| Message ID | 20251222111523.2837748-1-jaihindy@qti.qualcomm.com |
|---|---|
| State | New |
| Series | [meta-selinux,1/1] systemd: create backlight directory via tmpfiles for SELinux compliance |
I think this should go to the yocto-patches ML instead of this one, otherwise the relevant layer maintainers might miss this. On 12/22/25 12:15, Jaihind Yadav via lists.openembedded.org wrote: > Ideally, /var/lib/systemd/backlight should be created and labeled at > runtime, not at build time. The previous approach installed this > directory during image build, which can cause issues with features like > OSTree when SELinux is enabled. > > This change ships a tmpfiles configuration to ensure the directory is > created and labeled correctly during first boot, allowing SELinux > relabeling to work as intended. > > Reference: > Previous discussion and initial fix: > https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html > > Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com> > --- > recipes-core/systemd/systemd_selinux.inc | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc > index 7d466ee..f36519c 100644 > --- a/recipes-core/systemd/systemd_selinux.inc > +++ b/recipes-core/systemd/systemd_selinux.inc 
> @@ -1,7 +1,13 @@ > inherit enable-selinux enable-audit > > +# Ship tmpfiles config for backlight > +SYSTEMD_TMPFILES += "systemd-backlight.conf" > do_install:append() { > - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > - install -d ${D}${localstatedir}/lib/systemd/backlight > - fi > + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then > + install -d ${D}${sysconfdir}/tmpfiles.d > + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' > +d /var/lib/systemd/backlight 0755 root root - > +z /var/lib/systemd/backlight - - - - > +EOF > + fi > }
diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc index 7d466ee..f36519c 100644 --- a/recipes-core/systemd/systemd_selinux.inc +++ b/recipes-core/systemd/systemd_selinux.inc @@ -1,7 +1,13 @@ inherit enable-selinux enable-audit +# Ship tmpfiles config for backlight +SYSTEMD_TMPFILES += "systemd-backlight.conf" do_install:append() { - if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then - install -d ${D}${localstatedir}/lib/systemd/backlight - fi + if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + cat > ${D}${sysconfdir}/tmpfiles.d/systemd-backlight.conf <<'EOF' +d /var/lib/systemd/backlight 0755 root root - +z /var/lib/systemd/backlight - - - - +EOF + fi }
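Review bot: `SYSTEMD_TMPFILES += "systemd-backlight.conf"` at the top of the hunk is set unconditionally, but the file it names is only written inside the `PACKAGECONFIG` 'backlight' branch of `do_install:append()`, so with backlight disabled the variable refers to a file that is never installed. Guard the assignment with the same `bb.utils.contains` check, or drop it if nothing in the layer consumes it (the visible lines do not show a consumer). The config is also written to `${sysconfdir}/tmpfiles.d`, which tmpfiles.d(5) reserves for local administrator overrides; entries shipped by a package belong under /usr/lib/tmpfiles.d (`${nonarch_libdir}/tmpfiles.d`). Finally, the heredoc hardcodes /var/lib where the removed lines used `${localstatedir}`, so the `d` and `z` entries will not follow a changed localstatedir.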
Ideally, /var/lib/systemd/backlight should be created and labeled at runtime, not at build time. The previous approach installed this directory during image build, which can cause issues with features like OSTree when SELinux is enabled.

This change ships a tmpfiles configuration to ensure the directory is created and labeled correctly during first boot, allowing SELinux relabeling to work as intended.

Reference:
Previous discussion and initial fix:
https://docs.yoctoproject.org/pipermail/yocto/2018-April/040854.html

Signed-off-by: Jaihind Yadav <jaihindy@qti.qualcomm.com>
---
 recipes-core/systemd/systemd_selinux.inc | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)