From 2938a46726efeb31b1dada241068efe3fdcfb44e Mon Sep 17 00:00:00 2001
From: David Michael
Date: Sun, 24 Sep 2017 22:43:07 -0700
Subject: [PATCH] build_library: Use qemu-aarch64-static to install SELinux modules

This also moves the SELinux policy build step before the fstrim for maximum compressibility.
---
 build_library/build_image_util.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index ccf24bd749..2b01fbf6b9 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -508,6 +508,13 @@ EOF
 
  write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"
 
+ # Build the selinux policy
+ if pkg_use_enabled coreos-base/coreos selinux; then
+ setup_qemu_static "${root_fs_dir}"
+ sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+ clean_qemu_static "${root_fs_dir}"
+ fi
+
  # Zero all fs free space to make it more compressible so auto-update
  # payloads become smaller, not fatal since it won't work on linux < 3.2
  sudo fstrim "${root_fs_dir}" || true
@@ -515,11 +522,6 @@ EOF
  sudo fstrim "${root_fs_dir}/usr" || true
  fi
 
- # Build the selinux policy
- if pkg_use_enabled coreos-base/coreos selinux; then
- sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
- fi
-
  # Make the filesystem un-mountable as read-write and setup verity.
  if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
  # Unmount /usr partition
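Review bot: In the added SELinux block of the first hunk, `clean_qemu_static "${root_fs_dir}"` is reached only when the `sudo chroot` line before it returns successfully, so the emulator cleanup and the policy install share one unchecked failure path. If the script runs with errexit (its shell options are outside the hunk), a failing `semodule` stops the build with whatever `setup_qemu_static` placed in `${root_fs_dir}` still inside the image root. Without errexit, the failure is ignored and the image is finished without its policy modules loaded. I would capture the status with `rc=0` and `sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp" || rc=$?`, call `clean_qemu_static` unconditionally, and then fail the build explicitly when `rc` is non-zero. The enclosing function starts and ends outside the hunk, so a cleanup trap may already exist there; if it does, a one-line comment here saying so would help.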