diskimage-builder/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore

#!/bin/bash

if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail

SETFILES=$(type -p setfiles || true)
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
    # get all mounpoints in the system
    IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
    for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
        # Without fixing selinux file labels, sshd will run in the kernel_t domain
        # instead of the sshd_t domain, making ssh connections fail with
        # "Unable to get valid context for <user>" error message
        if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
            # setfiles in > Fedora 26 added this flag:
            #   do not read /proc/mounts to obtain a list of
            #   non-seclabel mounts to be excluded from relabeling
            #   checks.  Setting this option is useful where there is
            #   a non-seclabel fs mounted with a seclabel fs
            # this describes our situation of being on a loopback device on
            # an ubuntu system, say.  See also
            #  https://bugzilla.redhat.com/show_bug.cgi?id=1472709
            _dash_m=""
            if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
                _dash_m+="-m"
            fi
            $SETFILES ${_dash_m} /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
        fi
    done
else
    echo "Skipping SELinux relabel, since setfiles is not available."
    echo "Touching /.autorelabel to schedule a relabel when the image boots."
    touch /.autorelabel
fi
Trigger SELinux autorelabel on first boot. This adds about 30 seconds to my local boot time. Fixes bug #1179730 Change-Id: I519bb9289236abd43f8eb784768dcab10e2e5754 2013-05-14 00:03:24 +00:00			`#!/bin/bash`

Standarise tracing for scripts There is a wide variety of tracing options through the various shell scripts. Some use "set -eux", others explicity set xtrace and others do nothing. There is a "-x" option to bin/disk-image-create but it doesn't flow down to the many scripts it calls. This adds a global integer variable set by disk-image-create DIB_DEBUG_TRACE. All scripts have a stanza added to detect this and turn on tracing. Any other tracing methods are rolled into this. So the standard header is --- if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then set -x fi set -eu set -o pipefail --- Multiple -x options can be specified to dib-create-image, which increases the value of DIB_DEBUG_TRACE. If script authors feel their script should only trace at higher levels, they should modify the "-gt" value. If they feel it should trace by default, they can modify the default value also. Changes to pachset 16 : scripts which currently trace themselves by default have retained this behaviour with DIB_DEBUG_TRACE defaulting to "1". This was done by running [1] on patch set 15. See the thread beginning at [2] dib-lint is also updated to look for the variable being matched. [1] https://gist.github.com/ianw/71bbda9e6acc74ccd0fd [2] http://lists.openstack.org/pipermail/openstack-dev/2014-November/051575.html Change-Id: I6c5a962260741dcf6f89da9a33b96372a719b7b0 2014-09-04 04:56:29 +00:00			`if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then`
			`set -x`
			`fi`
			`set -eu`
set -e all the things Using set -e in all of our scripts will prevent some subtle bugs from slipping in, and will allow us to enforce use of set -e with tooling. This change also adds -u and set -o pipefail in the less complex scripts where it is unlikely to cause problems. A follow-up change will enable those options in the complex scripts so that if it breaks something it can be reverted easily. Change-Id: I0ad358ccb98da7277a0ee2e9ce8fda98438675eb 2014-03-29 03:28:22 +00:00			`set -o pipefail`
Apply setfiles on all mountpoints With new block device definition, where content of the image can be mounted on different partitions, is not enough with executing setfiles on root directory. Instead of that, expose all the mountpoints on the image, and apply setfiles on them. Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44 2017-03-17 17:22:17 +00:00
Remove use of 'which'. Instead, either use the bash built-in of type to ensure it exists. Since which is an external dep, things can fail oddly in a constrained environment. Also add a dib-lint test for this. Change-Id: I645029f5b5bfe1198c89ce10fd3246be8636e8af Signed-off-by: Jesse Keating <omgjlk@us.ibm.com> 2017-05-18 18:09:32 +00:00			`SETFILES=$(type -p setfiles \|\| true)`
Use environment setfiles Hard coded path fails on Distros (such as el6) with setfiles bin in different places, for example, rhel6 has this in /sbin/setfiles Change-Id: I7aff9cdadd9aed9cfc806a1010acbf36b7b6d0e7 2015-04-16 18:47:19 +00:00			`if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then`
Apply setfiles on all mountpoints With new block device definition, where content of the image can be mounted on different partitions, is not enough with executing setfiles on root directory. Instead of that, expose all the mountpoints on the image, and apply setfiles on them. Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44 2017-03-17 17:22:17 +00:00			`# get all mounpoints in the system`
			`IFS='\|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"`
			`for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do`
			`# Without fixing selinux file labels, sshd will run in the kernel_t domain`
			`# instead of the sshd_t domain, making ssh connections fail with`
			`# "Unable to get valid context for <user>" error message`
			`if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then`
Add -m flag to setfiles for Fedora 26 As described in the comment and associated bugzilla, the behaviour of setfiles has changed in Fedora 26 to require "-m" situations where labeled file-systems are mounted below non-labeled file-systems. Our loopback/chroot system appears to trigger this nicely, leading to a setfiles call that does nothing without this. Change-Id: I276c6f6a4fb44f4bea5004f6b4214f94757728ae Signed-off-by: Paul Belanger <pabelanger@redhat.com> 2017-07-19 08:48:14 +00:00			`# setfiles in > Fedora 26 added this flag:`
			`# do not read /proc/mounts to obtain a list of`
			`# non-seclabel mounts to be excluded from relabeling`
			`# checks. Setting this option is useful where there is`
			`# a non-seclabel fs mounted with a seclabel fs`
			`# this describes our situation of being on a loopback device on`
			`# an ubuntu system, say. See also`
			`# https://bugzilla.redhat.com/show_bug.cgi?id=1472709`
			`_dash_m=""`
			`if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then`
			`_dash_m+="-m"`
			`fi`
			`$SETFILES ${_dash_m} /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}`
Apply setfiles on all mountpoints With new block device definition, where content of the image can be mounted on different partitions, is not enough with executing setfiles on root directory. Instead of that, expose all the mountpoints on the image, and apply setfiles on them. Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44 2017-03-17 17:22:17 +00:00			`fi`
			`done`
Skip relabel unless SELinux is enforcing The SELinux relabel of the filesystem is taking almost 2 minutes and isn't needed unless you actually plan to run with SELinux enforcing. Plus, it appears to "leak" out of the chroot, referencing filesystems on partitions that aren't even mounted in the chroot. Note you just can't use getenforce or selinuxenabled here to get the state of SELinux because those commands are not accurate inside a chroot. TBH, a downside of this is that if someone goes to try to enable SELinux in an image where it was built with it not enabled, the file contexts are going to be wrong. So they'd need to relabel themselves at that point. However, this saves me quite a bit of time during image builds, so I thought I'd submit to get other folks opinion on it. Change-Id: I2132060d573fc93cf974f3560fdc651ff8ba38b4 2014-01-23 12:21:58 +00:00			`else`
Relabel filesystem if SELinux is available Relabel the filesystem during image builds if SELinux is supported in the kernel of the build machine and userspace tools are available. Otherwise touch /.autorelabel to schedule a relabel the first time the image boots. We relabel when possible because it decreases first boot time. Change-Id: I0bec885d6e5d4f4e1106f3bd2a90ba5f86395b07 Partial-Bug: 1347845 2014-07-21 13:31:55 +00:00			`echo "Skipping SELinux relabel, since setfiles is not available."`
			`echo "Touching /.autorelabel to schedule a relabel when the image boots."`
			`touch /.autorelabel`
Skip relabel unless SELinux is enforcing The SELinux relabel of the filesystem is taking almost 2 minutes and isn't needed unless you actually plan to run with SELinux enforcing. Plus, it appears to "leak" out of the chroot, referencing filesystems on partitions that aren't even mounted in the chroot. Note you just can't use getenforce or selinuxenabled here to get the state of SELinux because those commands are not accurate inside a chroot. TBH, a downside of this is that if someone goes to try to enable SELinux in an image where it was built with it not enabled, the file contexts are going to be wrong. So they'd need to relabel themselves at that point. However, this saves me quite a bit of time during image builds, so I thought I'd submit to get other folks opinion on it. Change-Id: I2132060d573fc93cf974f3560fdc651ff8ba38b4 2014-01-23 12:21:58 +00:00			`fi`
Apply setfiles on all mountpoints With new block device definition, where content of the image can be mounted on different partitions, is not enough with executing setfiles on root directory. Instead of that, expose all the mountpoints on the image, and apply setfiles on them. Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44 2017-03-17 17:22:17 +00:00