[yocto] [meta-selinux][PATCH] eudev: remove explicit setenforce call in init

Joe MacDonald joe_macdonald at mentor.com
Thu Oct 27 08:29:48 PDT 2016


When using udev-cache, the eudev init script had been explicitly calling
'setenforce 1'. That's no longer necessary with updates to other parts of
eudev and the presence of the call prevented booting core-image-selinux*
systems in permissive mode.  Remove the call to allow permissive booting.

[YOCTO #7506]

Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
---

The Yocto bug mentioned above asked whether removing this setenforce call (that is,
allowing booting in permissive mode) would cause new warnings / errors /
whatever or would potentially even prevent booting at all.  I tried to cover the
various cases in my testing and I've captured the boot logs here:

   http://pastebin.com/EEahVmzd
   http://pastebin.com/Qxa3BHHE
   http://pastebin.com/4XE9Zhg8

And on review I don't see anything significant in the differences.  That said,
an extra set of eyes (or two) would be appropriate, I think, which is why I
posted the logs.  I zeroed out all the timestamps for the sake of making diffs
less noisy.

Philip: Since you authored the original commit here, I'd like you to weigh in on
the sanity of this change, even though the bug is specifically referencing a
commit I did long ago.

One caveat with this, and you'll see it in the logs: I'm right now observing
that if the system doesn't boot into enforcing mode on the first boot, switching
to enforcing mode requires a reboot, but I think that's a function of the first
boot relabeling and udev-cache squabbling.  Subsequent boots of all three
scenarios didn't have any issues with logins, as far as I could tell, and
requiring a reboot when doing policy-related work on a first boot of an SELinux
system isn't all that unexpected, from my experience.

Thoughts?

-J.

 recipes-core/eudev/eudev/init | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-core/eudev/eudev/init b/recipes-core/eudev/eudev/init
index 9a4b293..ee64f86 100644
--- a/recipes-core/eudev/eudev/init
+++ b/recipes-core/eudev/eudev/init
@@ -89,7 +89,6 @@ case "$1" in
 				    fi
 				    echo "$NEWDATA" > /dev/shm/udev.cache
 			    fi
-			    /usr/sbin/setenforce 1
 		    else
 			    if [ "$ROOTFS_READ_ONLY" != "yes" ]; then
 				    # If rootfs is not read-only, it's possible that a new udev cache would be generated;
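Review bot: With the `/usr/sbin/setenforce 1` line gone, nothing left in this script ever switches the system into enforcing mode, and the commit message only says that "updates to other parts of eudev" now make it unnecessary without naming them; please cite the commit or component that takes over that responsibility so a reviewer can confirm an enforcing configuration still ends up enforcing after the udev cache is restored. Two points in favour of the deletion are worth stating in the message as well: the removed call sat only inside the cache-hit branch (after the `echo "$NEWDATA" > /dev/shm/udev.cache` block), so the `else` path that regenerates the cache never forced enforcing anyway and the two paths are now consistent; and because the call was unconditional it ignored whatever mode /etc/selinux/config requested, which is exactly why a permissive boot was impossible.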
-- 
1.9.1
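The thread above is about letting the configured SELinux mode stand instead of forcing enforcing from the eudev init script, and about first boots that come up permissive when enforcing was configured. The following is an added example, not code from meta-selinux, eudev or the patch author: a small POSIX sh check that compares the mode the kernel is running in with the mode configured in /etc/selinux/config and reports a mismatch in the boot log rather than calling setenforce. The file locations are parameters; the assumed defaults /etc/selinux/config and /sys/fs/selinux/enforce are the usual ones, and the exit codes are this example's own convention.

```shell
#!/bin/sh
# Added example (not part of meta-selinux or eudev): report whether the
# running SELinux mode matches the configured one. It never calls setenforce,
# so a permissive boot stays permissive and the discrepancy is logged instead.
# Paths are parameters so the check can be run against sample files; the
# defaults below are assumptions about a typical layout.

# configured_mode CONFIG_FILE
# Prints the last uncommented SELINUX= value in CONFIG_FILE, or "unknown"
# when the file is missing or carries no recognised value.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" 2>/dev/null | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) printf 'unknown\n' ;;
    esac
}

# running_mode ENFORCE_FILE
# Prints enforcing/permissive from the kernel's enforce flag, "disabled" if
# the file is absent (selinuxfs not mounted), "unknown" for anything else.
running_mode() {
    if [ ! -r "$1" ]; then
        printf 'disabled\n'
        return 0
    fi
    case "$(cat "$1")" in
        1) printf 'enforcing\n' ;;
        0) printf 'permissive\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# mode_rank MODE -> numeric strength so modes can be compared.
mode_rank() {
    case "$1" in
        enforcing)  printf '3\n' ;;
        permissive) printf '2\n' ;;
        *)          printf '1\n' ;;
    esac
}

# selinux_mode_check CONFIG_FILE ENFORCE_FILE
# Exit 0: running mode matches the configuration.
# Exit 1: running mode is weaker than configured (configured enforcing but
#         booted permissive is the first-boot case discussed in the thread).
# Exit 2: running mode is stronger than configured, or either is unknown.
selinux_mode_check() {
    want=$(configured_mode "$1")
    have=$(running_mode "$2")
    if [ "$want" = unknown ] || [ "$have" = unknown ]; then
        printf 'selinux: cannot determine mode (configured=%s running=%s)\n' "$want" "$have"
        return 2
    fi
    if [ "$want" = "$have" ]; then
        printf 'selinux: running %s as configured\n' "$have"
        return 0
    fi
    if [ "$(mode_rank "$have")" -lt "$(mode_rank "$want")" ]; then
        printf 'selinux: WARNING configured %s but running %s\n' "$want" "$have"
        return 1
    fi
    printf 'selinux: running %s although %s is configured\n' "$have" "$want"
    return 2
}

# Run the check against the live system when invoked as: script --check
case "${1:-}" in
    --check) selinux_mode_check "${2:-/etc/selinux/config}" "${3:-/sys/fs/selinux/enforce}" ;;
esac
```

Calling `selinux_mode_check /etc/selinux/config /sys/fs/selinux/enforce` from an init script late enough that selinuxfs is mounted gives a single log line per boot that says whether the box came up in the mode its configuration asked for, which is the information the pastebin log diffs above were being read for by hand.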



