[yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

Joe MacDonald joe at deserted.net
Thu Sep 5 04:57:06 PDT 2019


[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:

> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
> when first boot with bootparams="selinux=1 enforcing=1". At first boot,
> all files are unlabeled including /sbin/fixfiles. The relabel operation
> is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
> to ensure the enforcing mode is disabled before relabel.

Did you try this with '/usr/sbin/setenforce 0' instead?  The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively.  If that's not working, please just include a bit
of an explanation for why this is the best option.

Thanks.
-J.

> 
> Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
> ---
>  recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> index 154dad1..cb40971 100644
> --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> @@ -13,6 +13,7 @@ fi
>  # If /.autorelabel placed, the whole file system should be relabeled
>  if [ -f /.autorelabel ]; then
>  	echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
> +	echo "0" > /sys/fs/selinux/enforce
>  	${FIXFILES} -F -f relabel
>  	/bin/rm -f /.autorelabel
>  	echo " * Relabel done, rebooting the system."
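Review bot: the added `echo "0" > /sys/fs/selinux/enforce` line has no failure check, so if /sys/fs/selinux is not mounted or the write is refused, the script goes on to run `${FIXFILES} -F -f relabel` in exactly the state the commit message says is not permitted. Suggest testing the write (e.g. `if ! echo 0 > /sys/fs/selinux/enforce; then echo "SELinux: cannot disable enforcing mode"; exit 1; fi`, or the `setenforce 0` alternative raised in the reply, which reports errors on its own) and stopping before the relabel on failure. A short comment above the line stating the reason (at first boot /sbin/fixfiles itself is unlabeled, so the relabel is denied under enforcing mode) would keep that rationale next to the code; since the script reboots once the relabel is done, the runtime switch to 0 does not outlive this boot, which the comment could also note.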
> -- 
> 2.7.4
> 