When using udev-cache, the eudev init script had been explicitly calling 'setenforce 1'. That's no longer necessary with updates to other parts of eudev and the presence of the call prevented booting core-image-selinux* systems in permissive mode. Remove the call to allow permissive booting.
[YOCTO #7506]

Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
---
The Yocto bug asked whether removing this setenforce call (that is, allowing booting in permissive mode) would cause new warnings / errors / whatever or would potentially even prevent booting at all. I tried to cover the various cases in my testing and I've captured the boot logs here:

http://pastebin.com/EEahVmzd
http://pastebin.com/Qxa3BHHE
http://pastebin.com/4XE9Zhg8

And on review I don't see anything significant in the differences. That said, an extra set of eyes (or two) would be appropriate, I think, which is why I posted the logs. I zeroed out all the timestamps for the sake of making diffs less noisy.

Philip: Since you authored the original commit here, I'd like you to weigh in on the sanity of this change, even though the bug is specifically referencing a commit I did long ago.

One caveat with this, and you'll see it in the logs: I'm right now observing that if the system doesn't boot into enforcing mode on the first boot, switching to enforcing mode requires a reboot, but I think that's a function of the first boot relabeling and udev-cache squabbling. Subsequent boots of all three scenarios didn't have any issues with logins, as far as I could tell, and requiring a reboot when doing policy-related work on a first boot of an SELinux system isn't all that unexpected, from my experience.

Thoughts?

-J.

 recipes-core/eudev/eudev/init | 1 - 1 file changed, 1 deletion(-) diff --git a/recipes-core/eudev/eudev/init b/recipes-core/eudev/eudev/init index 9a4b293..ee64f86 100644 --- a/recipes-core/eudev/eudev/init +++ b/recipes-core/eudev/eudev/init 
@@ -89,7 +89,6 @@ case "$1" in fi echo "$NEWDATA" > /dev/shm/udev.cache fi - /usr/sbin/setenforce 1 else if [ "$ROOTFS_READ_ONLY" != "yes" ]; then # If rootfs is not read-only, it's possible that a new udev cache would be generated; -- 1.9.1
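
Review bot: The commit message justifies dropping `/usr/sbin/setenforce 1` after the `/dev/shm/udev.cache` write only by "updates to other parts of eudev", without naming them; please cite the commit(s) so a reader can confirm that nothing earlier in this init script still switches the system to permissive and relied on this line to restore enforcing. The removed call was unconditional on this branch, so it would also help to record the first-boot caveat from the cover note (a reboot is needed to reach enforcing mode if the first boot was not enforcing) in the commit message itself, since the text below the `---` is dropped when the patch is applied.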