The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue on first boot with bootparams="selinux=1 enforcing=1". At first boot, all files are unlabeled, including /sbin/fixfiles. The relabel operation is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0 to ensure that enforcing mode is disabled before the relabel.
Signed-off-by: Yi Zhao <yi.z...@windriver.com>
---
 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ echo "0" > /sys/fs/selinux/enforce
 ${FIXFILES} -F -f relabel
 /bin/rm -f /.autorelabel
 echo " * Relabel done, rebooting the system."
--
2.7.4
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
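Review bot: The added `echo "0" > /sys/fs/selinux/enforce` drops the system to permissive without checking that the write succeeded or reporting the mode change, and nothing in the hunk puts enforcing back; it presumably returns only through the reboot announced three lines below. If the write fails (for example selinuxfs is not mounted at that path, or the loaded policy denies the mode switch), `${FIXFILES}` still runs under enforcing and `/.autorelabel` is removed regardless, so the failed relabel is not visible. I would document and guard the line: `# Unlabeled first boot: relabel needs permissive; the reboot below restores the boot-time mode` followed by `echo 0 > /sys/fs/selinux/enforce || echo "SELinux: cannot switch to permissive, relabel may fail" >&2`. The `if` block continues past the end of the hunk, so whether the reboot is unconditional cannot be confirmed from here.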