diskimage-builder/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
Jesse Keating 84d10dce57 Remove use of 'which'.
Instead, either use the bash built-in of type to ensure it exists. Since
which is an external dep, things can fail oddly in a constrained
environment.

Also add a dib-lint test for this.

Change-Id: I645029f5b5bfe1198c89ce10fd3246be8636e8af
Signed-off-by: Jesse Keating <omgjlk@us.ibm.com>
2017-05-19 12:43:36 -07:00

26 lines
961 B
Bash
Executable file

#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
SETFILES=$(type -p setfiles || true)
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
# get all mounpoints in the system
IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
# Without fixing selinux file labels, sshd will run in the kernel_t domain
# instead of the sshd_t domain, making ssh connections fail with
# "Unable to get valid context for <user>" error message
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
$SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
fi
done
else
echo "Skipping SELinux relabel, since setfiles is not available."
echo "Touching /.autorelabel to schedule a relabel when the image boots."
touch /.autorelabel
fi