Apply setfiles on all mountpoints

With the new block device definition, where the content of the image
can be mounted on different partitions, it is not enough to execute
setfiles on the root directory. Instead, expose all the mountpoints
of the image and apply setfiles on each of them.

Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44
This commit is contained in:
Yolanda Robla 2017-03-17 18:22:17 +01:00
parent e4e23897a1
commit 6d0b9abc0f
3 changed files with 20 additions and 5 deletions


@ -298,7 +298,10 @@ class BlockDevice(object):
return 0 return 0
if symbol == 'mount-points': if symbol == 'mount-points':
mount_points = self._config_get_all_mount_points() mount_points = self._config_get_all_mount_points()
print("%s" % " ".join(mount_points)) # we return the mountpoints joined by a pipe, because it is not
# a valid char in directories, so it is a safe separator for the
# mountpoints list
print("%s" % "|".join(mount_points))
return 0 return 0
if symbol == 'image-block-partition': if symbol == 'image-block-partition':
# If there is no partition needed, pass back directly the # If there is no partition needed, pass back directly the
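Review bot: The comment above the new `print` states that `|` is not a valid character in directories, but on Linux only `/` and NUL are forbidden in a path component, so a mount point that happens to contain a pipe would be split into two entries by every consumer that relies on this separator. Using `|` is still a sensible choice because the value travels through a shell environment variable, which cannot carry NUL, but the comment should describe the real guarantee and the code should enforce it, e.g. `# '|' separates the entries because the list is exported as an environment variable; it is not forbidden in paths, so a mount point containing it is rejected when the config is read`, backed by a check in the place where mount points are validated that raises the configuration error this module already uses. The enclosing method starts outside the hunk, so where that validation lives is not visible here.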


@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
fi fi
set -eu set -eu
set -o pipefail set -o pipefail
SETFILES=$(which setfiles || true) SETFILES=$(which setfiles || true)
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
# Without fixing selinux file labels, sshd will run in the kernel_t domain # get all mounpoints in the system
# instead of the sshd_t domain, making ssh connections fail with IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
# "Unable to get valid context for <user>" error message for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
setfiles /etc/selinux/targeted/contexts/files/file_contexts / # Without fixing selinux file labels, sshd will run in the kernel_t domain
# instead of the sshd_t domain, making ssh connections fail with
# "Unable to get valid context for <user>" error message
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
$SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
fi
done
else else
echo "Skipping SELinux relabel, since setfiles is not available." echo "Skipping SELinux relabel, since setfiles is not available."
echo "Touching /.autorelabel to schedule a relabel when the image boots." echo "Touching /.autorelabel to schedule a relabel when the image boots."
touch /.autorelabel touch /.autorelabel
fi fi
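Review bot: `${MOUNTPOINT}` on the `$SETFILES` line is unquoted, so a mount point containing whitespace or glob characters is word-split and globbed before setfiles sees it, unlike the other expansions in this script; it should read `$SETFILES /etc/selinux/targeted/contexts/files/file_contexts "${MOUNTPOINT}"`. The loop also changes the failure mode for an empty `DIB_MOUNTPOINTS`: the old code always relabelled `/`, whereas the new loop runs zero times and the script leaves the `if` branch with neither a relabel nor the `/.autorelabel` fallback, so either default the list (`IFS='|' read -ra SPLIT_MOUNTS <<< "${DIB_MOUNTPOINTS:-/}"`) or fail loudly with `: "${DIB_MOUNTPOINTS:?mount point list not exported}"`; note that with `set -u` an unset variable already aborts, so the silent case is only the empty string. The exclusion of `/tmp/in_target.d` and `/dev` also deserves a one-line comment stating why those two are skipped — presumably they are host bind-mounts rather than image content, but that is not visible from the hunk and should be confirmed.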


@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype) DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
export DIB_ROOT_FSTYPE export DIB_ROOT_FSTYPE
# retrieve mount points so we can reuse in elements
DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
export DIB_MOUNTPOINTS
create_base create_base
# This variable needs to be propagated into the chroot # This variable needs to be propagated into the chroot
mkdir -p $TMP_HOOKS_PATH/environment.d mkdir -p $TMP_HOOKS_PATH/environment.d
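Review bot: The comment on the new `DIB_MOUNTPOINTS` assignment does not mention the format of the value, yet every element that reads it has to split on `|`; since the export makes this part of the environment contract for elements, state it here: `# retrieve mount points ('|'-separated, see dib-block-device getval mount-points) so elements can reuse them`. That keeps the separator decision discoverable from the shell side rather than only from the Python side that produces the list.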