroot "$sysroot" restorecon -v -R /usr/share/factory/ || :
|
||||
rm -fr "$sysroot"/var/lib/selinux
|
||||
|
||||
#---------------
|
||||
# var
|
||||
rm -fr "$sysroot"/var/lib/rpm
|
||||
rm -fr "$sysroot"/var/lib/selinux
|
||||
rm -fr "$sysroot"/var/log/dnf*
|
||||
rm -fr "$sysroot"/var/cache/*/*
|
||||
rm -fr "$sysroot"/var/tmp/*
|
||||
|
|
@ -461,7 +478,9 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i
|
|||
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
|
||||
rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
|
||||
|
||||
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
|
||||
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :'
|
||||
echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
|
||||
|
||||
mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
|
||||
|
||||
sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
|
||||
|
|
@ -470,6 +489,11 @@ sed -i -e "s#NAME=.*#NAME=$NAME#" "$sysroot"/etc/os-release
|
|||
mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/
|
||||
cp "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
|
||||
|
||||
if [[ -d "$sysroot"/boot/efi/EFI/fedora ]]; then
|
||||
mkdir -p "$MY_TMPDIR"/efi/EFI
|
||||
mv "$sysroot"/boot/efi/EFI/fedora "$MY_TMPDIR"/efi/EFI
|
||||
fi
|
||||
|
||||
rm -fr "$sysroot"/{boot,root}
|
||||
ln -sfnr "$sysroot"/var/root "$sysroot"/root
|
||||
mkdir "$sysroot"/efi
|
||||
|
|
@ -477,13 +501,12 @@ rm -fr "$sysroot"/var/*
|
|||
rm -fr "$sysroot"/home/*
|
||||
rm -f "$sysroot"/etc/yum.repos.d/*
|
||||
mkdir -p "$sysroot"/home
|
||||
rm -fr "$sysroot"/etc/selinux
|
||||
mkdir "$sysroot"/data
|
||||
mkdir -p "$sysroot"/cfg
|
||||
|
||||
for i in "$sysroot"/{dev,sys,proc,run}; do
|
||||
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
|
||||
done
|
||||
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# sysroot
|
||||
mksquashfs "$MY_TMPDIR"/sysroot "$MY_TMPDIR"/root.squashfs.img \
|
||||
|
|
@ -504,7 +527,10 @@ IMAGE_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.img)
|
|||
|
||||
# ------------------------------------------------------------------------------
|
||||
# make bootx64.efi
|
||||
echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt audit=0 selinux=0 verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
|
||||
echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt "\
|
||||
"verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID " \
|
||||
"verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
|
||||
|
||||
echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
|
||||
objcopy \
|
||||
--add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
|
||||
|
|
@ -525,9 +551,11 @@ mv "$MY_TMPDIR"/root-hash.txt \
|
|||
"$MY_TMPDIR"/initrd \
|
||||
"$OUTDIR"
|
||||
|
||||
[[ -d "$MY_TMPDIR"/efi ]] && mv "$MY_TMPDIR"/efi "$OUTDIR"/efi
|
||||
|
||||
for i in LockDown.efi Shell.efi startup.nsh; do
|
||||
[[ -e "${BASEDIR}"/$i ]] || continue
|
||||
cp "$i" "$OUTDIR"
|
||||
cp "$i" "$OUTDIR"/efi
|
||||
done
|
||||
|
||||
chown -R "$USER" "$OUTDIR"
|
||||
|
|
|
|||
|
|
@ -1,65 +1,73 @@
|
|||
chroot "$sysroot" bash -c 'useradd -M -G wheel admin'
|
||||
#!/usr/bin/bash -ex
|
||||
|
||||
sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
|
||||
"$sysroot"/etc/nsswitch.conf
|
||||
mkdir -p "$sysroot"/usr/db
|
||||
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
|
||||
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib*/libnss_db-2*.so "$sysroot"/var/db/Makefile
|
||||
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.adm
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.adm
|
||||
|
||||
sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd
|
||||
|
||||
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
|
||||
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
||||
|
||||
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
|
||||
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
|
||||
chmod 0000 "$sysroot"/etc/gshadow
|
||||
mv "$sysroot"/etc/group.adm "$sysroot"/etc/group
|
||||
mv "$sysroot"/etc/gshadow.adm "$sysroot"/etc/gshadow
|
||||
chmod 0000 "$sysroot"/etc/gshadow "$sysroot"/etc/shadow
|
||||
|
||||
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
|
||||
chroot "$sysroot" bash -c 'passwd -e admin'
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/var
|
||||
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var/
|
||||
mkdir -p "$sysroot"/usr/share/factory/cfg
|
||||
mv "$sysroot"/etc/passwd \
|
||||
"$sysroot"/etc/sub{u,g}id \
|
||||
"$sysroot"/etc/shadow \
|
||||
"$sysroot"/etc/group \
|
||||
"$sysroot"/etc/gshadow \
|
||||
"$sysroot"/usr/share/factory/cfg/
|
||||
|
||||
rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
|
||||
|
||||
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
|
||||
|
||||
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
|
||||
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
|
||||
ln -sfnr "$sysroot"/cfg/"$i" "$sysroot"/etc/"$i"
|
||||
done
|
||||
|
||||
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
|
||||
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
|
||||
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/npasswd#/cfg/npasswd#g' \
|
||||
"$sysroot"/usr/lib*/security/pam_unix.so
|
||||
|
||||
sed -i -e 's#/etc/shadow#/cfg/shadow#g;s#/etc/nshadow#/cfg/nshadow#g' \
|
||||
"$sysroot"/usr/lib*/security/pam_unix.so
|
||||
|
||||
sed -i -e 's#/etc/.pwdXXXXXX#/cfg/.pwdXXXXXX#g' \
|
||||
"$sysroot"/usr/lib*/security/pam_unix.so
|
||||
|
||||
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/shadow#/cfg/shadow#g;s#/etc/gshadow#/cfg/gshadow#g;s#/etc/group#/cfg/group#g;s#/etc/subuid#/cfg/subuid#g;s#/etc/subgid#/cfg/subgid#g' \
|
||||
"$sysroot"/usr/sbin/user{add,mod,del} \
|
||||
"$sysroot"/usr/sbin/group{add,mod,del} \
|
||||
"$sysroot"/usr/bin/newgidmap \
|
||||
"$sysroot"/usr/bin/newuidmap \
|
||||
"$sysroot"/usr/sbin/newusers
|
||||
|
||||
sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
|
||||
"$sysroot"/lib*/libc.so.* \
|
||||
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
|
||||
|
||||
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
|
||||
&& sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
|
||||
&& sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
|
||||
"$sysroot"/usr/lib*/librpmostree-1.so.1
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/home
|
||||
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
|
||||
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/var/root
|
||||
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/var/root
|
||||
chown -R +0.+0 "$sysroot"/usr/share/factory/var/root
|
||||
chown +0.+0 "$sysroot"/usr/share/factory/var/root
|
||||
|
||||
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
|
||||
C /home/admin - - - - -
|
||||
C /var/root - - - - -
|
||||
C /var/passwd - - - - -
|
||||
C /var/shadow - - - - -
|
||||
C /var/group - - - - -
|
||||
C /var/gshadow - - - - -
|
||||
C /var/subuid - - - - -
|
||||
C /var/subgid - - - - -
|
||||
C /cfg/passwd - - - - -
|
||||
C /cfg/shadow - - - - -
|
||||
C /cfg/group - - - - -
|
||||
C /cfg/gshadow - - - - -
|
||||
C /cfg/subuid - - - - -
|
||||
C /cfg/subgid - - - - -
|
||||
EOF
|
||||
|
||||
|
|
|
|||
10
update.sh
10
update.sh
|
|
@ -184,9 +184,9 @@ if ! [[ $NO_CHECK ]]; then
|
|||
while read _ file || [[ $file ]]; do
|
||||
FILES["$file"]="1"
|
||||
done < sha512sum.txt
|
||||
for i in $(ls -1); do
|
||||
[[ $i == sha512sum.txt ]] && continue
|
||||
[[ $i == sha512sum.txt.sig ]] && continue
|
||||
for i in $(find . -type f); do
|
||||
[[ $i == ./sha512sum.txt ]] && continue
|
||||
[[ $i == ./sha512sum.txt.sig ]] && continue
|
||||
if ! [[ ${FILES["$i"]} ]]; then
|
||||
echo "File $i not signed"
|
||||
exit 1
|
||||
|
|
@ -210,6 +210,10 @@ sfdisk --part-uuid ${ROOT_DEV} ${NEW_ROOT_PARTNO} ${ROOT_UUID}
|
|||
mkdir -p /efi/EFI/${NAME}
|
||||
cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
|
||||
|
||||
if [[ -d efi ]]; then
|
||||
cp -vr efi/* /efi/
|
||||
fi
|
||||
|
||||
mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi || :
|
||||
rm -f /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue