From 6d0b9abc0f100ebd5cd5b83836697e2d0fc3430b Mon Sep 17 00:00:00 2001
From: Yolanda Robla
Date: Fri, 17 Mar 2017 18:22:17 +0100
Subject: [PATCH] Apply setfiles on all mountpoints

With new block device definition, where content of the image can be mounted on different partitions, is not enough with executing setfiles on root directory. Instead of that, expose all the mountpoints on the image, and apply setfiles on them.

Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44
---
 diskimage_builder/block_device/blockdevice.py | 5 ++++-
 .../finalise.d/90-selinux-fixfiles-restore | 16 ++++++++++++----
 diskimage_builder/lib/disk-image-create | 4 ++++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/diskimage_builder/block_device/blockdevice.py b/diskimage_builder/block_device/blockdevice.py
index 9ff49182..4d10bb92 100644
--- a/diskimage_builder/block_device/blockdevice.py
+++ b/diskimage_builder/block_device/blockdevice.py
@@ -298,7 +298,10 @@ class BlockDevice(object):
 return 0
 if symbol == 'mount-points':
 mount_points = self._config_get_all_mount_points()
- print("%s" % " ".join(mount_points))
+ # we return the mountpoints joined by a pipe, because it is not
+ # a valid char in directories, so it is a safe separator for the
+ # mountpoints list
+ print("%s" % "|".join(mount_points))
 return 0
 if symbol == 'image-block-partition':
 # If there is no partition needed, pass back directly the
diff --git a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
index 84ff7e58..0598d63e 100755
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
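Review bot: The justification in the new comment is wrong: on Linux a directory name may contain any byte except `/` and NUL, so `|` is a perfectly legal path character, and the separator is only safe because the block-device configuration is expected never to use it in a mount path. Either say that honestly, e.g. `# mount points are joined with '|'; the block-device config must not use that character in a mount path`, or enforce it before printing: `if any('|' in mp for mp in mount_points): raise ValueError("mount point contains separator '|': %r" % (mount_points,))`. The consumer splits this output with `IFS='|' read -ra`, so a stray pipe would silently yield a wrong path to relabel instead of an error. The enclosing method starts before this hunk.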
@@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
 fi
 set -eu
 set -o pipefail
+
 SETFILES=$(which setfiles || true)
 if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
- # Without fixing selinux file labels, sshd will run in the kernel_t domain
- # instead of the sshd_t domain, making ssh connections fail with
- # "Unable to get valid context for " error message
- setfiles /etc/selinux/targeted/contexts/files/file_contexts /
+ # get all mounpoints in the system
+ IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
+ for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
+ # Without fixing selinux file labels, sshd will run in the kernel_t domain
+ # instead of the sshd_t domain, making ssh connections fail with
+ # "Unable to get valid context for " error message
+ if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
+ $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+ fi
+ done
 else
 echo "Skipping SELinux relabel, since setfiles is not available."
 echo "Touching /.autorelabel to schedule a relabel when the image boots."
 touch /.autorelabel
 fi
+
diff --git a/diskimage_builder/lib/disk-image-create b/diskimage_builder/lib/disk-image-create
index 3b76af66..88c64ed3 100644
--- a/diskimage_builder/lib/disk-image-create
+++ b/diskimage_builder/lib/disk-image-create
@@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
 DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
 export DIB_ROOT_FSTYPE
 
+# retrieve mount points so we can reuse in elements
+DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
+export DIB_MOUNTPOINTS
+
 create_base
 # This variable needs to be propagated into the chroot
 mkdir -p $TMP_HOOKS_PATH/environment.d
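Review bot: `${MOUNTPOINT}` is passed to setfiles unquoted on the `$SETFILES` line, so a mount path containing whitespace or glob characters is word-split and globbed before relabeling; it should be `"${MOUNTPOINT}"`, matching the quoting already used in the `if` test just above it. The loop also silently depends on `DIB_MOUNTPOINTS` being set and non-empty: with `set -eu` in force an unset value aborts the hook at `"$DIB_MOUNTPOINTS"`, an empty value aborts it at `"${SPLIT_MOUNTS[@]}"` on bash before 4.4, and where it does not abort nothing is relabeled and `/.autorelabel` is not touched either, so the image boots with mislabeled files and sshd in the wrong domain — exactly what the moved comment warns about. Falling back to the previous whole-root behaviour covers both cases: `IFS='|' read -ra SPLIT_MOUNTS <<< "${DIB_MOUNTPOINTS:-/}"`. The typo in `# get all mounpoints in the system` could be fixed in the same pass.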
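Review bot: The added comment should state the format contract consumers depend on, since the value is a `|`-separated list that 90-selinux-fixfiles-restore splits with `IFS='|'`; something like `# retrieve mount points as a '|'-separated list (dib-block-device getval mount-points) so elements can reuse them`. It is also worth confirming that the exported `DIB_MOUNTPOINTS` actually reaches hooks that run inside the chroot — the comment on the line after `create_base` suggests some variables need `environment.d` for that — because if it does not, the consumer's `set -u` will abort the finalise step rather than relabel anything.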