I am currently working on enabling SELinux on an x86 system (Yocto version 2.4). I was able to successfully enable SELinux on the target but need to set SELinux file contexts during the build. I have inherited the selinux-image.bbclass in my image recipe and can confirm that it's executed during the build. But when I boot up the image on the target, all the files have the wrong (or default) file contexts, e.g. all files in /etc have system_u:object_r:root_t:s0 labels. When I run restorecon, the files get the correct labels. I have managed to narrow it down to the following two issues:
1. setfiles fails during the build but doesn't return an error code or error message, so the build passes
I looked into the pseudo database table xattr to check if the xattrs are set during the build and found the table empty. So I modified the selinux-image.bbclass and added a setfattr to set an xattr for a single file in /etc before it runs setfiles. After the build, I found one entry in the xattr table of the pseudo db for the same file I had used the setfattr command on, and I was also able to get the xattr using getfattr in the modified selinux-image.bbclass. So that means setfattr was working as expected but setfiles was not. Next, I enabled some debug logs for pseudo and found the following, which points to setfiles failing after it tries to read security.restorecon_last. Any pointer as to why it is trying to read the security.restorecon_last xattr (even though we are not using the -d option for setfiles) and fails if it doesn't find it?
27286: wrapper called: getxattr
27286: getxattr - signals blocked, obtaining lock
27286: <nil> + build/tmp/work/x86_ctm-poky-linux-musl/custom-image/1.0-r0/rootfs => <build/tmp/work/x86_ctm-poky-linux-musl/custom-image/1.0-r0/rootfs>
2. xattrs set during the build are not present on the target
As mentioned above, I modified the selinux-image.bbclass to set an xattr for a single file in /etc. This works during the build, since I can see the corresponding entry in the pseudo db and can also get the set xattr using getfattr in the same selinux-image.bbclass. But when I boot up the image on the target, the xattr is replaced by (I am guessing) the default SELinux label of system_u:object_r:root_t:s0. I am using initramfs for packaging the root filesystem, and I found that cpio ignores xattrs and also that initramfs doesn't support xattrs. Does that mean I can't set the file contexts during the build because I am using initramfs and cpio?
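The post checks a single file by hand with setfattr and getfattr. The following is an added example, not code from the post or from the meta-selinux layer: it turns that spot check into an audit of a whole staged rootfs against a file_contexts spec, resolving each path the way setfiles does (regex anchored on the full path, optional file-type flag, last matching rule wins, `<<none>>` meaning "leave unlabelled") and reporting every path whose observed label differs. The spec text and the observed labels are constructed sample data; the `read_context` helper is an assumption about how one would gather real labels with `os.getxattr` on a Linux host.

```python
"""Audit SELinux labels in a staged rootfs against a file_contexts spec.

Added example (not the post's code). The sample spec and the observed
labels are constructed to resemble a rootfs where setfiles failed silently.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# file_contexts type flags -> one-letter kind used in this script.
_TYPE_FLAGS = {"--": "f", "-d": "d", "-l": "l", "-c": "c", "-b": "b",
               "-s": "s", "-p": "p"}

Spec = Tuple["re.Pattern[str]", Optional[str], Optional[str]]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts text into (anchored regex, kind or None, context or None).

    Comment handling is simplified: everything after '#' is dropped.
    """
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:            # regex, type flag, context
            regex, flag, context = fields
            kind: Optional[str] = _TYPE_FLAGS[flag]
        elif len(fields) == 2:          # regex, context (any file type)
            regex, context = fields
            kind = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # setfiles matches the regex against the whole path, so anchor it.
        specs.append((re.compile(f"^(?:{regex})$"), kind,
                      None if context == "<<none>>" else context))
    return specs


def expected_context(specs: List[Spec], path: str, kind: str = "f") -> Optional[str]:
    """Return the context the spec assigns to path; the last matching rule wins."""
    for pattern, spec_kind, context in reversed(specs):
        if spec_kind not in (None, kind):
            continue
        if pattern.match(path):
            return context
    return None


def read_context(path: str) -> Optional[str]:
    """Read security.selinux from a real file (Linux only); None if absent."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode()


def audit(specs: List[Spec],
          observed: Dict[str, Tuple[str, Optional[str]]]
          ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {path: (expected, actual)} for every mislabelled path.

    observed maps path -> (kind, actual context). In a build, fill it by
    walking the rootfs and calling read_context(); here it is sample data.
    """
    mismatches = {}
    for path, (kind, actual) in sorted(observed.items()):
        want = expected_context(specs, path, kind)
        if want != actual:
            mismatches[path] = (want, actual)
    return mismatches


# Constructed sample spec; only the syntax is modelled on real file_contexts.
SAMPLE_FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/passwd     --  system_u:object_r:passwd_file_t:s0
/etc/shadow     --  system_u:object_r:shadow_t:s0
/proc(/.*)?         <<none>>
"""

# Constructed observation: everything still carries the default label
# except the one file that was labelled by hand with setfattr.
SAMPLE_OBSERVED = {
    "/etc":        ("d", "system_u:object_r:root_t:s0"),
    "/etc/passwd": ("f", "system_u:object_r:root_t:s0"),
    "/etc/shadow": ("f", "system_u:object_r:shadow_t:s0"),
    "/etc/hosts":  ("f", "system_u:object_r:root_t:s0"),
    "/proc":       ("d", None),
}


def sample_audit() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Run the audit over the constructed sample data."""
    return audit(parse_file_contexts(SAMPLE_FILE_CONTEXTS), SAMPLE_OBSERVED)


if __name__ == "__main__":
    for p, (want, got) in sample_audit().items():
        print(f"{p}: expected {want}, found {got}")
```

Run this against the rootfs after setfiles (under pseudo, so that reads go through its xattr table) to get a build-time list of paths that would otherwise need restorecon on the target. It only reports; it does not relabel, and it says nothing about whether the packaging step (cpio in the post's case) carries the labels through.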