stages/selinux: ability to force an auto-relabel
This should not be needed in any case but can be a sledgehammer for situations where we cannot properly label a file. It turns out one such scenario is when a label, let's call it `a1`, is an alias for another label, let's call it `l1`. Setting `a1` will lead to `l1` being read back, and thus copying the label `a1` will result in the label `l1` being copied instead. Now if the target distribution does not have `l1` but only has `a1`, we cannot set it and thus will end up with an unlabeled file.
parent
9da89de8b5
commit
52cb27631b
1 changed files with 10 additions and 0 deletions
|
|
@ -21,6 +21,7 @@ may not match the tree's policy.
|
||||||
|
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
import pathlib
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
|
@ -41,6 +42,11 @@ SCHEMA = """
|
||||||
"items": {
|
"items": {
|
||||||
"type": "object"
|
"type": "object"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"force_autorelabel": {
|
||||||
|
"type": "boolean",
|
||||||
|
"description": "Do not use. Forces auto-relabelling on first boot.",
|
||||||
|
"default": false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
"""
|
"""
|
||||||
|
|
@ -56,6 +62,10 @@ def main(tree, options):
|
||||||
fullpath = os.path.join(tree, path.lstrip("/"))
|
fullpath = os.path.join(tree, path.lstrip("/"))
|
||||||
subprocess.run(["chcon", "-v", label, fullpath], check=True)
|
subprocess.run(["chcon", "-v", label, fullpath], check=True)
|
||||||
|
|
||||||
|
if options.get("force_autorelabel", False):
|
||||||
|
stamp = pathlib.Path(tree, ".autorelabel")
|
||||||
|
stamp.touch()
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
args = osbuild.api.arguments()
|
args = osbuild.api.arguments()
|
||||||
|
|
|
||||||
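Review bot: In `main`, the `.autorelabel` stamp is created right after the `chcon` loop, and nothing documents how the two interact. A first-boot relabel restores contexts from the target's own policy, so a label applied by `chcon` above that the policy does not also define may be reverted; this is inferred and depends on how the target runs the relabel. The schema text `"Do not use. Forces auto-relabelling on first boot."` gives no reason either, and I would replace it with something like `"description": "Last resort: creates /.autorelabel so the system relabels itself on first boot; files keep their build-time labels until then."`. A short comment above `stamp.touch()` should also say that the image stays unlabelled or mislabelled until that first boot completes, which matters to anyone who mounts or inspects it beforehand. `main` starts outside the hunk, so the handling of `options` before the loop is not visible here.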