
99-selinux-fixfiles-restore 4.5KB

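#!/bin/bash
#
# Relabel the image tree under ${TARGET_ROOT} with the image's *own*
# SELinux file_contexts, by running the image's setfiles binary inside a
# chroot of the image, once per mountpoint listed in DIB_MOUNTPOINTS.
#
# Required environment:
#   TARGET_ROOT     - path to the image root on the host
#   DIB_MOUNTPOINTS - '|'-separated list of mountpoints inside the image
#   DISTRO_NAME, DIB_RELEASE - decide whether setfiles is given -m
# Optional:
#   DIB_DEBUG_TRACE - trace execution (set -x) when > 0; defaults to 1
#
# Exit status: 0 when relabeling succeeded or the chroot carries no
# targeted policy; 1 when setfiles is missing from the chroot or the
# host lacks audit support needed to run under setfiles_mac_t.
if [[ ${DIB_DEBUG_TRACE:-1} -gt 0 ]]; then
  set -x
fi
set -eu
set -o pipefail

# parser isn't smart enough to figure out \
# dib-lint: disable=safe_sudo

# Here be dragons ... a previous dragon slayer helpfully pointed out in
# http://www.spinics.net/lists/selinux/msg17379.html
#
# Not all of the contexts defined by the offline system's
# file_contexts may be valid under the policy of the host on which
# you are running (e.g. if they run different distributions or even
# different releases of the same distribution), which will normally
# prevent setting those contexts (the kernel won't recognize them).
# If you have this issue, you'll need to run setfiles as root in a
# special domain, setfiles_mac_t, that is allowed to set contexts
# unknown to the host policy, and likely chrooted so that it doesn't
# ask the kernel whether the contexts are valid via
# /sys/fs/selinux/context. That is how livecd-creator supported
# creating images for other releases.
#
# One issue you might see without fixing selinux file labels is sshd
# will run in the kernel_t domain instead of the sshd_t domain, making
# ssh connections fail with "Unable to get valid context for <user>"
# error message. Other failures will occur too.
#
# XXX: is it really valid to build rpm-distros without this?
if [[ ! -f "${TARGET_ROOT}/etc/selinux/targeted/contexts/files/file_contexts" ]]; then
  echo "No selinux policy found in chroot, skipping..."
  exit 0
fi
if [[ ! -x "${TARGET_ROOT}/usr/sbin/setfiles" ]]; then
  echo "Can not find setfiles in chroot!"
  exit 1
fi

# If we're on a selinux system, enable permissive mode for
# setfiles_mac_t so we can relabel within the chroot without concern
# for whatever policy is in the host kernel. We will run under
# "runcon" to specifically allow this.
#
# NOTE: "semanage permissive -a" is a change to the *host* policy that
# persists beyond this run; nothing here reverts it (there is no
# matching "semanage permissive -d"), so setfiles_mac_t stays permissive
# on the build host after the image is finished.
#
# _runcon is a plain string that is deliberately left unquoted where it
# is used, so that it word-splits into the runcon argv (or into nothing
# when the host is not running SELinux).
_runcon=""
if [[ -d /sys/fs/selinux ]] && selinuxenabled; then
  sudo semanage permissive -a setfiles_mac_t
  _runcon="runcon -t setfiles_mac_t --"
fi

# Running setfiles under setfiles_mac_t needs the host's audit
# subsystem; kauditd is only present when auditing is enabled in the
# host kernel. This is a property of the host, not of a mountpoint, so
# it is checked once before any relabeling starts.
if [[ -n "${_runcon}" ]] && ! pgrep kauditd >/dev/null; then
  echo "*** SELinux enabled and kauditd not found, suggesting auditing support is disabled in the host kernel. setfiles will fail without this, please enable and rebuild"
  exit 1
fi

# Options passed to setfiles inside the chroot. -F forces relabeling
# even when the existing label looks valid.
#
# setfiles in > Fedora 26 added the -m flag:
# do not read /proc/mounts to obtain a list of
# non-seclabel mounts to be excluded from relabeling
# checks. Setting this option is useful where there is
# a non-seclabel fs mounted with a seclabel fs
# this describes our situation of being on a loopback device on
# an ubuntu system, say. See also
# https://bugzilla.redhat.com/show_bug.cgi?id=1472709
#
# NOTE(review): the -ge test assumes DIB_RELEASE is numeric; a
# non-numeric value makes the test false (no -m) — confirm that is the
# intended outcome for such releases.
setfiles_opts=(-F)
if [[ $DISTRO_NAME == "fedora" && $DIB_RELEASE -ge 26 ]]; then
  setfiles_opts+=(-m)
fi

#######################################
# Run the image's setfiles on one mountpoint, chrooted into the image.
# Globals:   _runcon (read), setfiles_opts (read)
# Arguments: $1 - host path to chroot into
#            $2 - mountpoint, relative to the chroot, to relabel
# Returns:   the exit status of setfiles (aborts the script under set -e)
#######################################
run_setfiles() {
  local root=$1
  local mountpoint=$2
  # shellcheck disable=SC2086 -- _runcon is intentionally word-split
  sudo ${_runcon} chroot "${root}" \
    /usr/sbin/setfiles "${setfiles_opts[@]}" \
    /etc/selinux/targeted/contexts/files/file_contexts "${mountpoint}"
}

# Host path of the temporary bind mount used while relabeling "/";
# empty when none is active. Without the EXIT trap, a setfiles failure
# under set -e would leave the whole image root bind-mounted under a
# mktemp directory on the host, with no one to unmount it.
_tmp_bind_mount=""

#######################################
# Tear down a bind mount left behind by an error exit (best effort).
# Globals:   _tmp_bind_mount (read, then cleared)
# Returns:   0 always; a cleanup failure must not mask the real error
#######################################
cleanup_bind_mount() {
  local dir=${_tmp_bind_mount:-}
  [[ -n "${dir}" ]] || return 0
  _tmp_bind_mount=""
  sudo umount "${dir}" || true
  sudo rmdir -- "${dir}" || true
}
trap cleanup_bind_mount EXIT

IFS='|' read -ra split_mounts <<< "$DIB_MOUNTPOINTS"
for mountpoint in "${split_mounts[@]}"; do
  # Mounts that belong to the build host rather than the image.
  case "${mountpoint}" in
    /tmp/in_target.d|/dev|/boot/efi) continue ;;
  esac

  if [[ ${mountpoint} == "/" ]]; then
    # If you don't label /dev, /proc and /sys (the actual,
    # on-disk directory in the image) correctly, it will have
    # bad effects when things like systemd try to do things
    # like make network or process namespaces. This generally
    # leads to obscure and hard-to-debug failures; [1] has
    # plenty of examples.
    #
    # But right now, /{dev,proc,sys} are mounted! With the
    # extant block-device code, we do not have a point to
    # break in when these are unmounted, but before we've
    # unmounted everything. So we do a hack; for the root
    # directory, we bind mount the target so we see the
    # underlying directories, and then run setfiles on that.
    #
    # XXX: we might be able to unconditionally do this for all
    # mountpoints? leaving well enough alone for now...
    #
    # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1663040
    _tmp_bind_mount=$(mktemp -d)
    sudo mount --bind "${TARGET_ROOT}" "${_tmp_bind_mount}"
    run_setfiles "${_tmp_bind_mount}" /
    # Normal path: an unmount failure here is a real error and must
    # abort the build (set -e), so no best-effort handling.
    sudo umount "${_tmp_bind_mount}"
    sudo rmdir -- "${_tmp_bind_mount}"
    _tmp_bind_mount=""
  else
    run_setfiles "${TARGET_ROOT}" "${mountpoint}"
  fi
done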