From 3f850b745ca5a640a38516fce5393318cc78cacc Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 25 Jan 2019 15:39:41 +0800 Subject: selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND Fix AVC denied error when booting: type=AVC msg=audit(1548055920.478:86): avc: denied { execute } for pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1548055920.478:87): avc: denied { open } for pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels process would run before prelink process to set the security labels for the files. But the label for /lib/libc-2.28.so and /lib/ld-2.28.so would be changed after run prelink process. Use "_append" to make sure the selinux_set_labels process run after prelink process. Signed-off-by: Yi Zhao Signed-off-by: Joe MacDonald
---
classes/selinux-image.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'classes')
diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index 5174dc5..7f157d3 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -10,6 +10,6 @@ selinux_set_labels () {
 DEPENDS += "policycoreutils-native"
-IMAGE_PREPROCESS_COMMAND += "selinux_set_labels ;"
+IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
 inherit core-image
-- cgit v1.2.3-54-g00ecf
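Review bot: The new `IMAGE_PREPROCESS_COMMAND_append` line carries no comment recording that `selinux_set_labels` has to run after every step that rewrites files in the rootfs, so a later cleanup could easily undo the ordering fix. I would add above it `# Keep as _append: labels must be applied after prelink has rewritten the libraries, or they end up unlabeled_t.` Note also that `_append` only places this after the `+=` entries and any appends parsed earlier; if another class appends a file-modifying step later (not visible from this hunk), the same `unlabeled_t` denials quoted in the commit message would return. Under an enforcing policy they would be blocking rather than merely logged as in the `permissive=1` records. The `selinux_set_labels` function body is outside the hunk.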