[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
> when first boot with bootparams="selinux=1 enforcing=1". At first boot,
> all files are unlabeled including /sbin/fixfiles. The relabel operation
> is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
> to ensure the enforcing mode is disabled before relabel.
Did you try this with '/usr/sbin/setenforce 0' instead? The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively. If that's not working, please just include a bit
of an explanation for why this is the best option.
Thanks.
-J.
>
> Signed-off-by: Yi Zhao <yi.z...@windriver.com>
> ---
> recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git
> a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> index 154dad1..cb40971 100644
> --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> @@ -13,6 +13,7 @@ fi
> # If /.autorelabel placed, the whole file system should be relabeled
> if [ -f /.autorelabel ]; then
> echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
> + echo "0" > /sys/fs/selinux/enforce
> ${FIXFILES} -F -f relabel
> /bin/rm -f /.autorelabel
> echo " * Relabel done, rebooting the system."
> --
> 2.7.4
>
signature.asc
Description: PGP signature
-- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
