From 0335db645b950087b0ec83530f7f2eb82dc8ed56 Mon Sep 17 00:00:00 2001
From: Sanne Raymaekers <sanne.raymaekers@gmail.com>
Date: Thu, 11 May 2023 20:39:31 +0200
Subject: [PATCH] internal/manifest: restorecon after registering

When the first boot service runs insights-client, /root/.gnupg gets
created with the wrong selinux context.
---
 internal/manifest/os.go      | 4 ++++
 internal/manifest/os_test.go | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/internal/manifest/os.go b/internal/manifest/os.go
index 953ae3c3b..c1e9ffbb5 100644
--- a/internal/manifest/os.go
+++ b/internal/manifest/os.go
@@ -499,12 +499,16 @@ func (p *OS) serialize() osbuild.Pipeline {
 		if p.Subscription.Rhc {
 			// Use rhc for registration instead of subscription manager
 			commands = []string{fmt.Sprintf("/usr/bin/rhc connect -o=%s -a=%s --server %s", p.Subscription.Organization, p.Subscription.ActivationKey, p.Subscription.ServerUrl)}
+			// insights-client creates the .gnupg directory during boot process, and is labeled incorrectly
+			commands = append(commands, "restorecon -R /root/.gnupg")
 		} else {
 			commands = []string{fmt.Sprintf("/usr/sbin/subscription-manager register --org=%s --activationkey=%s --serverurl %s --baseurl %s", p.Subscription.Organization, p.Subscription.ActivationKey, p.Subscription.ServerUrl, p.Subscription.BaseUrl)}
 
 			// Insights is optional when using subscription-manager
 			if p.Subscription.Insights {
 				commands = append(commands, "/usr/bin/insights-client --register")
+				// insights-client creates the .gnupg directory during boot process, and is labeled incorrectly
+				commands = append(commands, "restorecon -R /root/.gnupg")
 			}
 		}
 
diff --git a/internal/manifest/os_test.go b/internal/manifest/os_test.go
index f2843c795..08ab24853 100644
--- a/internal/manifest/os_test.go
+++ b/internal/manifest/os_test.go
@@ -94,6 +94,7 @@ func TestSubscriptionManagerInsightsCommands(t *testing.T) {
 	CheckFirstBootStageOptions(t, pipeline.Stages, []string{
 		"/usr/sbin/subscription-manager register --org=2040324 --activationkey=my-secret-key --serverurl subscription.rhsm.redhat.com --baseurl http://cdn.redhat.com/",
 		"/usr/bin/insights-client --register",
+		"restorecon -R /root/.gnupg",
 	})
 }
 
@@ -110,6 +111,7 @@ func TestRhcInsightsCommands(t *testing.T) {
 	pipeline := os.serialize()
 	CheckFirstBootStageOptions(t, pipeline.Stages, []string{
 		"/usr/bin/rhc connect -o=2040324 -a=my-secret-key --server subscription.rhsm.redhat.com",
+		"restorecon -R /root/.gnupg",
 	})
 }