On Thu, 2017-10-19 at 23:34 +0000, Nathan Owen wrote:
> Hi Stephen,
>
> Thanks for the help. Based on the information you provided, I think
> we will try to make a modified version of restorecon which can run on
> the development PC, load a specified set of policies, and apply the
> correct xattrs to the files immediately before we invoke
> mksquashfs. Since our development PCs do not yet use SELinux I do
> not think this should cause a problem in the short term (though I may
> be wrong). Then we will just need to figure out how to build
> policies for the embedded device from the development PC.

Use setfiles instead of restorecon (same program, but different usage;
setfiles takes the path to the file_contexts file you want to use for
labeling and supports use on non-SELinux hosts; restorecon uses the
system file_contexts file and only runs if SELinux is enabled in the
host). setfiles also supports a -r option for specifying an alternate
root path; this is used by meta-selinux in OE/Yocto to label the tree
(under pseudo), a la:

    setfiles -r /path/to/rootdir /path/to/rootdir/etc/selinux/targeted/contexts/files/file_contexts /path/to/rootdir

This will label the tree rooted at /path/to/rootdir based on
/path/to/rootdir/etc/selinux/targeted/contexts/files/file_contexts,
stripping the /path/to/rootdir prefix before matching the pathname
regexes. OE/Yocto does this under pseudo so that setting the xattrs and
other meta-data are redirected to a database and don't require running
as root, then later fetches them under pseudo and sets them in the
generated filesystem image.

The Android build tools just directly look up the contexts themselves
using selabel_lookup and set them directly in the image without going
through the indirection of setting them on the local filesystem first;
you pass the file_contexts file and the mountpoint directory as
arguments to make_ext4fs and it does it all internally.
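As an added illustration of the matching that "setfiles -r" performs (not code from setfiles, libselinux or meta-selinux): the script below parses a constructed file_contexts fragment, strips the alternate-root prefix from each path in a tree, and resolves the label with file_contexts(5) semantics (last matching entry wins, optional type field filters on the lstat() inode type, <<none>> leaves a path unlabeled). It is a dry run that only computes labels, like "setfiles -n", and never writes xattrs; the sample tree and the sample contexts are constructed here and Python's re is used as an approximation of libselinux's regex flavour.

```python
import os, re, stat, tempfile
# Constructed sample file_contexts (regex [type] context); not a real policy's file.
SAMPLE_FILE_CONTEXTS = """\
/.*             system_u:object_r:default_t:s0
/etc(/.*)?      system_u:object_r:etc_t:s0
/etc/passwd  -- system_u:object_r:passwd_file_t:s0
/bin(/.*)?      system_u:object_r:bin_t:s0
/bin/sh      -- system_u:object_r:shell_exec_t:s0
/proc        -d <<none>>
"""
# Optional type field selects on the inode type reported by lstat().
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
              "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO}

def parse_file_contexts(text):
    """Return [(compiled regex, inode-type filter or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            ftype = TYPE_FLAGS[fields[1]] if len(fields) == 3 else None
            specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs

def lookup(specs, rel_path, mode):
    """Last matching entry wins, per file_contexts(5); <<none>> (or no match) gives None."""
    for regex, ftype, ctx in reversed(specs):
        if regex.fullmatch(rel_path) and (ftype is None or stat.S_IFMT(mode) == ftype):
            return None if ctx == "<<none>>" else ctx
    return None

def label_tree(root, specs):
    """Dry run of 'setfiles -n -r root': strip the root prefix, then match the regexes."""
    labels = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]:
            rel = os.path.relpath(full, root)
            rel = "/" if rel == "." else "/" + rel
            labels[rel] = lookup(specs, rel, os.lstat(full).st_mode)
    return labels

def build_sample_tree():
    """Create a small constructed rootfs in a temp dir and return its path (sample data)."""
    root = tempfile.mkdtemp()
    for d in ("etc", "bin", "proc"):
        os.makedirs(os.path.join(root, d))
    for f in ("etc/passwd", "bin/bash"):
        open(os.path.join(root, f), "w").close()
    os.symlink("bash", os.path.join(root, "bin", "sh"))  # symlink, so the '--' entry must not match
    return root
```

Running label_tree(build_sample_tree(), parse_file_contexts(SAMPLE_FILE_CONTEXTS)) shows /bin/sh falling back to bin_t because the symlink fails the "--" type filter, and /proc getting no label at all.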