selinux-autorelabel: disable enforcing mode before relabel

The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/setfiles. The relabel operations
are not permitted under enforcing mode. So we need to disable enforcing
mode before relabel.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

1 files changed, 6 insertions, 3 deletions

diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
 /usr/sbin/selinuxenabled 2>/dev/null || exit 0
 
 FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
 
-if ! test -x ${FIXFILES}; then
-        echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+        test -x $i && continue
+        echo "$i is missing in the system."
         echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
         exit 1
-fi
+done
 
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
         echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+        ${SETENFORCE} 0
         ${FIXFILES} -F -f relabel
         /bin/rm -f /.autorelabel
         echo " * Relabel done, rebooting the system."