6a1eb2457c
After a bit of spelunking, I90d0c96d5659326ba67d6119b96d9a4113adf7fe was the original change that introduced the setfiles here rather than autorelabel at boot time. Touching the autorelabel file probably makes sense somewhere low, but when we start relabeling the file system we really should be doing that as late as possible so we fix up everything that has come before. Move this to 90 to capture this. Change-Id: Iae0afe850f52ec3b59c49507fa9bbcc1c8f8cfa1
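#!/bin/bash
#
# Relabel the image filesystem with the SELinux "targeted" file contexts.
#
# Runs inside the image being built. When both setfiles and the targeted
# file_contexts database are present, everything under / is relabeled right
# now; otherwise /.autorelabel is created so the image relabels itself on
# first boot. Per the commit that moved this script, it is meant to run as
# late as possible: anything written to the image after it runs is not
# covered by this relabel.
#
# Environment:
#   DIB_DEBUG_TRACE  when greater than 0 (the default here is 1) the script
#                    runs under `set -x`, echoing every command to stderr.
#
# Exits non-zero if setfiles or touch fails, because `set -e` is in force.

if [[ ${DIB_DEBUG_TRACE:-1} -gt 0 ]]; then
    set -x
fi
set -eu
set -o pipefail

# Absolute path of setfiles, or the empty string when it is not on PATH.
# `|| true` keeps a failed lookup from aborting the script under `set -e`;
# the -x test below rejects the empty string.
SETFILES=$(command -v setfiles || true)
FILE_CONTEXTS=/etc/selinux/targeted/contexts/files/file_contexts

# NOTE(review): the "targeted" policy path is hard-coded; an image whose
# /etc/selinux/config selects a different SELINUXTYPE falls through to the
# autorelabel branch even though setfiles exists -- confirm that is intended.
if [[ -e "${FILE_CONTEXTS}" && -x "${SETFILES}" ]]; then
    # Without fixing selinux file labels, sshd will run in the kernel_t domain
    # instead of the sshd_t domain, making ssh connections fail with
    # "Unable to get valid context for <user>" error message
    "${SETFILES}" "${FILE_CONTEXTS}" /
else
    # Either setfiles or the contexts database is missing; the message names
    # both so a build log shows which prerequisite was absent.
    echo "Skipping SELinux relabel, since setfiles or ${FILE_CONTEXTS} is not available."
    echo "Touching /.autorelabel to schedule a relabel when the image boots."
    touch /.autorelabel
fi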