[meta-selinux,2/2] selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND

Submitted by Yi Zhao on Jan. 25, 2019, 7:39 a.m. | Patch ID: 158227

Details

Message ID 1548401981-18083-2-git-send-email-yi.zhao@windriver.com
State New

Commit Message

Yi Zhao Jan. 25, 2019, 7:39 a.m.
Fix AVC denied error when booting:

type=AVC msg=audit(1548055920.478:86): avc:  denied  { execute } for
pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

type=AVC msg=audit(1548055920.478:87): avc:  denied  { open } for
pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels
process would run before the prelink process to set the security labels for
the files. But the labels for /lib/libc-2.28.so and /lib/ld-2.28.so would
be changed after running the prelink process. Use "_append" to make sure the
selinux_set_labels process runs after the prelink process.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 classes/selinux-image.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index 5174dc5..7f157d3 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -10,6 +10,6 @@  selinux_set_labels () {
 
 DEPENDS += "policycoreutils-native"
 
-IMAGE_PREPROCESS_COMMAND += "selinux_set_labels ;"
+IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
 
 inherit core-image
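
Review bot: The ordering requirement behind the new `IMAGE_PREPROCESS_COMMAND_append` line is not documented in the class, so a later cleanup could switch it back to `+=` and bring back the unlabeled_t files shown in the commit message. Please add a comment above the assignment stating that selinux_set_labels must run after prelink, and after any other preprocess step that rewrites files. `_append` defers the assignment past the `+=` users, but another class that adds a file-modifying command with `_append` and is parsed later would still run after labeling, so the comment should state that assumption. The AVC records quoted in the commit message show permissive=1, so it would help to mention in the test notes whether the image was also booted in enforcing mode with the fix applied.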