diff --git a/diskimage_builder/block_device/blockdevice.py b/diskimage_builder/block_device/blockdevice.py index 9ff49182..4d10bb92 100644 --- a/diskimage_builder/block_device/blockdevice.py +++ b/diskimage_builder/block_device/blockdevice.py @@ -298,7 +298,10 @@ class BlockDevice(object): return 0 if symbol == 'mount-points': mount_points = self._config_get_all_mount_points() - print("%s" % " ".join(mount_points)) + # we return the mountpoints joined by a pipe, because it is not + # a valid char in directories, so it is a safe separator for the + # mountpoints list + print("%s" % "|".join(mount_points)) return 0 if symbol == 'image-block-partition': # If there is no partition needed, pass back directly the diff --git a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore index 84ff7e58..0598d63e 100755 --- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore +++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore @@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then fi set -eu set -o pipefail + SETFILES=$(which setfiles || true) if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then - # Without fixing selinux file labels, sshd will run in the kernel_t domain - # instead of the sshd_t domain, making ssh connections fail with - # "Unable to get valid context for " error message - setfiles /etc/selinux/targeted/contexts/files/file_contexts / + # get all mounpoints in the system + IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS" + for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do + # Without fixing selinux file labels, sshd will run in the kernel_t domain + # instead of the sshd_t domain, making ssh connections fail with + # "Unable to get valid context for " error message + if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then + $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT} + fi + done else echo "Skipping SELinux relabel, since setfiles is not available." echo "Touching /.autorelabel to schedule a relabel when the image boots." touch /.autorelabel fi + diff --git a/diskimage_builder/lib/disk-image-create b/diskimage_builder/lib/disk-image-create index 3b76af66..88c64ed3 100644 --- a/diskimage_builder/lib/disk-image-create +++ b/diskimage_builder/lib/disk-image-create @@ -290,6 +290,10 @@ export DIB_ROOT_LABEL DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype) export DIB_ROOT_FSTYPE +# retrieve mount points so we can reuse in elements +DIB_MOUNTPOINTS=$(dib-block-device getval mount-points) +export DIB_MOUNTPOINTS + create_base # This variable needs to be propagated into the chroot mkdir -p $TMP_HOOKS_PATH/environment.d