[yocto] [meta-selinux][PATCH 2/2] selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND
Yi Zhao
yi.zhao at windriver.com
Thu Jan 24 23:39:41 PST 2019
Fix AVC denied error when booting:
type=AVC msg=audit(1548055920.478:86): avc: denied { execute } for
pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1548055920.478:87): avc: denied { open } for
pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels
process would run before the prelink process to set the security labels for
the files. But the labels for /lib/libc-2.28.so and /lib/ld-2.28.so would
be changed after running the prelink process. Use "_append" to make sure the
selinux_set_labels process runs after the prelink process.
Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
---
classes/selinux-image.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index 5174dc5..7f157d3 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -10,6 +10,6 @@ selinux_set_labels () {
DEPENDS += "policycoreutils-native"
-IMAGE_PREPROCESS_COMMAND += "selinux_set_labels ;"
+IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
inherit core-image
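Review bot: The new IMAGE_PREPROCESS_COMMAND_append line has no comment saying that the ordering is deliberate, so a later cleanup could turn it back into += and bring back the unlabeled_t denials quoted in the commit message. Please add a comment directly above it stating that selinux_set_labels must run after prelink, because prelink rewrites files such as /lib/ld-2.28.so and /lib/libc-2.28.so and they lose their labels. Note also that _append only places this entry after everything added with +=; another class or bbappend that uses _append on IMAGE_PREPROCESS_COMMAND and is parsed later would still run after labeling, so it is worth stating in the comment that labeling is expected to be the last step that touches the rootfs.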
--
2.7.4
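
The denials quoted in the commit message share one signature: the target context type is unlabeled_t. The following Python script is an added example, not part of the patch or of meta-selinux; it scans audit records for that signature so a boot test can report files that lost their labels after labeling ran. The function names are hypothetical, the first two sample records are the ones from the commit message joined onto single lines, and the third record is constructed.

```python
import re

# Records 1-2: from the commit message, re-joined onto one line each.
# Record 3: constructed, with a labeled target, to show it is not reported.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1548055920.478:86): avc: denied { execute } for pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1548055920.478:87): avc: denied { open } for pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1548055921.100:90): avc: denied { read } for pid=400 comm="example" path="/etc/example.conf" dev="vda" ino=9000 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = tuple(m.group("perms").split())
    return fields


def context_type(context):
    """Extract the type from user:role:type[:level]; empty string if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_targets(log_text):
    """Sorted (target, source_domain, perms) for denials on unlabeled_t objects."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or context_type(rec.get("tcontext", "")) != "unlabeled_t":
            continue
        # Some AVC records carry name= or only ino= instead of path=.
        target = rec.get("path") or rec.get("name") or "ino=" + rec.get("ino", "?")
        hits.add((target, context_type(rec.get("scontext", "")), rec["perms"]))
    return sorted(hits)


if __name__ == "__main__":
    for target, domain, perms in unlabeled_targets(SAMPLE_AUDIT_LOG):
        print(f"{target}: unlabeled, denied {','.join(perms)} to {domain}")
```
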