[yocto] [meta-selinux][PATCH V2] selinux-autorelabel: disable enforcing mode before relabel
Yi Zhao
yi.zhao at windriver.com
Sun Sep 8 19:03:49 PDT 2019
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/setfiles. The relabel operations
are not permitted under enforcing mode. So we need to disable enforcing
mode before relabel.
Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
---
.../selinux/selinux-autorelabel/selinux-autorelabel.sh | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
/usr/sbin/selinuxenabled 2>/dev/null || exit 0
FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
-if ! test -x ${FIXFILES}; then
- echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
exit 1
-fi
+done
# If /.autorelabel placed, the whole file system should be relabeled
if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${SETENFORCE} 0
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
--
2.7.4
More information about the yocto
mailing list