f6ba2aeaf4
Using set -e in all of our scripts will prevent some subtle bugs from slipping in, and will allow us to enforce use of set -e with tooling. This change also adds -u and set -o pipefail in the less complex scripts where it is unlikely to cause problems. A follow-up change will enable those options in the complex scripts so that if it breaks something it can be reverted easily. Change-Id: I0ad358ccb98da7277a0ee2e9ce8fda98438675eb
23 lines
781 B
Bash
Executable File
23 lines
781 B
Bash
Executable File
#!/bin/bash
|
|
|
|
set -eux
|
|
set -o pipefail
|
|
|
|
CONFIGURED_SELINUX=$(grep ^SELINUX= /etc/selinux/config | awk -F = '{print $2}')
|
|
|
|
if [ "$CONFIGURED_SELINUX" == "enforcing" ]; then
|
|
# Without fixing selinux file labels, sshd will run in the kernel_t domain
|
|
# instead of the sshd_t domain, making ssh connections fail with
|
|
# "Unable to get valid context for <user>" error message
|
|
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
|
|
FIXFILES_LOG=$(mktemp)
|
|
fixfiles -l $FIXFILES_LOG restore
|
|
cat $FIXFILES_LOG
|
|
rm $FIXFILES_LOG
|
|
else
|
|
echo "Skipping SELinux relabel, since it is not Enforcing."
|
|
echo "To relabel once the image is running, use:"
|
|
echo "setfiles /etc/selinux/targeted/contexts/files/file_contexts /"
|
|
echo "fixfiles restore"
|
|
fi
|