From ea257c96d9087e4a9007ce06a60f615e7f9fe66d Mon Sep 17 00:00:00 2001
From: James Slagle
Date: Thu, 23 Jan 2014 07:21:58 -0500
Subject: [PATCH] Skip relabel unless SELinux is enforcing
The SELinux relabel of the filesystem is taking almost 2 minutes and isn't needed unless you actually plan to run with SELinux enforcing. Plus, it appears to "leak" out of the chroot, referencing filesystems on partitions that aren't even mounted in the chroot. Note you just can't use getenforce or selinuxenabled here to get the state of SELinux because those commands are not accurate inside a chroot. TBH, a downside of this is that if someone goes to try to enable SELinux in an image where it was built with it not enabled, the file contexts are going to be wrong. So they'd need to relabel themselves at that point. However, this saves me quite a bit of time during image builds, so I thought I'd submit to get other folks opinion on it.
Change-Id: I2132060d573fc93cf974f3560fdc651ff8ba38b4
---
.../finalise.d/11-selinux-fixfiles-restore | 25 +++++++++++++------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore b/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
index c14ccdf48..6247f166b 100755
--- a/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
+++ b/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
@@ -2,11 +2,20 @@ set -x
-# Without fixing selinux file labels, sshd will run in the kernel_t domain
-# instead of the sshd_t domain, making ssh connections fail with
-# "Unable to get valid context for " error message
-setfiles /etc/selinux/targeted/contexts/files/file_contexts /
-FIXFILES_LOG=$(mktemp)
-fixfiles -l $FIXFILES_LOG restore
-cat $FIXFILES_LOG
-rm $FIXFILES_LOG
\ No newline at end of file
+CONFIGURED_SELINUX=$(grep ^SELINUX= /etc/selinux/config | awk -F = '{print $2}')
+
+if [ "$CONFIGURED_SELINUX" == "enforcing" ]; then
+    # Without fixing selinux file labels, sshd will run in the kernel_t domain
+    # instead of the sshd_t domain, making ssh connections fail with
+    # "Unable to get valid context for " error message
+    setfiles /etc/selinux/targeted/contexts/files/file_contexts /
+    FIXFILES_LOG=$(mktemp)
+    fixfiles -l $FIXFILES_LOG restore
+    cat $FIXFILES_LOG
+    rm $FIXFILES_LOG
+else
+    echo "Skipping SELinux relabel, since it is not Enforcing."
+    echo "To relabel once the image is running, use:"
+    echo "setfiles /etc/selinux/targeted/contexts/files/file_contexts /"
+    echo "fixfiles restore"
+fi
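Review bot: The guard on the new `if` line also skips the relabel for `SELINUX=permissive`, yet a permissive image needs correct file contexts just as much: with stale labels its audit log fills with label-related denials that mask real ones, and switching it to enforcing later reproduces the sshd kernel_t failure the comment inside the branch describes. Consider `if [ "$CONFIGURED_SELINUX" == "enforcing" ] || [ "$CONFIGURED_SELINUX" == "permissive" ]; then` so that only `disabled` (or an empty value) takes the skip path, and adjust the skip message to say "not enforcing or permissive". The `CONFIGURED_SELINUX` assignment also assumes `/etc/selinux/config` exists; only `set -x` is visible in the hunk, but if the script runs under `set -e -o pipefail` a missing file aborts the build rather than selecting the else branch, so a `[ -f /etc/selinux/config ]` check or `grep ^SELINUX= /etc/selinux/config 2>/dev/null || true` would make that intent explicit. The `$FIXFILES_LOG` expansions carried over into the branch remain unquoted; harmless for mktemp paths, but `"$FIXFILES_LOG"` keeps ShellCheck clean.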