7ffe6856d6
As described in the comment and associated bugzilla, the behaviour of setfiles has changed in Fedora 26 to require "-m" situations where labeled file-systems are mounted below non-labeled file-systems. Our loopback/chroot system appears to trigger this nicely, leading to a setfiles call that does nothing without this. Change-Id: I276c6f6a4fb44f4bea5004f6b4214f94757728ae Signed-off-by: Paul Belanger <pabelanger@redhat.com>
39 lines
1.6 KiB
Bash
Executable File
39 lines
1.6 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
SETFILES=$(type -p setfiles || true)
|
|
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
|
|
# get all mounpoints in the system
|
|
IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
|
|
for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
|
|
# Without fixing selinux file labels, sshd will run in the kernel_t domain
|
|
# instead of the sshd_t domain, making ssh connections fail with
|
|
# "Unable to get valid context for <user>" error message
|
|
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
|
|
# setfiles in > Fedora 26 added this flag:
|
|
# do not read /proc/mounts to obtain a list of
|
|
# non-seclabel mounts to be excluded from relabeling
|
|
# checks. Setting this option is useful where there is
|
|
# a non-seclabel fs mounted with a seclabel fs
|
|
# this describes our situation of being on a loopback device on
|
|
# an ubuntu system, say. See also
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1472709
|
|
_dash_m=""
|
|
if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
|
|
_dash_m+="-m"
|
|
fi
|
|
$SETFILES ${_dash_m} /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
|
|
fi
|
|
done
|
|
else
|
|
echo "Skipping SELinux relabel, since setfiles is not available."
|
|
echo "Touching /.autorelabel to schedule a relabel when the image boots."
|
|
touch /.autorelabel
|
|
fi
|
|
|