[yocto] [meta-selinux][PATCH V2] selinux-autorelabel: disable enforcing mode before relabel

Yi Zhao yi.zhao at windriver.com
Sun Sep 8 19:03:49 PDT 2019


The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first booting with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled, including /sbin/setfiles. The relabel operations
are not permitted in enforcing mode, so we need to disable enforcing
mode before relabeling.

Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
---
 .../selinux/selinux-autorelabel/selinux-autorelabel.sh           | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
 /usr/sbin/selinuxenabled 2>/dev/null || exit 0
 
 FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
 
-if ! test -x ${FIXFILES}; then
-	echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+	test -x $i && continue
+	echo "$i is missing in the system."
 	echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
 	exit 1
-fi
+done
 
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 	echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+	${SETENFORCE} 0
 	${FIXFILES} -F -f relabel
 	/bin/rm -f /.autorelabel
 	echo " * Relabel done, rebooting the system."
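Review bot: the exit status of the new `${SETENFORCE} 0` line is not checked, so if the switch to permissive fails the script carries on into `${FIXFILES} -F -f relabel` in enforcing mode (the very situation this patch is meant to avoid), then unconditionally runs `/bin/rm -f /.autorelabel` and prints "Relabel done", so the next boot will not retry. Suggest guarding it, e.g. `${SETENFORCE} 0 || { echo "SELinux: unable to switch to permissive mode, relabel aborted."; exit 1; }`, and likewise testing the status of the `${FIXFILES}` call before removing /.autorelabel. Two smaller points: nothing in the hunk switches enforcing mode back on, so returning to enforcing=1 relies entirely on the reboot announced by the "rebooting the system" message; if that reboot does not happen the box is left permissive, so either add `${SETENFORCE} 1` after the relabel or document the reliance on the reboot in a comment. And in the new loop, `test -x $i` should quote the variable as `"$i"`.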
-- 
2.7.4
