From da6e5361e7ecf466a11ae176a96b2b11264a1428 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 6 Dec 2017 19:09:18 +0100
Subject: [PATCH 1/2] syscontainers: set selinux label for files copied to the host
Signed-off-by: Giuseppe Scrivano
---
 Atomic/rpm_host_install.py | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/Atomic/rpm_host_install.py b/Atomic/rpm_host_install.py
index 0a83a011..c4799c8c 100644
--- a/Atomic/rpm_host_install.py
+++ b/Atomic/rpm_host_install.py
@@ -5,13 +5,25 @@
 import tempfile
 import shutil
 import hashlib
+import selinux
 RPM_NAME_PREFIX = "atomic-container"
 class RPMHostInstall(object):
     @staticmethod
-    def copyfile(src, dest):
+    def _copyfile(selinux_hnd, src, dest):
+
+        if selinux_hnd is not None:
+            mode = 0o755
+            try:
+                mode = os.stat(src).st_mode
+            except OSError:
+                pass
+
+            ctx = selinux.selabel_lookup_raw(selinux_hnd, dest, mode)
+            selinux.setfscreatecon_raw(ctx[1])
+
         if os.path.isdir(src):
             # add the directory only if it is empty, so we don't delete directories that
             # weren't added by us. Anyway a non empty directory would be created by
@@ -24,7 +36,10 @@ def copyfile(src, dest):
             os.symlink(linkto, dest)
             return True
         else:
-            shutil.copy2(src, dest)
+            # we cannot use shutil.copy2() or shutil.copystat() here as it would override the
+            # security.selinux xattr.
+            shutil.copy(src, dest)
+            shutil.copymode(src, dest)
             return True
         return False
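Review bot: The `selinux.selabel_lookup_raw(selinux_hnd, dest, mode)` call in `_copyfile` has no error handling, so a destination path with no matching file_contexts entry (where the python binding appears to raise OSError instead of returning a context) aborts the whole host install part-way through copying, rather than letting the kernel apply its default label as the old code did. Catching that failure and resetting the creation context with `setfscreatecon_raw(None)` keeps a stale label from an earlier call from leaking onto the file. The `mode = 0o755` fallback also carries no file-type bits, so after a failed stat the lookup cannot tell a file entry from a directory one; a stat failure on a source that is about to be copied is better surfaced than defaulted. Separately, the unconditional module-level `import selinux` makes the whole module fail to import on hosts without the libselinux python bindings, unless the project already requires them elsewhere. The rest of `_copyfile` continues outside the hunk.
```python
    @staticmethod
    def _copyfile(selinux_hnd, src, dest):

        if selinux_hnd is not None:
            mode = 0o755
            try:
                mode = os.stat(src).st_mode
            except OSError:
                pass

            try:
                ctx = selinux.selabel_lookup_raw(selinux_hnd, dest, mode)
                selinux.setfscreatecon_raw(ctx[1])
            except OSError:
                # no file_contexts entry for dest: fall back to the default label
                # instead of keeping whatever creation context was set last
                selinux.setfscreatecon_raw(None)

        # … unchanged: directory / symlink / regular file branches …
```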
@@ -74,7 +89,14 @@ def rm_add_files_to_host(old_installed_files_checksum, exports, prefix="/", file
         # if there is a directory hostfs/ under exports, copy these files to the host file system.
         hostfs = os.path.join(exports, "hostfs")
         new_installed_files_checksum = {}
-        if os.path.exists(hostfs):
+        if not os.path.exists(hostfs):
+            return new_installed_files_checksum
+
+        selinux_hnd = None
+        try:
+            if os.getuid() == 0 and selinux.is_selinux_enabled() != 0:
+                selinux_hnd = selinux.selabel_open(selinux.SELABEL_CTX_FILE, None, 0)
+
             for root, dirs, files in os.walk(hostfs):
                 rel_root_path = os.path.relpath(root, hostfs)
                 if not os.path.exists(os.path.join(prefix, rel_root_path)):
@@ -101,14 +123,22 @@ def rm_add_files_to_host(old_installed_files_checksum, exports, prefix="/", file
                     if rel_dest_path in templates_set:
                         with open(src_file, 'r') as src_file_obj:
                             data = src_file_obj.read()
+
+                        if selinux_hnd is not None:
+                            ctx = selinux.selabel_lookup_raw(selinux_hnd, dest_path, os.stat(src_file).st_mode)
+                            selinux.setfscreatecon_raw(ctx[1])
+
                         util.write_template(src_file, data, values or {}, dest_path)
                         shutil.copystat(src_file, dest_path)
                         created = True
                     else:
-                        created = RPMHostInstall.copyfile(src_file, dest_path)
+                        created = RPMHostInstall._copyfile(selinux_hnd, src_file, dest_path)
                     if created:
                         new_installed_files_checksum[rel_dest_path] = RPMHostInstall.file_checksum(dest_path)
+        finally:
+            if selinux_hnd is not None:
+                selinux.setfscreatecon_raw(None)
         return new_installed_files_checksum
From 4f9e96495c39ea146ede130c35486d1e6444a2c3 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 11 Dec 2017 11:30:31 +0100
Subject: [PATCH 2/2] tests: check copied files have the correct SELinux label
Signed-off-by: Giuseppe Scrivano
---
 tests/integration/test_system_containers_rpm.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/integration/test_system_containers_rpm.sh b/tests/integration/test_system_containers_rpm.sh
index d2d3a153..5ac1e8d4 100755
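Review bot: The handle opened with `selinux.selabel_open(selinux.SELABEL_CTX_FILE, None, 0)` in this hunk is never released; the `finally` block added in the next hunk only resets the creation context, so add `selinux.selabel_close(selinux_hnd)` next to its `setfscreatecon_raw(None)`. The later lookups are keyed on `dest_path`, which already includes `prefix`; if any caller passes a prefix other than "/", the file_contexts match is made for the staging location rather than the path the file will finally occupy under `/`, and the lookup should then use the destination path relative to `prefix` joined onto "/". Gating the handle on `os.getuid() == 0` and `is_selinux_enabled()` is sensible, but both calls sit inside the `try`, so a failure in `selabel_open` propagates before any file is copied — that looks intended and is worth a short comment. `rm_add_files_to_host` starts outside the hunk.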
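Review bot: The template branch still calls `shutil.copystat(src_file, dest_path)` right after the new `setfscreatecon_raw(ctx[1])`; as the comment added to `_copyfile` itself notes, copystat carries the security.selinux xattr over from the source, so templated files end up with the exported file's label instead of the one just looked up from file_contexts. Replace it with `shutil.copymode(src_file, dest_path)` to match the non-template path. The `os.stat(src_file).st_mode` here also lacks the OSError fallback `_copyfile` has; since the file was just opened for reading that is unlikely to matter, but the two lookups could share one helper so the two branches cannot drift again. `rm_add_files_to_host` starts outside the hunk.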
--- a/tests/integration/test_system_containers_rpm.sh
+++ b/tests/integration/test_system_containers_rpm.sh
@@ -96,6 +96,7 @@ for i in /usr/local/lib/renamed-atomic-test-system-hostfs /usr/local/lib/secret-
 do
     assert_matches $i rpm_file_list
     test -e $i
+    matchpathcon -V $i
 done
 # This is not a template file, the $RECEIVER is not replaced
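Review bot: `matchpathcon -V $i` makes this loop fail on a host where SELinux is disabled or the tool is not installed: with no label to read, the verify reports an error and exits non-zero, and the script presumably runs under `set -e`, so the whole test aborts rather than skipping the label check. Guarding the line, e.g. `selinuxenabled 2>/dev/null && matchpathcon -V $i`, keeps the check meaningful where the installer actually labels files (it only does so as root with SELinux enabled) and a no-op elsewhere. The `for` header is outside the hunk.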