Merge "Apply setfiles on all mountpoints"
commit
1c0a5d995a
@ -298,7 +298,10 @@ class BlockDevice(object):
return 0
return 0
if symbol == 'mount-points':
if symbol == 'mount-points':
mount_points = self._config_get_all_mount_points()
mount_points = self._config_get_all_mount_points()
print("%s" % " ".join(mount_points))
# we return the mountpoints joined by a pipe, because it is not
# a valid char in directories, so it is a safe separator for the
# mountpoints list
print("%s" % "|".join(mount_points))
return 0
return 0
if symbol == 'image-block-partition':
if symbol == 'image-block-partition':
# If there is no partition needed, pass back directly the
# If there is no partition needed, pass back directly the
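Review bot: The new comment above `print("%s" % "|".join(mount_points))` claims `|` is not a valid character in directory names, but on Linux the only bytes a path component cannot contain are `/` and NUL, so a mount point that does contain `|` would be split apart by whoever consumes this value. The separator is still a reasonable choice for the mount points the block-device layer configures itself, so the comment should state why it is safe rather than that it is impossible: `# join with "|" rather than a space: a space can legitimately appear in a path, while "|" is legal but not expected in any mount point dib configures`. The method in which `symbol` is dispatched starts outside the hunk.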
@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
fi
fi
set -eu
set -eu
set -o pipefail
set -o pipefail
SETFILES=$(which setfiles || true)
SETFILES=$(which setfiles || true)
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
# Without fixing selinux file labels, sshd will run in the kernel_t domain
# get all mounpoints in the system
# instead of the sshd_t domain, making ssh connections fail with
IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
# "Unable to get valid context for <user>" error message
for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
# Without fixing selinux file labels, sshd will run in the kernel_t domain
# instead of the sshd_t domain, making ssh connections fail with
# "Unable to get valid context for <user>" error message
if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
$SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
fi
done
else
else
echo "Skipping SELinux relabel, since setfiles is not available."
echo "Skipping SELinux relabel, since setfiles is not available."
echo "Touching /.autorelabel to schedule a relabel when the image boots."
echo "Touching /.autorelabel to schedule a relabel when the image boots."
touch /.autorelabel
touch /.autorelabel
fi
fi
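Review bot: `${MOUNTPOINT}` is unquoted on the new `$SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}` line, so a mount point containing whitespace or glob characters would be word-split or expanded before it reaches setfiles; it should read `$SETFILES /etc/selinux/targeted/contexts/files/file_contexts "${MOUNTPOINT}"`. With `set -eu` in force, an empty or unset `DIB_MOUNTPOINTS` leaves `SPLIT_MOUNTS` empty, and expanding `"${SPLIT_MOUNTS[@]}"` on an empty array is an unbound-variable error on bash older than 4.4, which would abort the relabel that the removed line performed unconditionally on `/`; a guard such as `: "${DIB_MOUNTPOINTS:?mount point list must be exported by the caller}"` before the `read` would make that dependency explicit and fail with a clear message. The comment `# get all mounpoints in the system` has a typo and describes a system query rather than what the line does; `# split the "|"-separated mount point list exported by the caller` would be accurate.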
@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
export DIB_ROOT_FSTYPE
export DIB_ROOT_FSTYPE
# retrieve mount points so we can reuse in elements
DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
export DIB_MOUNTPOINTS
create_base
create_base
# This variable needs to be propagated into the chroot
# This variable needs to be propagated into the chroot
mkdir -p $TMP_HOOKS_PATH/environment.d
mkdir -p $TMP_HOOKS_PATH/environment.d
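Review bot: The new `DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)` line exports a value whose format is only documented on the producing side, so a reader of this script or of an element that consumes the variable cannot tell how to split it; the comment above it should carry that detail: `# retrieve mount points ("|"-separated, as emitted by dib-block-device getval mount-points) so elements can reuse them`. Because the assignment wraps a command substitution, a failing `dib-block-device` aborts the script if `set -e` is active at this point, which is presumably intended and matches the `DIB_ROOT_FSTYPE` line above. The surrounding script body continues outside the hunk.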