[OE-core] SELinux support
Enrico Scholz
enrico.scholz at sigma-chemnitz.de
Mon Jul 28 17:01:50 UTC 2014
[ https://bugzilla.yoctoproject.org/show_bug.cgi?id=6580 ]
Hi,
after upgrading to recent pseudo 1.6+, oe-core stops building as a
confined SELinux now. This happens because SELinux provides more
than the xattr file API and 'pseudo' does not intercept e.g. writing
into '/proc/self/attr/fscreate'.
IMO, turning off every SELinux-related operation in do_install() (which
is wrapped by 'pseudo') is a clean way to fix and improve building. If
OE supports SELinux for targets sometime, the file relabeling should be
done in do_rootfs() by using a chroot-aware 'restorecon' (e.g. which
reads the file context policy from the chroot but not from system-wide
/etc/selinux).
Unfortunately, I do not know a way to make applications think they are
running without SELinux. But patching 'pseudo' to return faked values
for 'is_selinux_enabled()' seems to be a good solution.
Bug #6580 mentioned at the beginning contains some discussion and a
patch. What do other people think about it?
Enrico