sig_cloud/diskimage-builder
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rpm-distro: ensure we selinux relabel underlying directories

Browse Source 
As described inline, we need to ensure the underlying directories in
the image are correctly labeled, or we get all manner of services
failing during boot with selinux in enforcing mode.  Although the
problem is generic, this first shows up in Fedora 30 as systemd has
become more strict about namespace failures (I think) [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1663040#c22

Change-Id: I52c1cc719884879169b606b00651aa26f5b783f1
This commit is contained in:
Ian Wienand 2019-08-16 15:40:39 +10:00
parent efa3f3675a
commit f23318d579
1 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
View File

@ -70,9 +70,38 @@ for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
echo "*** SELinux enabled and kauditd not found, suggesting auditing support is disabled in the host kernel. setfiles will fail without this, please enable and rebuild" echo "*** SELinux enabled and kauditd not found, suggesting auditing support is disabled in the host kernel. setfiles will fail without this, please enable and rebuild"
exit 1 exit 1
fi fi
sudo ${_runcon} chroot ${TARGET_ROOT} \
/usr/sbin/setfiles -F ${_dash_m} \ if [[ ${MOUNTPOINT} == "/" ]]; then
/etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT} # If you don't label /dev, /proc and /sys (the actual,
# on-disk directory in the image) correctly, it will have
# bad effects when things like systemd try to do things
# like make network or process namespaces. This generally
# leads to obscure and hard-to-debug failures; [1] has
# plenty of examples.
#
# But right now, /{dev,proc,sys} are mounted! With the
# extant block-device code, we do not have a point to
# break in when these are unmounted, but before we've
# unmounted everything. So we do a hack; for the root
# directory, we bind mount the target so we see the
# underlying directories, and then run setfiles on that.
#
# XXX: we might be able to uncondtionally do this for all
# mountpoints? leaving well enough alone for now...
#
# [1] https://bugzilla.redhat.com/show_bug.cgi?id=1663040
TMP_BIND_MOUNT=$(mktemp -d)
sudo mount --bind ${TARGET_ROOT} ${TMP_BIND_MOUNT}
sudo ${_runcon} chroot ${TMP_BIND_MOUNT} \
/usr/sbin/setfiles -F ${_dash_m} \
/etc/selinux/targeted/contexts/files/file_contexts /
sudo umount ${TMP_BIND_MOUNT}
sudo rmdir ${TMP_BIND_MOUNT}
else
sudo ${_runcon} chroot ${TARGET_ROOT} \
/usr/sbin/setfiles -F ${_dash_m} \
/etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
fi
fi fi
done done