From 34083344a4107307909710a64804542344b42ce9 Mon Sep 17 00:00:00 2001
From: Kevin Kofler
Date: Thu, 9 May 2019 13:50:31 +0200
Subject: [PATCH] mount: copy the SELinux context of the host directory to the mountpoint
On systems with SELinux enabled, we have to create the directories on top of which we mount another partition or virtual file system (e.g., /dev) with the correct SELinux context, BEFORE we mount the other partition. Otherwise, SELinux will get really confused when systemd tries to recreate the mount tree for a private file system namespace for a service. And unfortunately, even an autorelabel does not fix it because it runs when /dev etc. are already mounted. Without this fix, on Fedora >= 30, the system installed with Calamares would fail to start the dbus-broker system bus, leading to several important pieces of functionality not working (e.g., shutdown as non-root). On systems without SELinux enabled, chcon (which is part of coreutils) will just print a warning and do nothing, so this should always be safe.
---
 src/modules/mount/main.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/modules/mount/main.py b/src/modules/mount/main.py
index aab3568d1..1b98482f9 100644
--- a/src/modules/mount/main.py
+++ b/src/modules/mount/main.py
@@ -22,6 +22,7 @@
 import tempfile
 import subprocess
+import os
 import libcalamares
@@ -48,7 +49,15 @@ def mount_partitions(root_mount_point, partitions):
 continue
 # Create mount point with `+` rather than `os.path.join()` because
 # `partition["mountPoint"]` starts with a '/'.
- mount_point = root_mount_point + partition["mountPoint"]
+ raw_mount_point = partition["mountPoint"]
+ mount_point = root_mount_point + raw_mount_point
+
+ # Ensure that the created directory has the correct SELinux context on
+ # SELinux-enabled systems.
+ os.makedirs(mount_point, exist_ok=True)
+ subprocess.call(['chcon', '--reference=' + raw_mount_point,
+ mount_point])
+
 fstype = partition.get("fs", "").lower()
 if fstype == "fat16" or fstype == "fat32":
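Review bot: The return value of the added `subprocess.call(['chcon', ...])` is discarded, so if the reference path `raw_mount_point` does not exist on the host (a custom mount point, for example) the new directory silently keeps its default label and the mislabelled-mountpoint failure described in the commit message can recur with nothing in the installer log. Keep the status and report it, e.g. `rc = subprocess.call(['chcon', '--reference=' + raw_mount_point, mount_point])` followed by `if rc != 0: libcalamares.utils.debug("chcon failed on {} (exit {})".format(mount_point, rc))`. `subprocess.call` also raises `OSError` when the `chcon` binary is absent, which would presumably abort the mount job, so the "always safe" assumption holds only where coreutils is present. `mount_partitions` begins and ends outside this hunk, so whether `raw_mount_point` is validated earlier cannot be seen here.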