stages/selinux: directly call setfilecon
Instead of using `chcon`, directly call `selinux.setfilecon`. On systems without SELinux support, i.e. coreutils was built without `<selinux.h>` present, `chcon` will return `ENOTSUP` for all calls to SELinux functions like `setfilecon` even if the selinux libraries are later installed. Therefore we directly call the new osbuild helper function, which really is just a wrapper around setting extended file attributes and thus will work even if SELinux support is not compiled into coreutils. The only other thing `chcon` is doing besides a call to the `setfilecon` method is to convert the context string to a new `context_t` and back to validate it. This should not be needed since the kernel will do this for us. On systems without SELinux support `context_new` will also not validate the context.
parent 75df59bace
commit d38cdb6425
1 changed files with 2 additions and 1 deletions
|
|
@ -26,6 +26,7 @@ import subprocess
|
|||
import sys
|
||||
|
||||
import osbuild.api
|
||||
from osbuild.util import selinux
|
||||
|
||||
|
||||
SCHEMA = """
|
||||
|
|
@ -60,7 +61,7 @@ def main(tree, options):
|
|||
|
||||
for path, label in labels.items():
|
||||
fullpath = os.path.join(tree, path.lstrip("/"))
|
||||
subprocess.run(["chcon", "-v", label, fullpath], check=True)
|
||||
selinux.setfilecon(fullpath, label)
|
||||
|
||||
if options.get("force_autorelabel", False):
|
||||
stamp = pathlib.Path(tree, ".autorelabel")
|
||||
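Review bot: Replacing `subprocess.run(["chcon", "-v", label, fullpath], check=True)` with `selinux.setfilecon(fullpath, label)` silently drops the `-v` output, so the stage log no longer records which path received which label; consider printing `fullpath` and `label` inside the loop so a build log can still be audited for the contexts that were applied. The old call also relied on `check=True` to abort the stage on failure and on `chcon` to parse the context string, so it is worth confirming that `setfilecon` raises on error and adding a test in which a malformed `label` fails the stage rather than being written into the tree.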