Hi @Anuj Mittal,

Thank you for your comment. Let me clarify the reasoning behind this change:

OSTree treats /usr as immutable and expects /var to be initialized at runtime. As you mentioned, OSTree doesn’t want pre-created content in /var. Creating /var/lib/systemd/backlight during image build is what causes the issue.

While StateDirectory= can create the directory, it doesn’t guarantee SELinux relabel before the service runs. Using tmpfiles with d + z ensures correct creation and labeling early in boot, avoiding race conditions.

systemd-backlight.service runs very early and writes to this directory. If SELinux denies access due to incorrect labeling, brightness restoration fails.

This change makes the process more robust.

Thanks,
Jaihind Yadav

-----Original Message-----
From: Anuj Mittal <[email protected]>
Sent: Tuesday, December 23, 2025 6:30 AM
To: Jaihind Yadav <[email protected]>
Cc: [email protected]
Subject: Re: [oe] [meta-selinux] [PATCH 1/1] systemd: create backlight directory via tmpfiles for SELinux compliance

On Mon, Dec 22, 2025 at 9:05 PM Jaihind Yadav via lists.openembedded.org <[email protected]> wrote:
>
> Ideally, /var/lib/systemd/backlight should be created and labeled at
> runtime, not at build time. The previous approach installed this
> directory during image build, which can cause issues with features
> like OSTree when SELinux is enabled.

It seems you are talking about OSTree and relabeling interchangeably. Is the issue that OSTree doesn't want things to be present in /var? How is relabeling a problem if it's already present at build time?

>
> This change ships a tmpfiles configuration to ensure the directory is
> created and labeled correctly during first boot, allowing SELinux
> relabeling to work as intended.

It looks like this is what the original code did as well by letting StateDirectory= in the unit create backlight directory before it switched to creating this at build time in link mentioned below. Why is this a problem specifically only for backlight?

>
> Reference:
> Previous discussion and initial fix:
> https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html
>
> Signed-off-by: Jaihind Yadav <[email protected]>
> --- > recipes-core/systemd/systemd_selinux.inc | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/recipes-core/systemd/systemd_selinux.inc > b/recipes-core/systemd/systemd_selinux.inc > index 7d466ee..f36519c 100644 > --- a/recipes-core/systemd/systemd_selinux.inc > +++ b/recipes-core/systemd/systemd_selinux.inc 
> @@ -1,7 +1,13 @@ > inherit enable-selinux enable-audit > > +# Ship tmpfiles config for backlight > +SYSTEMD_TMPFILES += "systemd-backlight.conf" What is SYSTEMD_TMPFILES? > do_install:append() { > - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', > 'false', d)}; then > - install -d ${D}${localstatedir}/lib/systemd/backlight > - fi > + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', > d)}; then > + install -d ${D}${sysconfdir}/tmpfiles.d > + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' > +d /var/lib/systemd/backlight 0755 root root - z > +/var/lib/systemd/backlight - - - - EOF > + fi > } > -- > 2.43.0 > > > >
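
Review bot: The relabel entry in the heredoc inside do_install:append() does not read as a valid tmpfiles.d line as quoted: `z` sits at the end of the `d` line, in the argument column, and the following line begins with the path and has no type field. tmpfiles.d takes the type as the first field, so the relabel entry should be a line of its own, `z /var/lib/systemd/backlight - - - -`, with the `d` line ending at the age field and `EOF` alone on the closing line of the heredoc. Two further points on the same hunk: the file is written to ${sysconfdir}/tmpfiles.d, which tmpfiles.d(5) reserves for the local administrator while package-shipped files belong under /usr/lib/tmpfiles.d; and SYSTEMD_TMPFILES is assigned but nothing in the visible lines reads it, so either say in the comment what consumes it or drop the assignment.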
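
A lint check for the d + z pairing discussed in this thread, as an added example that is not part of the original mail or of the meta-selinux layer: it parses tmpfiles.d text and reports whether a path has both a directory-creating entry and a z/Z relabel entry. The function names and both sample configurations are constructed for illustration, and fields are split on whitespace only (quoted paths are not handled).

```python
import fnmatch

# Type letters from tmpfiles.d(5); modifiers such as "+" or "!" may follow them.
TYPES = set("fwdDevqQpLcbCxXrRzZtThHaA")
CREATE = set("dDvqQ")  # types that create a directory (or subvolume)

# Constructed sample: the heredoc body as it reads in the quoted hunk.
AS_QUOTED = """\
d /var/lib/systemd/backlight 0755 root root - z
/var/lib/systemd/backlight - - - -
"""
# Constructed sample: create entry followed by a separate relabel entry.
WELL_FORMED = """\
d /var/lib/systemd/backlight 0755 root root -
z /var/lib/systemd/backlight - - - -
"""

def parse(text):
    """Return (entries, errors); entries are (type_letter, path) tuples."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0][0] not in TYPES:
            errors.append(f"line {n}: no valid type field in {line!r}")
            continue
        entries.append((fields[0][0], fields[1]))
    return entries, errors

def covers(kind, pattern, path):
    """True if a z/Z entry with this path pattern relabels `path`."""
    if kind == "z":
        return fnmatch.fnmatchcase(path, pattern)
    if kind == "Z":  # recursive: also covers everything below the pattern
        parts = path.split("/")
        return any(fnmatch.fnmatchcase("/".join(parts[:i]), pattern)
                   for i in range(2, len(parts) + 1))
    return False

def check(text, path):
    """List the problems that stop `path` being created and relabelled."""
    entries, problems = parse(text)
    if not any(k in CREATE and p == path for k, p in entries):
        problems.append(f"no directory-creating entry for {path}")
    if not any(covers(k, p, path) for k, p in entries):
        problems.append(f"no z/Z relabel entry covering {path}")
    return problems
```

Calling `check(AS_QUOTED, "/var/lib/systemd/backlight")` reports the untyped second line and the missing relabel entry, while `WELL_FORMED` returns an empty list.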
