Add -m flag to setfiles for Fedora 26
As described in the comment and associated bugzilla, the behaviour of setfiles has changed in Fedora 26 to require "-m" in situations where labeled file-systems are mounted below non-labeled file-systems. Our loopback/chroot system appears to trigger this nicely, leading to a setfiles call that does nothing without this.

Change-Id: I276c6f6a4fb44f4bea5004f6b4214f94757728ae
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
parent
6ffde2e596
commit
7ffe6856d6
@ -15,7 +15,19 @@ if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]
|
|||||||
# instead of the sshd_t domain, making ssh connections fail with
|
# instead of the sshd_t domain, making ssh connections fail with
|
||||||
# "Unable to get valid context for <user>" error message
|
# "Unable to get valid context for <user>" error message
|
||||||
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
|
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
|
||||||
$SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
|
# setfiles in > Fedora 26 added this flag:
|
||||||
|
# do not read /proc/mounts to obtain a list of
|
||||||
|
# non-seclabel mounts to be excluded from relabeling
|
||||||
|
# checks. Setting this option is useful where there is
|
||||||
|
# a non-seclabel fs mounted with a seclabel fs
|
||||||
|
# this describes our situation of being on a loopback device on
|
||||||
|
# an ubuntu system, say. See also
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1472709
|
||||||
|
_dash_m=""
|
||||||
|
if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
|
||||||
|
_dash_m+="-m"
|
||||||
|
fi
|
||||||
|
$SETFILES ${_dash_m} /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
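Review bot: The release test `$DIB_RELEASE -ge 26` inside `[[ ]]` is an arithmetic comparison, so a non-numeric release string on a Fedora build would be evaluated as a variable name and compare as 0 (or abort under `set -u`). In that case `-m` is silently dropped and the setfiles call goes back to doing nothing, which is the failure described in the commit message. Consider validating that the value is numeric before comparing, or failing loudly when it is not. The added comment also says "> Fedora 26" while the condition is `-ge 26`; make the two agree. Minor: `_dash_m+="-m"` can be a plain assignment, since the variable was set to empty two lines earlier.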