base-files: set correct label for /var/volatile

By default /var/volatile will be mounted with tmpfs_t instead of var_t label, which will cause us to have to add some extra rules to eliminate avc denials of some services. Set rootcontext for /var/volatile in fstab to make sure it is mounted with correct label. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Yi Zhao <yi.zhao@windriver.com> 2022-11-02 15:30:50 +0800
committer: Joe MacDonald <joe@deserted.net> 2022-11-07 14:19:08 -0500
commit: 08a2705c007b046696457cbc83e5fc354e984659 (patch)
tree: 26aaf94d195c9bf210ffb5da9180dac4fe2aa5da
parent: cccf2bbe0251ad7aa04e7902f7edf754469745c2 (diff)
download: meta-selinux-08a2705c007b046696457cbc83e5fc354e984659.tar.gz
2 files changed, 14 insertions, 0 deletions
diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..f167033
--- /dev/null
+++ b/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)}
diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc
new file mode 100644
index 0000000..f2373aa
--- /dev/null
+++ b/recipes-core/base-files/base-files_selinux.inc
@@ -0,0 +1,13 @@
+REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}"
+do_install:append () {
+    if [ -n "${REFPOLICY_TYPE}" ]; then
+        if [ "${REFPOLICY_TYPE}" = "standard" ]; then
+            sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \
+                ${D}${sysconfdir}/fstab
+        else
+            sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \
+                ${D}${sysconfdir}/fstab
+        fi
+    fi
+}
author	Yi Zhao <yi.zhao@windriver.com>	2022-11-02 15:30:50 +0800
committer	Joe MacDonald <joe@deserted.net>	2022-11-07 14:19:08 -0500
commit	08a2705c007b046696457cbc83e5fc354e984659 (patch)
tree	26aaf94d195c9bf210ffb5da9180dac4fe2aa5da
parent	cccf2bbe0251ad7aa04e7902f7edf754469745c2 (diff)
download	meta-selinux-08a2705c007b046696457cbc83e5fc354e984659.tar.gz

diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 0000000..f167033 --- /dev/null +++ b/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
		require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)}


diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc new file mode 100644 index 0000000..f2373aa --- /dev/null +++ b/recipes-core/base-files/base-files_selinux.inc
@@ -0,0 +1,13 @@
	1	REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}"
	2
	3	do_install:append () {
	4	if [ -n "${REFPOLICY_TYPE}" ]; then
	5	if [ "${REFPOLICY_TYPE}" = "standard" ]; then
	6	sed -i 's/\s\/var\/volatile\stmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \
	7	${D}${sysconfdir}/fstab
	8	else
	9	sed -i 's/\s\/var\/volatile\stmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \
	10	${D}${sysconfdir}/fstab
	11	fi
	12	fi
	13	}