selinux-image.bbclass: refactor bbclass

The selinux_set_labels function should run as late as possible. To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in RecipePreFinalise event handler, this ensures it is the last function in IMAGE_PREPROCESS_COMMAND. After refactoring, system using systemd can also label selinux contexts during build. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
2026-01-01 13:58:04 +00:00 · 2023-09-22 10:22:34 +08:00 · 2023-09-22 10:22:34 +08:00 · 46ec0414b4
commit 46ec0414b4
parent ce049565e1
1 changed files with 23 additions and 9 deletions
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@ -1,15 +1,29 @@
-selinux_set_labels () {
-    POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
-    if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
-    then
-        echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image.
-        touch ${IMAGE_ROOTFS}/.autorelabel
-        exit 0
+selinux_set_labels() {
+    if [ -f ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config ]; then
+        POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
+        if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
+        then
+            bbwarn "Failed to set security contexts. Restoring security contexts will run on first boot."
+            echo "# first boot relabelling" > ${IMAGE_ROOTFS}/.autorelabel
+        fi
    fi
 }

-DEPENDS += "policycoreutils-native"
+# The selinux_set_labels function should run as late as possible. Append
+# it to IMAGE_PREPROCESS_COMMAND in RecipePreFinalise event handler,
+# this ensures it is the last function in IMAGE_PREPROCESS_COMMAND.
+python selinux_setlabels_handler() {
+    if not d or 'selinux' not in d.getVar('DISTRO_FEATURES').split():
+        return

-IMAGE_PREPROCESS_COMMAND:append = " selinux_set_labels ;"
+    if d.getVar('FIRST_BOOT_RELABEL') == '1':
+        return
+
+    d.appendVar('IMAGE_PREPROCESS_COMMAND', ' selinux_set_labels; ')
+    d.appendVarFlag('do_image', 'depends', ' policycoreutils-native:do_populate_sysroot')
+}
+
+addhandler selinux_setlabels_handler
+selinux_setlabels_handler[eventmask] = "bb.event.RecipePreFinalise"

 inherit core-image