From c96ea14e822d224dfeaa2fbf5e5363e1383f9e26 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Tue, 19 Apr 2016 18:40:13 -0700 Subject: [PATCH] Use setfiles to restore unbound selinux policy We finalise the unbound install at run parts level 99, but the dib built in selinux restore runs at level 11 so we need to handle this directly for unbound. We switch from restorecon to setfiles because restorecon does not do the right thing in a chroot (it is chroot aware and essentially noops for us because we are in a chroot). Change-Id: I7af6a4925e191a7d1bc78fb2d66d9ce74b944a39 --- nodepool/elements/nodepool-base/finalise.d/99-unbound | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nodepool/elements/nodepool-base/finalise.d/99-unbound b/nodepool/elements/nodepool-base/finalise.d/99-unbound index e1c34c266e..659972a77c 100755 --- a/nodepool/elements/nodepool-base/finalise.d/99-unbound +++ b/nodepool/elements/nodepool-base/finalise.d/99-unbound @@ -35,8 +35,12 @@ chmod a+r /etc/unbound/forwarding.conf # If we have selinux install, restore default SELinux contents when ever # possible. Currently this only seems relevant for RHEL based DIBs. -if [ -x /sbin/restorecon ] ; then - restorecon -v /etc/unbound/forwarding.conf +SETFILES=$(which setfiles || true) +if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then + # Without fixing selinux file labels, sshd will run in the kernel_t domain + # instead of the sshd_t domain, making ssh connections fail with + # "Unable to get valid context for " error message + setfiles /etc/selinux/targeted/contexts/files/file_contexts /etc/unbound fi # Overwrite /etc/resolv.conf at boot
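Review bot: the new guard `if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]` relies on the non-portable `-a` test operator and on `which`, which is not guaranteed to exist in a minimal chroot; `SETFILES=$(command -v setfiles || true)` and `if [ -e /etc/selinux/targeted/contexts/files/file_contexts ] && [ -x "${SETFILES}" ]; then` behave the same under POSIX sh and fail closed when setfiles is missing. The policy path is hard-coded to the `targeted` store twice; if the element is ever built against a different SELINUXTYPE the block silently skips relabelling, so reading the type from /etc/selinux/config (or at least factoring the path into one variable) would make that failure visible. The added comment explains an sshd kernel_t vs sshd_t symptom, but the command only relabels /etc/unbound, so the comment should say how mislabelled unbound files lead to that sshd failure (or be moved next to whatever relabels the sshd-related paths), otherwise a later reader will take it for a leftover from elsewhere. Finally, the old call passed `-v` to restorecon and the new `setfiles` call drops it, so the relabel no longer shows up in the build log; `setfiles -v` would keep that diagnostic.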