From d70c5a73344934674ba854aeb2bca49aede157d3 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Fri, 12 Jun 2020 20:04:19 +0200
Subject: [PATCH] stages/selinux: support label overwrites

Add a new `labels` option that can contain `path`: `label` pairs to overwrite the default labels for `path`. NB: These manually set labels will not survive a relabeling and are most useful to adjust policy in the buildroot, e.g. for `cp` to be able to copy labels unknown to the host, by labeling it as `system_u:object_r:install_exec_t:s0`.
---
stages/org.osbuild.selinux | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux
index 5ec319f6..5aa924f9 100755
--- a/stages/org.osbuild.selinux
+++ b/stages/org.osbuild.selinux
@@ -33,6 +33,13 @@ SCHEMA = """
 "file_contexts": {
 "type": "string",
 "description": "Path to the active SELinux policy's `file_contexts`"
+ },
+ "labels": {
+ "type": "object",
+ "description": "Labels to set of the specified files or folders",
+ "items": {
+ "type": "object"
+ }
 }
 }
 """
@@ -40,9 +47,14 @@ SCHEMA = """
 def main(tree, options):
 file_contexts = os.path.join(f"{tree}", options["file_contexts"])
+ labels = options.get("labels", {})
 subprocess.run(["setfiles", "-F", "-r", f"{tree}", f"{file_contexts}", f"{tree}"], check=True)
+ for path, label in labels.items():
+ fullpath = os.path.join(tree, path.lstrip("/"))
+ subprocess.run(["chcon", "-v", label, fullpath], check=True)
+
 if __name__ == '__main__':
 args = json.load(sys.stdin)
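Review bot: The new `labels` schema entry does not validate the label values at all, because `items` is an array keyword and has no effect on a value declared as `"type": "object"`. The `object` type it names also contradicts main(), which passes each value to `chcon` as a string. Replacing the `items` block with `"additionalProperties": {"type": "string"}` would reject non-string labels before they reach `subprocess.run`. The description reads "Labels to set of the specified files or folders", where "Labels to set on …" seems intended. The SCHEMA string starts above this hunk, so any stricter validation applied elsewhere is not visible here.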
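Review bot: The new loop in main() hands both the key and the value of `labels` to `chcon` without checking either. `path.lstrip("/")` only strips leading slashes, so a key with `..` components joins to a location outside `tree`; `chcon` also follows symlinks by default, so a link inside the tree can redirect the relabel, and a label starting with `-` is parsed as an option. If the stage runs privileged (likely, but not visible in this hunk), I would resolve the path, require it to stay under the tree, and put `--` before the label, as sketched below. The `realpath` check also refuses absolute symlinks that exist inside the tree, so a tree-relative resolver may be needed if those must stay labelable.

```python
    # … unchanged: file_contexts lookup and setfiles relabel …
    root = os.path.realpath(tree)
    for path, label in labels.items():
        fullpath = os.path.realpath(os.path.join(root, path.lstrip("/")))
        if os.path.commonpath([root, fullpath]) != root:
            raise ValueError(f"label path escapes the tree: {path!r}")
        subprocess.run(["chcon", "-v", "--", label, fullpath], check=True)
```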