6d0b9abc0f
With the new block device definition, where the content of the image can be mounted on different partitions, executing setfiles on the root directory alone is not enough. Instead, expose all the mountpoints of the image and apply setfiles to each of them. Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44
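#!/bin/bash
# Relabel every filesystem mounted into the image with the SELinux "targeted"
# file contexts. When relabelling cannot be done here, schedule a relabel for
# the first boot of the image instead.
#
# Environment:
#   DIB_DEBUG_TRACE  - command tracing is enabled when this is greater than 0
#                      (treated as 1 when unset or empty).
#   DIB_MOUNTPOINTS  - '|'-separated list of mountpoints to relabel. It must be
#                      set: the script runs under `set -u`, so an unset value
#                      aborts it.

if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail

FILE_CONTEXTS=/etc/selinux/targeted/contexts/files/file_contexts

# `command -v` is a shell builtin, so the lookup does not depend on the
# external `which` binary being installed. If `which` were missing, setfiles
# would look unavailable and the relabel would be skipped without an error.
SETFILES=$(command -v setfiles || true)

if [ -e "${FILE_CONTEXTS}" ] && [ -x "${SETFILES}" ]; then
    # Get all mountpoints in the system.
    IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
    for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
        # Without fixing selinux file labels, sshd will run in the kernel_t domain
        # instead of the sshd_t domain, making ssh connections fail with
        # "Unable to get valid context for <user>" error message
        #
        # NOTE(review): /tmp/in_target.d and /dev are presumably build-time or
        # virtual mounts rather than image content - confirm against the code
        # that populates DIB_MOUNTPOINTS.
        if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
            # Quoted so that a mountpoint containing whitespace or glob
            # characters is passed to setfiles as exactly one path instead of
            # being split or expanded into other paths. Under `set -e` a
            # failing setfiles aborts the script rather than continuing with a
            # partially labelled tree.
            "${SETFILES}" "${FILE_CONTEXTS}" "${MOUNTPOINT}"
        fi
    done
else
    # This branch is also taken when the file_contexts specification is
    # missing, not only when setfiles cannot be found. Labels are then only
    # corrected by the relabel scheduled for first boot.
    echo "Skipping SELinux relabel, since setfiles is not available."
    echo "Touching /.autorelabel to schedule a relabel when the image boots."
    touch /.autorelabel
fi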