Apply setfiles on all mountpoints

With new block device definition, where content of the image can be mounted on different partitions, is not enough with executing setfiles on root directory. Instead of that, expose all the mountpoints on the image, and apply setfiles on them. Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44
2017-03-17 18:22:17 +01:00 · 2017-03-17 18:22:17 +01:00 · 6d0b9abc0f
commit 6d0b9abc0f
parent e4e23897a1
3 changed files with 20 additions and 5 deletions
--- a/diskimage_builder/block_device/blockdevice.py
+++ b/diskimage_builder/block_device/blockdevice.py
@ -298,7 +298,10 @@ class BlockDevice(object):
            return 0
        if symbol == 'mount-points':
            mount_points = self._config_get_all_mount_points()
-            print("%s" % " ".join(mount_points))
+            # we return the mountpoints joined by a pipe, because it is not
+            # a valid char in directories, so it is a safe separator for the
+            # mountpoints list
+            print("%s" % "|".join(mount_points))
            return 0
        if symbol == 'image-block-partition':
            # If there is no partition needed, pass back directly the
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
 fi
 set -eu
 set -o pipefail
+
 SETFILES=$(which setfiles || true)
 if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
+    # get all mounpoints in the system
+    IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
+    for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
        # Without fixing selinux file labels, sshd will run in the kernel_t domain
        # instead of the sshd_t domain, making ssh connections fail with
        # "Unable to get valid context for <user>" error message
-    setfiles /etc/selinux/targeted/contexts/files/file_contexts /
+        if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
+            $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+        fi
+    done
 else
    echo "Skipping SELinux relabel, since setfiles is not available."
    echo "Touching /.autorelabel to schedule a relabel when the image boots."
    touch /.autorelabel
 fi
+
--- a/diskimage_builder/lib/disk-image-create
+++ b/diskimage_builder/lib/disk-image-create
@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
 DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
 export DIB_ROOT_FSTYPE

+# retrieve mount points so we can reuse in elements
+DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
+export DIB_MOUNTPOINTS
+
 create_base
 # This variable needs to be propagated into the chroot
 mkdir -p $TMP_HOOKS_PATH/environment.d