By default /var/volatile will be mounted with tmpfs_t instead of var_t label, which will cause us to have to add some extra rules to eliminate avc denials of some services.
Set rootcontext for /var/volatile in fstab to make sure it is mounted with correct label. Signed-off-by: Yi Zhao <yi.z...@windriver.com> --- recipes-core/base-files/base-files_%.bbappend | 1 + recipes-core/base-files/base-files_selinux.inc | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 recipes-core/base-files/base-files_%.bbappend create mode 100644 recipes-core/base-files/base-files_selinux.inc diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 0000000..f167033 --- /dev/null +++ b/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)} diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc new file mode 100644 index 0000000..f2373aa --- /dev/null +++ b/recipes-core/base-files/base-files_selinux.inc @@ -0,0 +1,13 @@ +REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}" + +do_install:append () { + if [ -n "${REFPOLICY_TYPE}" ]; then + if [ "${REFPOLICY_TYPE}" = "standard" ]; then + sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \ + ${D}${sysconfdir}/fstab + else + sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \ + ${D}${sysconfdir}/fstab + fi + fi +} -- 2.25.1
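Review bot: in the `REFPOLICY_TYPE` assignment in base-files_selinux.inc, the `or ''` fallback can never take effect, because `d.getVar('PREFERRED_PROVIDER_virtual/refpolicy')` returns None when the variable is unset and the call to `.split('-')` then raises an AttributeError before the `or` is evaluated; a provider name without a '-' would likewise raise an IndexError on `[1]`. Consider wrapping the lookup so the recipe parses cleanly in both cases, for example `(d.getVar('PREFERRED_PROVIDER_virtual/refpolicy') or '-').split('-')[1]`, or moving the derivation into a small Python function that returns '' when the provider is unset or has no type suffix.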
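Review bot: the two `sed -i` commands in `do_install:append` succeed silently when the `/var/volatile tmpfs defaults` line is absent from `${D}${sysconfdir}/fstab` (for instance when a distro layer ships its own fstab or mounts the volatile tree another way), so the label fix would be dropped without any build-time indication. Consider checking with `grep -q` first and emitting a `bbwarn`/`bbfatal` if the pattern is not found, so a missing `rootcontext=` is noticed at build time rather than as AVC denials on the target. The `standard`/else branch structure also hard-codes that every non-standard refpolicy type wants an `:s0` level; a short comment stating that assumption (mcs and mls both carry a sensitivity level) would help future readers.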
View/Reply Online (#58467): https://lists.yoctoproject.org/g/yocto/message/58467