From 14163c3c0a4c30df3cada9f80578c69c98c0a72c Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Wed, 24 Jun 2015 16:45:10 -0700
Subject: [PATCH] Build selinux policy

Create an selinux policy at image build time - despite the -i flag, this won't attempt to install it into the running kernel.
---
 build_library/build_image_util.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index ff03d929d7..c277c59519 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -298,6 +298,11 @@ finish_image() {
 sudo fstrim "${root_fs_dir}/usr" || true
 fi
 
+ # Build the selinux policy
+ if [[ "$BOARD" = amd64* ]]; then
+ sudo chroot ${root_fs_dir} bash -c "cd /usr/share/selinux/mcs; semodule -i *.pp"
+ fi
+
 # Sign the kernels after /usr is in a consistent state
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
 sudo sbsign --key /usr/share/sb_keys/DB.key \
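Review bot: The added `semodule -i` line relies on the chroot environment, not on the command itself, to keep the policy out of the build host's kernel; the commit message says no install is attempted, but nothing on the line enforces it, and passing `-n` (no reload) would make that explicit. On the same line, `cd …; semodule` still runs semodule when the `cd` fails, and `${root_fs_dir}` is unquoted although the `fstrim` line just above quotes it. I would write it as `sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -n -i *.pp"`. Whether a failed policy build aborts the image build depends on shell options set outside this hunk, since finish_image begins and ends beyond the visible lines; if it does not abort, an image could ship without its policy built, so an explicit failure check is worth considering.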