From e92398a31821b137704aa817343f7d723724d3b5 Mon Sep 17 00:00:00 2001
From: Victor Lowther
Date: Mon, 21 Jul 2014 08:31:55 -0500
Subject: [PATCH] Relabel filesystem if SELinux is available

Relabel the filesystem during image builds if SELinux is supported in the kernel of the build machine and userspace tools are available. Otherwise touch /.autorelabel to schedule a relabel the first time the image boots. We relabel when possible because it decreases first boot time.

Change-Id: I0bec885d6e5d4f4e1106f3bd2a90ba5f86395b07
Partial-Bug: 1347845
---
 .../finalise.d/11-selinux-fixfiles-restore | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore b/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
index d4cc74453..db5b6695a 100755
--- a/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
+++ b/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
@@ -3,16 +3,14 @@
 set -eux
 set -o pipefail
 
-CONFIGURED_SELINUX=$(grep ^SELINUX= /etc/selinux/config | awk -F = '{print $2}')
-
-if [ "$CONFIGURED_SELINUX" == "enforcing" ]; then
+if [ -d /sys/fs/selinux -a /etc/selinux/targeted/contexts/files/file_context\
+s -a -x /usr/sbin/setfiles ]; then
 # Without fixing selinux file labels, sshd will run in the kernel_t domain
 # instead of the sshd_t domain, making ssh connections fail with
 # "Unable to get valid context for " error message
 setfiles /etc/selinux/targeted/contexts/files/file_contexts /
 else
- echo "Skipping SELinux relabel, since it is not Enforcing."
- echo "To relabel once the image is running, use:"
- echo "setfiles /etc/selinux/targeted/contexts/files/file_contexts /"
- echo "fixfiles restore"
+ echo "Skipping SELinux relabel, since setfiles is not available."
+ echo "Touching /.autorelabel to schedule a relabel when the image boots."
+ touch /.autorelabel
 fi
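Review bot: In the new `if [ ... ]` condition the middle operand, the `file_contexts` path, has no test operator in front of it, so `[` only checks that the string is non-empty and that part is always true. If the policy file is missing while `/sys/fs/selinux` and `setfiles` are present, the script takes the relabel branch, `setfiles` presumably fails, and `set -e` aborts the build instead of falling back to `touch /.autorelabel`. I would split the test and give each operand an operator, which also avoids the ambiguous `-a` form: `if [ -d /sys/fs/selinux ] && [ -f /etc/selinux/targeted/contexts/files/file_contexts ] && [ -x /usr/sbin/setfiles ]; then`. The `else` message blames only `setfiles`, although that branch is also taken when `/sys/fs/selinux` is absent; naming the actual reason would make it easier to see why an image booted unlabelled.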