stages/selinux: support label overwrites
Add a new `labels` option that can contain `path`: `label` pairs to overwrite the default labels for `path`. NB: These manually set labels will not survive a relabeling and are most useful to adjust policy in the buildroot, e.g. for `cp` to be able to copy labels unknown to the host, by labeling it as `system_u:object_r:install_exec_t:s0`.
parent
15986d9297
commit
d70c5a7334
1 changed files with 12 additions and 0 deletions
|
|
@ -33,6 +33,13 @@ SCHEMA = """
|
|||
"file_contexts": {
|
||||
"type": "string",
|
||||
"description": "Path to the active SELinux policy's `file_contexts`"
|
||||
},
|
||||
"labels": {
|
||||
"type": "object",
|
||||
"description": "Labels to set of the specified files or folders",
|
||||
"items": {
|
||||
"type": "object"
|
||||
}
|
||||
}
|
||||
}
|
||||
"""
|
||||
|
|
@ -40,9 +47,14 @@ SCHEMA = """
|
|||
|
||||
def main(tree, options):
|
||||
file_contexts = os.path.join(f"{tree}", options["file_contexts"])
|
||||
labels = options.get("labels", {})
|
||||
|
||||
subprocess.run(["setfiles", "-F", "-r", f"{tree}", f"{file_contexts}", f"{tree}"], check=True)
|
||||
|
||||
for path, label in labels.items():
|
||||
fullpath = os.path.join(tree, path.lstrip("/"))
|
||||
subprocess.run(["chcon", "-v", label, fullpath], check=True)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
args = json.load(sys.stdin)
|
||||
|
|
|
|||