From 5aa4b7da2a435e08f1377806cb44eb1fa7090614 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Fri, 5 Sep 2025 15:55:28 +0200
Subject: [PATCH] build_library: Forbid SELinux policy packages in sysexts

Signed-off-by: Krzesimir Nowak
---
 build_library/prod_image_util.sh | 2 ++
 build_library/sysext_prod_builder | 1 +
 2 files changed, 3 insertions(+)

diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index b6d760fba2..d327a5096f 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -267,6 +267,7 @@ create_prod_sysexts() {
 --image_builddir="${BUILD_DIR}" \
 --install_root_basename="${name}-extra-sysext-rootfs" \
 ${mangle_script:+--manglefs_script=${mangle_script}} \
+ --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
 "${name}" "${pkg_array[@]}"
 delta_generator \
 -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
@@ -311,6 +312,7 @@ create_oem_sysexts() {
 --image_builddir="${BUILD_DIR}" \
 --metapkgs="${metapkg}" \
 --install_root_basename="${name}-oem-sysext-rootfs" \
+ --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
 --compression=none \
 ${mangle_script:+--manglefs_script="${mangle_script}"} \
 "${name}"
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
index 8e57080630..73363ce5ba 100755
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
@@ -73,6 +73,7 @@ create_prod_sysext() {
 --generate_pkginfo \
 --compression=none \
 --install_root_basename="${name}-base-sysext-rootfs" \
+ --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
 "${build_sysext_opts[@]}" \
 "${name}" "${grp_pkg[@]}"
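Review bot: The same `--forbidden_packages` literal — a regex plus a `;`-separated reason — is pasted verbatim into three call sites (this hunk in create_prod_sysexts, the create_oem_sysexts hunk at -311, and create_prod_sysext in sysext_prod_builder at -73), so a future change to the pattern or the wording can drift between the sysext flavours and silently leave one of them unguarded. I would hoist it into one shared readonly constant, e.g. `readonly SYSEXT_FORBIDDEN_SELINUX='sec-policy/selinux-.*;selinux policy packages must be in base image'`, and pass `--forbidden_packages="${SYSEXT_FORBIDDEN_SELINUX}"` at each site, placed wherever these two scripts already share definitions (not visible here). A short comment next to the constant should record the intent, since the reason string only says where the policy must live and not why: `# SELinux policy is loaded from the base image; shipping it in a sysext would let an extension alter the policy the base is verified with.` Note that the check only covers packages under the `sec-policy/selinux-` name prefix and depends on how build_sysext anchors and splits the value, which I cannot see from the hunk. All three enclosing functions start and end outside their hunks.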