harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

prepare-root.sh: use setfiles to set selinux labels

Browse source 
remove all host tainting selinux quirks
This commit is contained in:
Harald Hoyer 2018-11-19 15:29:30 +01:00
parent 09a12bc63f
commit 5b74a15295
1 changed files with 5 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

23
prepare-root.sh
View file

@ -151,8 +151,6 @@ REPOSD=${REPOSD:-/etc/yum.repos.d}
STATEDIR=${STATEDIR:-"${BASEDIR}/${NAME}"} STATEDIR=${STATEDIR:-"${BASEDIR}/${NAME}"}
export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-$(date -u +'%s')} export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-$(date -u +'%s')}
readonly OLD_SELINUX=$(getenforce)
[[ $TMPDIR ]] || TMPDIR=/var/tmp [[ $TMPDIR ]] || TMPDIR=/var/tmp
readonly TMPDIR="$(realpath -e "$TMPDIR")" readonly TMPDIR="$(realpath -e "$TMPDIR")"
[ -d "$TMPDIR" ] || { [ -d "$TMPDIR" ] || {
@ -169,20 +167,17 @@ readonly MY_TMPDIR="$(mktemp -p "$TMPDIR/" -d -t ${PROGNAME}.XXXXXX)"
# clean up after ourselves no matter how we die. # clean up after ourselves no matter how we die.
trap ' trap '
ret=$?; ret=$?;
for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run,var/lib/rpm,var/cache/dnf}; do for i in "$sysroot"/{dev,sys,proc,run,var/lib/rpm,var/cache/dnf}; do
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i" [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
done done
[[ $MY_TMPDIR ]] && rm -rf --one-file-system -- "$MY_TMPDIR" [[ $MY_TMPDIR ]] && rm -rf --one-file-system -- "$MY_TMPDIR"
(( $ret != 0 )) && [[ "$OUTNAME" ]] && rm -rf --one-file-system -- "$OUTNAME" (( $ret != 0 )) && [[ "$OUTNAME" ]] && rm -rf --one-file-system -- "$OUTNAME"
setenforce $OLD_SELINUX
exit $ret; exit $ret;
' EXIT ' EXIT
# clean up after ourselves no matter how we die. # clean up after ourselves no matter how we die.
trap 'exit 1;' SIGINT trap 'exit 1;' SIGINT
setenforce 0
readonly sysroot="${MY_TMPDIR}/sysroot" readonly sysroot="${MY_TMPDIR}/sysroot"
# We need to preserve old uid/gid # We need to preserve old uid/gid
@ -336,18 +331,13 @@ for i in passwd shadow group gshadow subuid subgid; do
chmod u+r "${STATEDIR}/$i" chmod u+r "${STATEDIR}/$i"
done done
# ------------------------------------------------------------------------------
# selinux
#sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
mount -t selinuxfs none "$sysroot/sys/fs/selinux"
chroot "$sysroot" semanage fcontext --noreload -a -e /etc /cfg
cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp
chroot "$sysroot" bash -c ' chroot "$sysroot" bash -c '
cd /var/tmp cd /var/tmp
make -f /usr/share/selinux/devel/Makefile make -f /usr/share/selinux/devel/Makefile
semodule --noreload -i FedoraBook.pp semodule --noreload -i FedoraBook.pp
' '
umount "$sysroot/sys/fs/selinux" chroot "$sysroot" semanage fcontext --noreload -a -e /etc /cfg
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/fedorabook-clonedisk cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/fedorabook-clonedisk
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/fedorabook-update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/fedorabook-update
@ -839,14 +829,12 @@ mkdir -p "$sysroot"/{var,home,cfg,net,efi}
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# SELinux relabel all the files # SELinux relabel all the files
mount -t selinuxfs none "$sysroot/sys/fs/selinux" chroot "$sysroot" setfiles -v -F \
chroot "$sysroot" restorecon -m -v -F -R /usr /etc /etc/selinux/targeted/contexts/files/file_contexts /
chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /var /net /root
umount "$sysroot/sys/fs/selinux"
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# umount everything # umount everything
for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do for i in "$sysroot"/{dev,sys,proc,run}; do
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i" [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
done done
@ -937,4 +925,3 @@ chown "${SUDO_USER:-$USER}" \
"${BASEOUTDIR}/${NAME}-${ROOT_HASH}-efi.tgz" \ "${BASEOUTDIR}/${NAME}-${ROOT_HASH}-efi.tgz" \
"${BASEOUTDIR}/${NAME}-latest.json" "${BASEOUTDIR}/${NAME}-latest.json"
setenforce $OLD_SELINUX