From 849cd74b5ff3c915356ae7411746194728594212 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Tue, 2 May 2017 21:17:20 -0400
Subject: selinux-image: enable image labelling selinux images attempt to label the filesystem image at creation time. This depends on a native setfiles, though, which isn't guaranteed to be present without the DEPEND addition. If the 'setfiles' call fails, that shouldn't be fatal, though, it can always be run at first boot time, as is commonly done with desktop and server distros.
Signed-off-by: Joe MacDonald
---
 classes/selinux-image.bbclass | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'classes')
diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index 9303610..90ead2f 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -1,8 +1,15 @@
 selinux_set_labels () {
 POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config)
- setfiles -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS} || exit 1;
+ if ! setfiles -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS}
+ then
+ echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image.
+ touch ${IMAGE_ROOTFS}/.autorelabel
+ exit 0
+ fi
 }
 
+DEPENDS += "policycoreutils-native"
+
 IMAGE_PREPROCESS_COMMAND += "selinux_set_labels ;"
 
 inherit core-image
-- 
cgit v1.2.3-54-g00ecf
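Review bot: The new failure branch in `selinux_set_labels` reports a labelling failure with a plain `echo`, which most likely ends up only in the task log, so an unlabelled SELinux image can come out of a build that looks clean. Every `setfiles` failure now takes this branch, not just a missing native tool: an empty `POL_TYPE` (the `sed` finds no `SELINUXTYPE` line) or a missing `file_contexts` file is tolerated as well, where it used to stop the build. I would raise it through the build's warning channel, `bbwarn "Unable to set filesystem context; setfiles/restorecon must be run on the live image"`, and use `return 0` rather than `exit 0` so that only the function ends. The `.autorelabel` fallback presumably helps only if the target's init handles that file and the root filesystem is writable at first boot; a comment above the `touch` stating that assumption would help whoever ships a read-only or enforcing-from-first-boot image.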