[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue > when first boot with bootparams="selinux=1 enforcing=1". At first boot, > all files are unlabeled including /sbin/fixfiles. The relabel operation > is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0 > to ensure the enforcing mode is disabled before relabel. Did you try this with '/usr/sbin/setenforce 0' instead? The rationale makes sense but going straight at sysfs like that isn't the right approach intuitively. If that's not working, please just include a bit of an explanation for why this is the best option. Thanks. -J. > > Signed-off-by: Yi Zhao <yi.z...@windriver.com> > --- > recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 + > 1 file changed, 1 insertion(+) > > diff --git > a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh > b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh > index 154dad1..cb40971 100644 > --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh > +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh > @@ -13,6 +13,7 @@ fi > # If /.autorelabel placed, the whole file system should be relabeled > if [ -f /.autorelabel ]; then > echo "SELinux: /.autorelabel placed, filesystem will be relabeled..." > + echo "0" > /sys/fs/selinux/enforce > ${FIXFILES} -F -f relabel > /bin/rm -f /.autorelabel > echo " * Relabel done, rebooting the system." > -- > 2.7.4 >
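Review bot: The added `echo "0" > /sys/fs/selinux/enforce` line, placed just before `${FIXFILES} -F -f relabel`, carries no comment and its result is never checked. If the write fails (for example because selinuxfs is not mounted at that path), the script still runs the relabel under enforcing mode, which is the failure the commit message describes. Consider adding a short comment saying that at first boot everything is unlabeled, including /sbin/fixfiles, so enforcing has to be off for the relabel to work. Consider also logging a message before the switch to permissive and printing a warning when the write does not succeed. As the reply asks, the commit message should also say why the sysfs write is used rather than `setenforce 0`. Since the following lines remove /.autorelabel and announce a reboot, there seems to be no need to restore enforcing afterwards, but a comment stating that would make the intent clear.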
-- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto