author | João Marcos Costa <joaomarcos.costa@bootlin.com> | 2025-09-29 18:20:57 +0200
committer | Yi Zhao <yi.zhao@windriver.com> | 2025-10-08 18:52:07 +0800
commit | 91bf2937722476fe2b8f9d787300cfcd04670c5e (patch)
tree | 7cf61022608b6c3094bcc40b0e3bb45c6e3cb8e3
parent | 6f88a2fba508d217003609addc117d095b602145 (diff)
download | meta-selinux-master.tar.gz
When the read-only-rootfs feature (in IMAGE_FEATURES) is enabled, the
populate-volatile.sh script runs at build time. This compensates for the
fact that certain essential directories and files cannot be created at
runtime, since the root filesystem is read-only. This is handled in
oe-core's rootfs-postcommands.bbclass, in read_only_rootfs_hook.

However, initscripts-1.0_selinux.inc appends some shell code to
populate-volatile.sh considering it will be run on the target, not on
the host machine. So, if one uses both read-only-rootfs and selinux (in
DISTRO_FEATURES), the recursive call to restorecon is run on the host
machine, since populate-volatile.sh is called at build time. This leads
to errors such as:

| NOTE: Executing read_only_rootfs_hook ...
| DEBUG: Executing shell function read_only_rootfs_hook
| /sbin/restorecon: Could not read /var/lib/AccountsService/users: Permission denied.
| /sbin/restorecon: Could not read /var/lib/NetworkManager: Permission denied.
| /sbin/restorecon: Could not read /var/lib/bluetooth: Permission denied.
| /sbin/restorecon: Could not read /var/lib/chrony: Permission denied.

As a matter of fact, this scenario is a fair reminder not to call
bitbake with sudo.

This change makes sure the append is only performed if the
read-only-rootfs feature is not used.
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
-rw-r--r-- | recipes-core/initscripts/initscripts-1.0_selinux.inc | 4
1 files changed, 3 insertions, 1 deletions
diff --git a/recipes-core/initscripts/initscripts-1.0_selinux.inc b/recipes-core/initscripts/initscripts-1.0_selinux.inc index 6530a87..6d912cd 100644 --- a/recipes-core/initscripts/initscripts-1.0_selinux.inc +++ b/recipes-core/initscripts/initscripts-1.0_selinux.inc | |||
@@ -1,6 +1,6 @@ | |||
1 | FILESEXTRAPATHS:prepend := "${THISDIR}/files:" | 1 | FILESEXTRAPATHS:prepend := "${THISDIR}/files:" |
2 | 2 | ||
3 | do_install:append () { | 3 | restore_context() { |
4 | cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh | 4 | cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh |
5 | touch /var/log/lastlog | 5 | touch /var/log/lastlog |
6 | test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \ | 6 | test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \ |
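Review bot: renaming `do_install:append ()` to `restore_context()` on line 3 turns an automatically chained task append into a plain shell function that runs only when something hooks it explicitly, so the heredoc that appends the `touch /var/log/lastlog` and `restorecon -iRF` lines to `${D}${sysconfdir}/init.d/populate-volatile.sh` now depends entirely on the `do_install[postfuncs]` registration; a one-line comment above the function saying it is conditional on the read-only-rootfs feature would save the next reader from wondering why a `restore_context` function exists with no visible caller. On the heredoc body itself, `test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run` only checks that the binary is executable, which is exactly the check that passes on a build host with `restorecon` installed and is why the build-time run described in the commit message got as far as the `Permission denied` errors; skipping the append is the right fix, but the line is unchanged here, so the script still has no guard of its own if it is ever invoked outside the target.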
@@ -9,3 +9,5 @@ EOF | |||
9 | sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \ | 9 | sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \ |
10 | ${D}${sysconfdir}/init.d/checkroot.sh | 10 | ${D}${sysconfdir}/init.d/checkroot.sh |
11 | } | 11 | } |
12 | |||
13 | do_install[postfuncs] += "${@'' if 'read-only-rootfs' in d.getVar('IMAGE_FEATURES') else 'restore_context'}" | ||
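Review bot: `'read-only-rootfs' in d.getVar('IMAGE_FEATURES')` on line 13 raises `TypeError` when `IMAGE_FEATURES` is unset, because `d.getVar()` returns `None` for an unset variable and `'...' in None` is not valid Python; since this `.inc` is parsed in the initscripts package recipe rather than in an image recipe, an unset `IMAGE_FEATURES` is the common case rather than the exception. The idiomatic form is `do_install[postfuncs] += "${@bb.utils.contains('IMAGE_FEATURES', 'read-only-rootfs', '', 'restore_context', d)}"`, which handles the unset case and matches whole feature names instead of substrings. Related design point worth a sentence in the commit message: `IMAGE_FEATURES` is an image-level variable, so this condition only sees a value set globally (local.conf or a distro configuration); `read-only-rootfs` added in one image recipe's own `IMAGE_FEATURES` is not visible when the initscripts package is built, and that single package is shared by every image produced from the configuration, so the conditional cannot track per-image settings.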