Merge "Apply setfiles on all mountpoints"

This commit is contained in:
Jenkins 2017-05-16 08:10:25 +00:00 committed by Gerrit Code Review
commit 1c0a5d995a
3 changed files with 20 additions and 5 deletions


@ -298,7 +298,10 @@ class BlockDevice(object):
return 0 return 0
if symbol == 'mount-points': if symbol == 'mount-points':
mount_points = self._config_get_all_mount_points() mount_points = self._config_get_all_mount_points()
print("%s" % " ".join(mount_points)) # we return the mountpoints joined by a pipe, because it is not
# a valid char in directories, so it is a safe separator for the
# mountpoints list
print("%s" % "|".join(mount_points))
return 0 return 0
if symbol == 'image-block-partition': if symbol == 'image-block-partition':
# If there is no partition needed, pass back directly the # If there is no partition needed, pass back directly the
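Review bot: The new `print("%s" % "|".join(mount_points))` relies on no mount point containing `|`, but the comment above it gives the wrong reason for that being safe: Linux path components may contain any byte except `/` and NUL, so `|` is a legal directory character, and a configured mount point containing it would be silently split by the consumer's `IFS='|' read` in this same commit. A one-line guard before the print makes the contract explicit, e.g. `if any('|' in m for m in mount_points): raise ValueError("mount point must not contain '|'")` (use whatever exception type this module raises for configuration errors), and the comment should describe the separator as a convention the configuration must honour rather than a filesystem restriction. The `"%s" %` wrapper is also redundant; `print("|".join(mount_points))` emits the same string. The enclosing method starts before this hunk.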


@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
fi fi
set -eu set -eu
set -o pipefail set -o pipefail
SETFILES=$(which setfiles || true) SETFILES=$(which setfiles || true)
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
# Without fixing selinux file labels, sshd will run in the kernel_t domain # get all mounpoints in the system
# instead of the sshd_t domain, making ssh connections fail with IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
# "Unable to get valid context for <user>" error message for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
setfiles /etc/selinux/targeted/contexts/files/file_contexts / # Without fixing selinux file labels, sshd will run in the kernel_t domain
# instead of the sshd_t domain, making ssh connections fail with
# "Unable to get valid context for <user>" error message
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
$SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
fi
done
else else
echo "Skipping SELinux relabel, since setfiles is not available." echo "Skipping SELinux relabel, since setfiles is not available."
echo "Touching /.autorelabel to schedule a relabel when the image boots." echo "Touching /.autorelabel to schedule a relabel when the image boots."
touch /.autorelabel touch /.autorelabel
fi fi
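Review bot: `${MOUNTPOINT}` on the `$SETFILES` line inside the new loop is unquoted, so a mount point containing whitespace or glob characters would be word-split into several arguments and setfiles would relabel the wrong paths or fail; the line should read `$SETFILES /etc/selinux/targeted/contexts/files/file_contexts "${MOUNTPOINT}"`. The loop also runs under the `set -eu` set a few lines above: if `DIB_MOUNTPOINTS` is exported empty, `"${SPLIT_MOUNTS[@]}"` on an empty array is an unbound-variable error on bash releases before 4.4, so if that can happen the read and loop should be preceded by a `[ -n "$DIB_MOUNTPOINTS" ]` guard. A short comment on the `if` that skips `/tmp/in_target.d` and `/dev` saying why those two are excluded would help the next reader; I assume they are build-time host mounts rather than image content, but the hunk does not say.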


@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype) DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
export DIB_ROOT_FSTYPE export DIB_ROOT_FSTYPE
# retrieve mount points so we can reuse in elements
DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
export DIB_MOUNTPOINTS
create_base create_base
# This variable needs to be propagated into the chroot # This variable needs to be propagated into the chroot
mkdir -p $TMP_HOOKS_PATH/environment.d mkdir -p $TMP_HOOKS_PATH/environment.d
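Review bot: The comment on the new `DIB_MOUNTPOINTS` assignment does not say what format the value has, yet any element that reuses it must know it is a single pipe-separated string (the setfiles hunk in this commit splits it with `IFS='|' read -ra`). I would extend it to `# retrieve mount points (a single '|'-separated string; see dib-block-device getval mount-points) so elements can reuse them`. The assignment and export follow the same pattern as `DIB_ROOT_FSTYPE` just above, so a failure of `dib-block-device` is handled the same way as for the existing variables; whether that aborts the build depends on the shell options set earlier in this file, which are outside the hunk.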