author | Yi Zhao <yi.zhao@windriver.com> | 2022-11-02 15:30:50 +0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2022-11-07 14:19:08 -0500 |
commit | 08a2705c007b046696457cbc83e5fc354e984659 (patch) | |
tree | 26aaf94d195c9bf210ffb5da9180dac4fe2aa5da | |
parent | cccf2bbe0251ad7aa04e7902f7edf754469745c2 (diff) | |
download | meta-selinux-08a2705c007b046696457cbc83e5fc354e984659.tar.gz |
base-files: set correct label for /var/volatile
By default /var/volatile is mounted with the tmpfs_t label instead of
var_t, which forces us to add extra policy rules to eliminate AVC
denials for some services.
Set rootcontext for /var/volatile in fstab to make sure it is mounted
with correct label.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r-- | recipes-core/base-files/base-files_%.bbappend | 1 | ||||
-rw-r--r-- | recipes-core/base-files/base-files_selinux.inc | 13 |
2 files changed, 14 insertions, 0 deletions
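--- /dev/null
+++ b/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)}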
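--- /dev/null
+++ b/recipes-core/base-files/base-files_selinux.inc
@@ -0,0 +1,13 @@
+REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}"
+
+do_install:append () {
+if [ -n "${REFPOLICY_TYPE}" ]; then
+if [ "${REFPOLICY_TYPE}" = "standard" ]; then
+sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \
+${D}${sysconfdir}/fstab
+else
+sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \
+${D}${sysconfdir}/fstab
+fi
+fi
+}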
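Review bot: Both `sed -i` calls in do_install:append succeed even when the pattern matches nothing, so an fstab whose /var/volatile entry is not exactly `tmpfs defaults` (a customised base-files fstab, for instance) ships without rootcontext and the mount silently keeps the tmpfs_t label. Because the label is what spares the policy from extra allow rules, that case should be loud: after the inner if/else add `grep -q 'rootcontext=system_u:object_r:var_t' ${D}${sysconfdir}/fstab || bbwarn "/var/volatile entry not matched in fstab; rootcontext not set"`. Separately, the `or ''` on the REFPOLICY_TYPE line does not cover an unset PREFERRED_PROVIDER_virtual/refpolicy (getVar returns None) or a value without a '-', either of which would raise at parse time; presumably the layer always sets it, but a guard or a comment stating that assumption would help.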