By default /var/volatile is mounted with the tmpfs_t label instead of var_t,
which would force us to add extra policy rules to eliminate AVC denials
from some services.
Set rootcontext for /var/volatile in fstab to make sure it is mounted
with the correct label.
Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-core/base-files/base-files_%.bbappend | 1 +
recipes-core/base-files/base-files_selinux.inc | 13 +++++++++++++
2 files changed, 14 insertions(+)
create mode 100644 recipes-core/base-files/base-files_%.bbappend
create mode 100644 recipes-core/base-files/base-files_selinux.inc
diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..f167033
--- /dev/null
+++ b/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)}
diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc
new file mode 100644
index 0000000..f2373aa
--- /dev/null
+++ b/recipes-core/base-files/base-files_selinux.inc
@@ -0,0 +1,13 @@
+REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}"
+
+do_install:append () {
+ if [ -n "${REFPOLICY_TYPE}" ]; then
+ if [ "${REFPOLICY_TYPE}" = "standard" ]; then
+ sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \
+ ${D}${sysconfdir}/fstab
+ else
+ sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \
+ ${D}${sysconfdir}/fstab
+ fi
+ fi
+}
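Review bot: The REFPOLICY_TYPE assignment on the first line of the hunk raises at parse time instead of yielding '' when PREFERRED_PROVIDER_virtual/refpolicy is unset (None has no split) or contains no '-' (index 1 is out of range); the `or ''` only guards an empty second field. A form that degrades to '' in both cases and gives the same result for the usual two-component provider names is `REFPOLICY_TYPE = "${@(d.getVar('PREFERRED_PROVIDER_virtual/refpolicy') or '').partition('-')[2]}"`, so the `-n` check in do_install:append actually decides. Note also that both sed expressions only match an options field of exactly `defaults`, so a base-files fstab that already carries other options for /var/volatile is left unlabelled without any error; if that layout is possible here, anchoring on the mount point and appending to whatever options are present would be more robust. A short comment above the if/else would help readers, e.g. `# MLS-enabled refpolicy variants need the sensitivity field (:s0) in the context; the standard policy rejects it`, since the only visible difference between the two branches is that suffix.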
--
2.25.1