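#!/bin/bash
#
# Fix SELinux file labels on the image being built.
#
# Runs setfiles over every mountpoint listed in DIB_MOUNTPOINTS using the
# target's file_contexts database.  Without fixing the labels, sshd runs in
# the kernel_t domain instead of the sshd_t domain and ssh connections fail
# with the "Unable to get valid context for " error message.  When setfiles
# is not available the relabel is deferred to first boot via /.autorelabel.
#
# Environment (read):
#   DIB_DEBUG_TRACE  trace commands with set -x when > 0 (default 1)
#   DIB_MOUNTPOINTS  '|'-separated list of mountpoints to relabel
#   DISTRO_NAME      distribution name ("fedora" enables the -m flag check)
#   DIB_RELEASE      distribution release, compared numerically against 26

if [[ ${DIB_DEBUG_TRACE:-1} -gt 0 ]]; then
    set -x
fi
set -eu
set -o pipefail

readonly FILE_CONTEXTS=/etc/selinux/targeted/contexts/files/file_contexts

# Mountpoints that are not part of the image's own filesystem and must never
# be relabeled.
readonly -a SKIP_MOUNTPOINTS=(/tmp/in_target.d /dev)

#######################################
# Decide whether a mountpoint is excluded from relabeling.
# Globals:   SKIP_MOUNTPOINTS (read)
# Arguments: $1 - mountpoint path
# Returns:   0 when the mountpoint must be skipped, 1 otherwise
#######################################
is_skipped_mountpoint() {
    local candidate=$1
    local skip
    for skip in "${SKIP_MOUNTPOINTS[@]}"; do
        if [[ "${candidate}" == "${skip}" ]]; then
            return 0
        fi
    done
    return 1
}

#######################################
# Relabel a single mountpoint with setfiles.
# Globals:   SETFILES, FILE_CONTEXTS, DISTRO_NAME, DIB_RELEASE (read)
# Arguments: $1 - mountpoint path (passed as one word, even with spaces)
# Returns:   exit status of setfiles
#######################################
relabel_mountpoint() {
    local mountpoint=$1
    # The fixed arguments come first so the array is never empty; an empty
    # "${args[@]}" trips set -u on older bash.
    local -a args=("${FILE_CONTEXTS}" "${mountpoint}")

    # setfiles in > Fedora 26 added this flag:
    #   do not read /proc/mounts to obtain a list of non-seclabel mounts
    #   to be excluded from relabeling checks.
    # Setting this option is useful where there is a non-seclabel fs mounted
    # with a seclabel fs; this describes our situation of being on a loopback
    # device on an ubuntu system, say.  See also
    # https://bugzilla.redhat.com/show_bug.cgi?id=1472709
    if [[ "${DISTRO_NAME}" == "fedora" && "${DIB_RELEASE}" -ge 26 ]]; then
        args=(-m "${args[@]}")
    fi

    "${SETFILES}" "${args[@]}"
}

#######################################
# Entry point: relabel all mountpoints, or schedule a relabel on first boot
# when setfiles / the file_contexts database are unavailable.
# Globals:   DIB_MOUNTPOINTS (read), SETFILES (written)
# Outputs:   status messages on stdout
#######################################
main() {
    local -a mountpoints=()
    local mountpoint

    SETFILES=$(type -p setfiles || true)
    readonly SETFILES

    if [[ ! -e "${FILE_CONTEXTS}" || ! -x "${SETFILES}" ]]; then
        printf '%s\n' "Skipping SELinux relabel, since setfiles is not available."
        printf '%s\n' "Touching /.autorelabel to schedule a relabel when the image boots."
        touch /.autorelabel
        return 0
    fi

    # DIB_MOUNTPOINTS is '|'-separated; split only on that character so
    # mountpoints containing whitespace survive intact.
    IFS='|' read -ra mountpoints <<< "${DIB_MOUNTPOINTS}"
    # Nothing to do for an empty list (also avoids the empty-array set -u
    # failure on older bash).
    (( ${#mountpoints[@]} > 0 )) || return 0

    for mountpoint in "${mountpoints[@]}"; do
        if is_skipped_mountpoint "${mountpoint}"; then
            continue
        fi
        relabel_mountpoint "${mountpoint}"
    done
}

main "$@"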