base-files: set correct label for /var/volatile

By default /var/volatile will be mounted with tmpfs_t instead of var_t
label, which will cause us to have to add some extra rules to eliminate
avc denials of some services.

Set rootcontext for /var/volatile in fstab to make sure it is mounted
with correct label.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>

recipes-core/base-files/base-files_%.bbappend

@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)}

recipes-core/base-files/base-files_selinux.inc

@@ -0,0 +1,13 @@
+REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}"
+
+do_install:append () {
+    if [ -n "${REFPOLICY_TYPE}" ]; then
+        if [ "${REFPOLICY_TYPE}" = "standard" ]; then
+            sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \
+                ${D}${sysconfdir}/fstab
+        else
+            sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \
+                ${D}${sysconfdir}/fstab
+        fi
+    fi
+}