mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
3f850b745c
Fix AVC denied error when booting:
type=AVC msg=audit(1548055920.478:86): avc: denied { execute } for
pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1548055920.478:87): avc: denied { open } for
pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels
process would run before prelink process to set the security labels for
the files. But the label for /lib/libc-2.28.so and /lib/ld-2.28.so would
be changed after run prelink process. Use "_append" to make sure the
selinux_set_labels process run after prelink process.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
16 lines
596 B
Plaintext
16 lines
596 B
Plaintext
selinux_set_labels () {
|
|
POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
|
|
if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
|
|
then
|
|
echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image.
|
|
touch ${IMAGE_ROOTFS}/.autorelabel
|
|
exit 0
|
|
fi
|
|
}
|
|
|
|
DEPENDS += "policycoreutils-native"
|
|
|
|
IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
|
|
|
|
inherit core-image
|