Set file context to 'container_file_t' on the destination folder when SElinux is enabled.

Signed-off-by: Radostin Stoyanov <rstoyanov1@xxxxxxxxx>
---
 src/virtBootstrap/utils.py | 22 ++++++++++++++++++++++
 src/virtBootstrap/virt_bootstrap.py | 7 +++++++
 2 files changed, 29 insertions(+)

diff --git a/src/virtBootstrap/utils.py b/src/virtBootstrap/utils.py
index 792b4d2..d6031f1 100644
--- a/src/virtBootstrap/utils.py
+++ b/src/virtBootstrap/utils.py
@@ -522,6 +522,28 @@ def write_progress(prog):
 sys.stdout.flush()
+def is_selinux_enabled():
+ """
+ Returns True if SElinux is enabled, False otherwise.
+ """
+ try:
+ subprocess.check_call(['selinuxenabled'])
+ except Exception:
+ return False
+ return True
+
+
+def chcon(path, context, flags="-Rt"):
+ """
+ Change file SELinux security context
+ """
+ try:
+ subprocess.check_call(['chcon', flags, context, path])
+ except Exception:
+ return False
+ return True
+
+
 # The implementation for remapping ownership of all files inside a
 # container's rootfs is inspired by the tool uidmapshift:
 #
diff --git a/src/virtBootstrap/virt_bootstrap.py b/src/virtBootstrap/virt_bootstrap.py
index cfe7aab..61d6cab 100755
--- a/src/virtBootstrap/virt_bootstrap.py
+++ b/src/virtBootstrap/virt_bootstrap.py
@@ -135,6 +135,13 @@ def bootstrap(uri, dest,
 logger.error("No write permissions on destination path '%s'", dest)
 sys.exit(1)
+ if utils.is_selinux_enabled():
+ logger.debug("Setting file SELinux security context")
+ if not utils.chcon(dest, "container_file_t"):
+ logger.error("Can't set SElinux context on destination path '%s'",
+ dest)
+ sys.exit(1)
+
 if uid_map is None:
 uid_map = []
-- 
2.21.0

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
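Review bot: chcon() builds its command as `['chcon', flags, context, path]`, so a destination path that begins with `-` is parsed by chcon as an option rather than a file; terminate option parsing before the path, `subprocess.check_call(['chcon', flags, context, '--', path])`. The bare `except Exception` in both new helpers also folds "selinuxenabled/chcon not installed" (OSError) together with a genuine relabel failure (CalledProcessError) and lets the tool's own stderr pass straight through to the terminal; catching `(OSError, subprocess.CalledProcessError)` keeps the same False return while leaving unrelated exceptions visible. The docstrings should state that a missing binary is reported the same way as a disabled SELinux or a failed relabel, e.g. `Returns False if selinuxenabled is missing or reports SELinux disabled.`. If the project can depend on the libselinux Python bindings, `selinux.is_selinux_enabled()` and `selinux.chcon()` would avoid the PATH lookup and the subprocess entirely, though that is a larger change than this patch needs.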
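Review bot: the new block runs `chcon -Rt container_file_t` on dest before anything is extracted, so if dest already holds files (the write-permission check just above only requires it to be writable) every pre-existing entry under it is relabeled, and a failing chcon now aborts a bootstrap that previously succeeded, which will presumably hit destinations on filesystems without SELinux label support. Consider labeling only the directory itself here, `utils.chcon(dest, "container_file_t", flags="-t")`, leaving any recursive pass for after extraction, and downgrading the failure to `logger.warning(...)` instead of `sys.exit(1)` unless labeling is something the user explicitly asked for. The hard-coded `container_file_t` type also assumes a policy that defines it (older policies used `svirt_sandbox_file_t` for the same role, if I recall correctly), so a short comment on why this label was chosen would help the next reader. bootstrap() starts before this hunk and continues past it.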