diff options
| author | Yi Zhao <yi.zhao@windriver.com> | 2023-09-22 10:22:34 +0800 |
|---|---|---|
| committer | Joe MacDonald <joe@deserted.net> | 2023-10-12 10:14:19 -0400 |
| commit | 46ec0414b4dff45de7c44a11ae4cc275982eca6f (patch) | |
| tree | 31f02be6a26179962e2db06bd73da7b7c31fd9a2 | |
| parent | ce049565e1dc84f8ae323ec33ce5632f727900a4 (diff) | |
| download | meta-selinux-46ec0414b4dff45de7c44a11ae4cc275982eca6f.tar.gz | |
selinux-image.bbclass: refactor bbclass
The selinux_set_labels function should run as late as possible. To
guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in
RecipePreFinalise event handler, this ensures it is the last function in
IMAGE_PREPROCESS_COMMAND.
After refactoring, system using systemd can also label selinux contexts
during build.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
| -rw-r--r-- | classes/selinux-image.bbclass | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass index 23645b7..b4f9321 100644 --- a/classes/selinux-image.bbclass +++ b/classes/selinux-image.bbclass | |||
| @@ -1,15 +1,29 @@ | |||
| 1 | selinux_set_labels () { | 1 | selinux_set_labels() { |
| 2 | POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config) | 2 | if [ -f ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config ]; then |
| 3 | if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS} | 3 | POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config) |
| 4 | then | 4 | if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS} |
| 5 | echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image. | 5 | then |
| 6 | touch ${IMAGE_ROOTFS}/.autorelabel | 6 | bbwarn "Failed to set security contexts. Restoring security contexts will run on first boot." |
| 7 | exit 0 | 7 | echo "# first boot relabelling" > ${IMAGE_ROOTFS}/.autorelabel |
| 8 | fi | ||
| 8 | fi | 9 | fi |
| 9 | } | 10 | } |
| 10 | 11 | ||
| 11 | DEPENDS += "policycoreutils-native" | 12 | # The selinux_set_labels function should run as late as possible. Append |
| 13 | # it to IMAGE_PREPROCESS_COMMAND in RecipePreFinalise event handler, | ||
| 14 | # this ensures it is the last function in IMAGE_PREPROCESS_COMMAND. | ||
| 15 | python selinux_setlabels_handler() { | ||
| 16 | if not d or 'selinux' not in d.getVar('DISTRO_FEATURES').split(): | ||
| 17 | return | ||
| 12 | 18 | ||
| 13 | IMAGE_PREPROCESS_COMMAND:append = " selinux_set_labels ;" | 19 | if d.getVar('FIRST_BOOT_RELABEL') == '1': |
| 20 | return | ||
| 21 | |||
| 22 | d.appendVar('IMAGE_PREPROCESS_COMMAND', ' selinux_set_labels; ') | ||
| 23 | d.appendVarFlag('do_image', 'depends', ' policycoreutils-native:do_populate_sysroot') | ||
| 24 | } | ||
| 25 | |||
| 26 | addhandler selinux_setlabels_handler | ||
| 27 | selinux_setlabels_handler[eventmask] = "bb.event.RecipePreFinalise" | ||
| 14 | 28 | ||
| 15 | inherit core-image | 29 | inherit core-image |