Set file context to 'container_file_t' on the destination folder when SElinux mode is set to enforcing.

Signed-off-by: Radostin Stoyanov <rstoyanov1@xxxxxxxxx>
---
 src/virtBootstrap/utils.py          | 28 ++++++++++++++++++++++++++++
 src/virtBootstrap/virt_bootstrap.py |  7 +++++++
 2 files changed, 35 insertions(+)

diff --git a/src/virtBootstrap/utils.py b/src/virtBootstrap/utils.py
index b0f695d..3083c3c 100644
--- a/src/virtBootstrap/utils.py
+++ b/src/virtBootstrap/utils.py
@@ -522,6 +522,34 @@ def write_progress(prog):
     sys.stdout.flush()
+def is_selinux_enforcing():
+    """
+    Check if SElinux mode is set to enforcing.
+    """
+    try:
+        status = subprocess.Popen(
+            ['getenforce'],
+            stdout=subprocess.PIPE).stdout.read()
+        status = status.decode('utf-8').strip().lower()
+    except Exception:
+        return False
+
+    if "enforcing" in status:
+        return True
+    return False
+
+
+def chcon(path, context, flags="-Rt"):
+    """
+    Change file SELinux security context
+    """
+    try:
+        subprocess.check_call(['chcon', flags, context, path])
+    except Exception:
+        return False
+    return True
+
+
 # The implementation for remapping ownership of all files inside a
 # container's rootfs is inspired by the tool uidmapshift:
 #
diff --git a/src/virtBootstrap/virt_bootstrap.py b/src/virtBootstrap/virt_bootstrap.py
index cfe7aab..7b5a9d0 100755
--- a/src/virtBootstrap/virt_bootstrap.py
+++ b/src/virtBootstrap/virt_bootstrap.py
@@ -135,6 +135,13 @@ def bootstrap(uri, dest,
         logger.error("No write permissions on destination path '%s'", dest)
         sys.exit(1)
+    if utils.is_selinux_enforcing():
+        logger.debug("SElinux is set to enforcing")
+        if not utils.chcon(dest, "container_file_t"):
+            logger.error("Can't set SElinux context on destination path '%s'",
+                         dest)
+            sys.exit(1)
+
     if uid_map is None:
         uid_map = []
-- 
2.21.0

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
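Review bot: In `is_selinux_enforcing` the child started with `subprocess.Popen(['getenforce'], stdout=subprocess.PIPE)` is never waited on and its stdout pipe is never closed, so the process is left unreaped and the descriptor leaks; `status = subprocess.check_output(['getenforce']).decode('utf-8').strip().lower()` reads, waits and closes in one call, and a non-zero exit then surfaces as `subprocess.CalledProcessError`, which the existing `except` already turns into `False` (narrowing it to `except (OSError, subprocess.CalledProcessError):` would keep programming errors visible). The same hunk's `chcon` helper hands `path` to the command as the last positional argument; writing it as `subprocess.check_call(['chcon', flags, context, '--', path])` keeps a destination whose name starts with `-` from being parsed as an option. Both docstrings are silent on the failure contract, so a line such as "Returns False when the command cannot be run or exits non-zero; the caller decides whether that is fatal" would help readers of `bootstrap`. This presumes `subprocess` is already imported in utils.py, which the hunk does not show.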
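Review bot: The new `utils.chcon(dest, "container_file_t")` call relies on the helper's default `-Rt` flags and runs before anything is extracted, so it relabels every file already present under `dest`, not only what this bootstrap writes; that scope deserves a comment at the call site, e.g. `# Recursive relabel: pre-existing content under dest gets container_file_t too`. When `utils.is_selinux_enforcing()` returns False because `getenforce` could not be executed rather than because the mode is permissive or disabled, the relabel is skipped with no log line at all, since only the positive branch emits `logger.debug(...)`; a debug message on the negative path, or a helper return value that distinguishes "not enforcing" from "could not determine", would make a silently unlabeled destination diagnosable. The `bootstrap` function begins and ends outside this hunk.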