When the read-only-rootfs feature (in IMAGE_FEATURES) is enabled, the
populate-volatile.sh script runs at build time. This compensates for the
fact that certain essential directories and files cannot be created at
runtime, since the root filesystem is read-only. This is handled in
oe-core's rootfs-postcommands.bbclass, in read_only_rootfs_hook.
However, initscripts-1.0_selinux.inc appends some shell code to
populate-volatile.sh considering it will be run in the target, not on
the host machine. So, if one uses both read-only-rootfs and selinux (in
DISTRO_FEATURES), the recursive call to restorecon is run in the host
machine, since populate-volatile.sh is called in build time. This leads
to errors such as:
| NOTE: Executing read_only_rootfs_hook ...
| DEBUG: Executing shell function read_only_rootfs_hook
| /sbin/restorecon: Could not read /var/lib/AccountsService/users: Permission denied.
| /sbin/restorecon: Could not read /var/lib/NetworkManager: Permission denied.
| /sbin/restorecon: Could not read /var/lib/bluetooth: Permission denied.
| /sbin/restorecon: Could not read /var/lib/chrony: Permission denied.
As a matter of fact, this scenario is a fair reminder not to call
bitbake with sudo.
This change makes sure the append is only performed if the
read-only-rootfs feature is not used.
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-selinux
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Some directories are created by populate-volatile.sh. We need to restore
their security contexts.
Before the patch:
$ ls -dZ /tmp /var/tmp /var/lock /var/run
system_u:object_r:root_t /tmp
system_u:object_r:var_t /var/lock
system_u:object_r:var_t /var/run
system_u:object_r:var_t /var/tmp
After the patch:
$ ls -dZ /tmp /var/tmp /var/lock /var/run
system_u:object_r:tmp_t /tmp
system_u:object_r:var_lock_t /var/lock
system_u:object_r:var_run_t /var/run
system_u:object_r:tmp_t /var/tmp
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Change the references to check for the distribution flag of 'selinux' being
set before taking any action within the bbappends. This prevents the
signature from being modified.
Also remove PR changes, as they are no longer allowed.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
