| Message ID | 20251222111523.2837748-1-jaihindy@qti.qualcomm.com |
|---|---|
| State | New |
| Series | [meta-selinux,1/1] systemd: create backlight directory via tmpfiles for SELinux compliance |
I think this should go to the yocto-patches ML instead of this one, otherwise the relevant layer maintainers might miss this.

On 12/22/25 12:15, Jaihind Yadav via lists.openembedded.org wrote:
> Ideally, /var/lib/systemd/backlight should be created and labeled at
> runtime, not at build time. The previous approach installed this
> directory during image build, which can cause issues with features like
> OSTree when SELinux is enabled.
>
> This change ships a tmpfiles configuration to ensure the directory is
> created and labeled correctly during first boot, allowing SELinux
> relabeling to work as intended.
>
> Reference:
> Previous discussion and initial fix:
> https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html
>
> Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
> ---
> recipes-core/systemd/systemd_selinux.inc | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc
> index 7d466ee..f36519c 100644
> --- a/recipes-core/systemd/systemd_selinux.inc
> +++ b/recipes-core/systemd/systemd_selinux.inc
> @@ -1,7 +1,13 @@ > inherit enable-selinux enable-audit > > +# Ship tmpfiles config for backlight > +SYSTEMD_TMPFILES += "systemd-backlight.conf" > do_install:append() { > - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > - install -d ${D}${localstatedir}/lib/systemd/backlight > - fi > + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > + install -d ${D}${sysconfdir}/tmpfiles.d > + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' > +d /var/lib/systemd/backlight 0755 root root - > +z /var/lib/systemd/backlight - - - - > +EOF > + fi > } > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#122787): https://lists.openembedded.org/g/openembedded-devel/message/122787 > Mute This Topic: https://lists.openembedded.org/mt/116900764/6084445 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Mon, Dec 22, 2025 at 9:05 PM Jaihind Yadav via lists.openembedded.org <jaihindy=qti.qualcomm.com@lists.openembedded.org> wrote:
>
> Ideally, /var/lib/systemd/backlight should be created and labeled at
> runtime, not at build time. The previous approach installed this
> directory during image build, which can cause issues with features like
> OSTree when SELinux is enabled.

It seems you are talking about OSTree and relabeling interchangeably. Is the issue that OSTree doesn't want things to be present in /var? How is relabeling a problem if it's already present at build time?

>
> This change ships a tmpfiles configuration to ensure the directory is
> created and labeled correctly during first boot, allowing SELinux
> relabeling to work as intended.

It looks like this is what the original code did as well by letting StateDirectory= in the unit create the backlight directory before it switched to creating this at build time in the link mentioned below. Why is this a problem specifically only for backlight?

>
> Reference:
> Previous discussion and initial fix:
> https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html
>
> Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
> ---
> recipes-core/systemd/systemd_selinux.inc | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc
> index 7d466ee..f36519c 100644
> --- a/recipes-core/systemd/systemd_selinux.inc
> +++ b/recipes-core/systemd/systemd_selinux.inc
> @@ -1,7 +1,13 @@ > inherit enable-selinux enable-audit > > +# Ship tmpfiles config for backlight > +SYSTEMD_TMPFILES += "systemd-backlight.conf" What is SYSTEMD_TMPFILES? > do_install:append() { > - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > - install -d ${D}${localstatedir}/lib/systemd/backlight > - fi > + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > + install -d ${D}${sysconfdir}/tmpfiles.d > + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' > +d /var/lib/systemd/backlight 0755 root root - > +z /var/lib/systemd/backlight - - - - > +EOF > + fi > } > -- > 2.43.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#122787): https://lists.openembedded.org/g/openembedded-devel/message/122787 > Mute This Topic: https://lists.openembedded.org/mt/116900764/3616702 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [anuj.mittal@oss.qualcomm.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi @Anuj Mittal,

Thank you for your comment. Let me clarify the reasoning behind this change:

OSTree treats /usr as immutable and expects /var to be initialized at runtime. As you mentioned, OSTree doesn't want pre-created content in /var. Creating /var/lib/systemd/backlight during image build is what causes the issue.

While StateDirectory= can create the directory, it doesn't guarantee an SELinux relabel before the service runs. Using tmpfiles with d + z ensures correct creation and labeling early in boot, avoiding race conditions.

systemd-backlight.service runs very early and writes to this directory. If SELinux denies access due to incorrect labeling, brightness restoration fails. This change makes the process more robust.

Thanks,
Jaihind Yadav

-----Original Message-----
From: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Sent: Tuesday, December 23, 2025 6:30 AM
To: Jaihind Yadav <jaihindy@qti.qualcomm.com>
Cc: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-selinux] [PATCH 1/1] systemd: create backlight directory via tmpfiles for SELinux compliance

On Mon, Dec 22, 2025 at 9:05 PM Jaihind Yadav via lists.openembedded.org <jaihindy=qti.qualcomm.com@lists.openembedded.org> wrote:
>
> Ideally, /var/lib/systemd/backlight should be created and labeled at
> runtime, not at build time. The previous approach installed this
> directory during image build, which can cause issues with features
> like OSTree when SELinux is enabled.

It seems you are talking about OSTree and relabeling interchangeably. Is the issue that OSTree doesn't want things to be present in /var? How is relabeling a problem if it's already present at build time?

>
> This change ships a tmpfiles configuration to ensure the directory is
> created and labeled correctly during first boot, allowing SELinux
> relabeling to work as intended.

It looks like this is what the original code did as well by letting StateDirectory= in the unit create the backlight directory before it switched to creating this at build time in the link mentioned below. Why is this a problem specifically only for backlight?

>
> Reference:
> Previous discussion and initial fix:
> https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html
>
> Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
> ---
> recipes-core/systemd/systemd_selinux.inc | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/recipes-core/systemd/systemd_selinux.inc
> b/recipes-core/systemd/systemd_selinux.inc
> index 7d466ee..f36519c 100644
> --- a/recipes-core/systemd/systemd_selinux.inc
> +++ b/recipes-core/systemd/systemd_selinux.inc
> @@ -1,7 +1,13 @@ > inherit enable-selinux enable-audit > > +# Ship tmpfiles config for backlight > +SYSTEMD_TMPFILES += "systemd-backlight.conf" What is SYSTEMD_TMPFILES? > do_install:append() { > - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > - install -d ${D}${localstatedir}/lib/systemd/backlight > - fi > + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > + install -d ${D}${sysconfdir}/tmpfiles.d > + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' > +d /var/lib/systemd/backlight 0755 root root - z > +/var/lib/systemd/backlight - - - - EOF > + fi > } > -- > 2.43.0 > > > >
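The d + z pairing discussed in the reply above, as an added example that is not part of this thread, of meta-selinux or of systemd: a small Python parser for tmpfiles.d(5) lines that reads the two entries the patch writes (plus constructed variants) and reports, per path, whether the file creates it, adjusts mode and owner, or only fixes its label. The sample configuration, the subset of entry types it accepts and the helper names are this example's own assumptions; it does not talk to systemd-tmpfiles and can be run offline to lint a fragment before it is shipped.

```python
"""Minimal parser and checker for tmpfiles.d(5) lines (added example)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the two lines the patch writes, plus a recursive
# relabel line and a comment, to exercise the parser.
SAMPLE_CONF = """\
# Ship tmpfiles config for backlight
d /var/lib/systemd/backlight 0755 root root -
z /var/lib/systemd/backlight - - - -
Z /var/lib/systemd 0755 - - -
"""

# Subset of the entry types from tmpfiles.d(5) that this example understands.
TYPES: Dict[str, str] = {
    "d": "create directory if missing, then apply mode/owner/label",
    "D": "like d, and remove contents on --remove",
    "z": "adjust mode/owner/label of an existing path, never creates it",
    "Z": "like z, applied recursively",
}


@dataclass(frozen=True)
class Entry:
    type_: str
    path: str
    mode: Optional[int]        # parsed octal mode, None when '-' or omitted
    user: Optional[str]
    group: Optional[str]
    age: Optional[str]
    argument: Optional[str]

    @property
    def creates(self) -> bool:
        return self.type_ in ("d", "D")


def _field(fields: List[str], idx: int) -> Optional[str]:
    """Return field idx, treating a missing field or '-' as unset."""
    if idx >= len(fields) or fields[idx] == "-":
        return None
    return fields[idx]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one tmpfiles.d line; returns None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = shlex.split(stripped)  # tmpfiles.d allows shell-style quoting
    if len(fields) < 2:
        raise ValueError(f"need at least type and path: {line!r}")
    type_, path = fields[0], fields[1]
    if type_ not in TYPES:
        raise ValueError(f"unsupported entry type {type_!r} in {line!r}")
    if not path.startswith("/"):
        raise ValueError(f"path must be absolute: {path!r}")
    mode_str = _field(fields, 2)
    mode = None
    if mode_str is not None:
        # tmpfiles.d allows a '~' (mask) or ':' (only-if-creating) prefix
        try:
            mode = int(mode_str.lstrip("~:"), 8)
        except ValueError:
            raise ValueError(f"mode is not octal: {mode_str!r}") from None
    return Entry(type_, path, mode, _field(fields, 3), _field(fields, 4),
                 _field(fields, 5), _field(fields, 6))


def parse_config(text: str) -> List[Entry]:
    """Parse a whole tmpfiles.d file, reporting the line number on error."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries


def actions_by_path(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Map each path to the set of actions the fragment applies to it."""
    result: Dict[str, Set[str]] = {}
    for e in entries:
        actions = result.setdefault(e.path, set())
        if e.creates:
            actions.add("create")
        if e.mode is not None or e.user is not None or e.group is not None:
            actions.add("chmod/chown")
        actions.add("label")  # all four supported types end with a label fix-up
    return result


def label_only_paths(entries: List[Entry]) -> List[str]:
    """Paths with a z/Z line but no d/D line: they are labeled only if
    something else (e.g. StateDirectory=) has already created them."""
    created = {e.path for e in entries if e.creates}
    return sorted({e.path for e in entries
                   if e.type_ in ("z", "Z") and e.path not in created})


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONF)
    for entry in parsed:
        print(entry.type_, entry.path, "->", TYPES[entry.type_])
    print(actions_by_path(parsed))
    print("label-only paths:", label_only_paths(parsed))
```

Running the block on the sample shows the patch's own path getting create, chmod/chown and label, while the parent directory (which only has a `Z` line) is reported as label-only, which is exactly the situation in which a label fix-up depends on some other mechanism having created the directory first.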
diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc index 7d466ee..f36519c 100644 --- a/recipes-core/systemd/systemd_selinux.inc +++ b/recipes-core/systemd/systemd_selinux.inc @@ -1,7 +1,13 @@ inherit enable-selinux enable-audit +# Ship tmpfiles config for backlight +SYSTEMD_TMPFILES += "systemd-backlight.conf" do_install:append() { - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then - install -d ${D}${localstatedir}/lib/systemd/backlight - fi + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' +d /var/lib/systemd/backlight 0755 root root - +z /var/lib/systemd/backlight - - - - +EOF + fi }
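Review bot: `SYSTEMD_TMPFILES += "systemd-backlight.conf"` sits outside the PACKAGECONFIG guard and nothing in the hunk reads it (the file is written directly by the heredoc), so either drop the line or say what consumes it; as written it names a file that does not exist when `backlight` is not in PACKAGECONFIG. Second, `${D}${sysconfdir}/tmpfiles.d` is the administrator-override directory in tmpfiles.d(5); a recipe-shipped fragment belongs in `${nonarch_libdir}/tmpfiles.d` (/usr/lib/tmpfiles.d), which also fits the OSTree case the commit message cites, where /usr is the immutable image and /etc is locally managed. Third, a short comment on why `z` follows `d` would help reviewers: the `d` line already labels the directory it creates, so the `z` line only does work when the directory survived from an older image with a stale label.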
Ideally, /var/lib/systemd/backlight should be created and labeled at runtime, not at build time. The previous approach installed this directory during image build, which can cause issues with features like OSTree when SELinux is enabled.

This change ships a tmpfiles configuration to ensure the directory is created and labeled correctly during first boot, allowing SELinux relabeling to work as intended.

Reference:
Previous discussion and initial fix:
https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html

Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
---
recipes-core/systemd/systemd_selinux.inc | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)