From 40c2545f74d46d6928a8a64aed2926c7d7785bfe Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Wed, 8 Apr 2020 17:27:40 +0200
Subject: [PATCH] util/selinux: add simple setfiles wrapper
Add a small wrapper around the setfiles(8) utility that can be used to set the security context fields on one or multiple provided paths, given a specification. The root of the file system tree can be given via `root` and all elements of `paths` will be interpreted as relative to that root.
---
 osbuild/util/selinux.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/osbuild/util/selinux.py b/osbuild/util/selinux.py
index 925bd9bb..20a763d2 100644
--- a/osbuild/util/selinux.py
+++ b/osbuild/util/selinux.py
@@ -1,5 +1,7 @@
 """SELinux utility functions"""
+import subprocess
+
 from typing import Dict, TextIO
@@ -27,3 +29,20 @@ def config_get_policy(config: Dict[str, str]):
 if enabled not in ['enforcing', 'permissive']:
 return None
 return config.get('SELINUXTYPE', None)
+
+
+def setfiles(spec_file: str, root: str, *paths):
+ """Initialize the security context fields for `paths`
+
+ Initialize the security context fields (extended attributes)
+ on `paths` using the given specification in `spec_file`. The
+ `root` argument determines the root path of the file system
+ and the entries in `path` are interpreted as relative to it.
+ Uses the setfiles(8) tool to actually set the contexts.
+ """
+ for path in paths:
+ subprocess.run(["setfiles", "-F",
+ "-r", root,
+ spec_file,
+ f"{root}{path}"],
+ check=True)
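Review bot: The target passed to setfiles is built by plain concatenation, `f"{root}{path}"`, so it is only correct when `path` starts with `/` and `root` has no trailing slash; root `/tree` with path `etc` yields `/treeetc`, and a `..` component is passed through unchecked. Because setfiles normally runs privileged, a malformed path (presumably these come from stage options or a manifest) could end up relabelling files outside the intended tree. I would build it as `target = os.path.normpath(os.path.join(root, path.lstrip("/")))` and raise `ValueError` unless `os.path.commonpath([root, target]) == os.path.normpath(root)`, which needs `import os` next to the new `import subprocess`. Separately, the docstring says "entries in `path`" where the parameter is `paths`, and it would help to state there that each entry must be an absolute path inside the tree.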