From 7ffe6856d61e79498da5892d687b2085b561529a Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Wed, 19 Jul 2017 18:48:14 +1000
Subject: [PATCH] Add -m flag to setfiles for Fedora 26

As described in the comment and associated bugzilla, the behaviour of setfiles has changed in Fedora 26 to require "-m" situations where labeled file-systems are mounted below non-labeled file-systems. Our loopback/chroot system appears to trigger this nicely, leading to a setfiles call that does nothing without this.

Change-Id: I276c6f6a4fb44f4bea5004f6b4214f94757728ae
Signed-off-by: Paul Belanger
---
 .../finalise.d/90-selinux-fixfiles-restore | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
index 9abdda0b..ebe6ddfa 100755
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
@@ -15,7 +15,19 @@ if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]
 # instead of the sshd_t domain, making ssh connections fail with
 # "Unable to get valid context for " error message
 if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
- $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+ # setfiles in > Fedora 26 added this flag:
+ # do not read /proc/mounts to obtain a list of
+ # non-seclabel mounts to be excluded from relabeling
+ # checks. Setting this option is useful where there is
+ # a non-seclabel fs mounted with a seclabel fs
+ # this describes our situation of being on a loopback device on
+ # an ubuntu system, say. See also
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1472709
+ _dash_m=""
+ if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
+ _dash_m+="-m"
+ fi
+ $SETFILES ${_dash_m} /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
 fi
 done
 else
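Review bot: The `-m` gate keys on `$DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26`, but this script lives in the shared rpm-distro element, so any other RPM target that ships the same newer setfiles (CentOS/RHEL are not visible here, so this is inferred) keeps the old invocation and hits exactly the silent no-op relabel the commit message describes — and a mislabeled image is a security regression, since the comment just above notes sshd then runs outside sshd_t. Note also that inside `[[ ]]` a non-numeric `$DIB_RELEASE` (a rawhide build, say) is evaluated arithmetically and compares as 0 rather than erroring, so it too silently misses `-m`. Feature-detecting the flag would be more robust than version-gating, e.g. `if "${SETFILES}" -h 2>&1 | grep -q -- '-m'; then _dash_m="-m"; fi` (confirm the exact probe against setfiles' usage output), possibly paired with a post-relabel check that a known path carries a label so a no-op run fails the build instead of passing. Minor style: `_dash_m+="-m"` on a string that is always empty at that point is just `_dash_m="-m"`, and `${MOUNTPOINT}` on the `$SETFILES` line remains unquoted. The enclosing `if`/`for` blocks start outside the hunk.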