Merge "Apply setfiles on all mountpoints"

2017-05-16 08:10:25 +00:00 · 2017-05-16 08:10:25 +00:00 · 1c0a5d995a
commit 1c0a5d995a
parent 72117965df 6d0b9abc0f
3 changed files with 20 additions and 5 deletions
--- a/diskimage_builder/block_device/blockdevice.py
+++ b/diskimage_builder/block_device/blockdevice.py
@ -298,7 +298,10 @@ class BlockDevice(object):
            return 0
        if symbol == 'mount-points':
            mount_points = self._config_get_all_mount_points()
-            print("%s" % " ".join(mount_points))
+            # we return the mountpoints joined by a pipe, because it is not
+            # a valid char in directories, so it is a safe separator for the
+            # mountpoints list
+            print("%s" % "|".join(mount_points))
            return 0
        if symbol == 'image-block-partition':
            # If there is no partition needed, pass back directly the
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
 fi
 set -eu
 set -o pipefail
+
 SETFILES=$(which setfiles || true)
 if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
+    # get all mounpoints in the system
+    IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
+    for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
        # Without fixing selinux file labels, sshd will run in the kernel_t domain
        # instead of the sshd_t domain, making ssh connections fail with
        # "Unable to get valid context for <user>" error message
-    setfiles /etc/selinux/targeted/contexts/files/file_contexts /
+        if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
+            $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+        fi
+    done
 else
    echo "Skipping SELinux relabel, since setfiles is not available."
    echo "Touching /.autorelabel to schedule a relabel when the image boots."
    touch /.autorelabel
 fi
+
--- a/diskimage_builder/lib/disk-image-create
+++ b/diskimage_builder/lib/disk-image-create
@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
 DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
 export DIB_ROOT_FSTYPE

+# retrieve mount points so we can reuse in elements
+DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
+export DIB_MOUNTPOINTS
+
 create_base
 # This variable needs to be propagated into the chroot
 mkdir -p $TMP_HOOKS_PATH/environment.d