Replace libselinux restorecon API with CLI

The restorecon API in libselinux has a problem fixing the context if it is update from the same script. The bug is present in several RHEL releases and it is documented here: https://issues.redhat.com/browse/RHEL-73348 Following the advice in the issue, the API call has been temporarily replaced with the equivalent CLI. Fix: 2338454
dogtagpki · Jan 20, 2025 · 8a89fe5 · 8a89fe5
1 parent 88b030d
commit 8a89fe5
Showing 1 changed file with 24 additions and 4 deletions.
diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py
@@ -21,6 +21,7 @@
 from __future__ import absolute_import
 import logging
 import selinux
+import subprocess
 import sys
 import time
 
@@ -48,10 +49,29 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
     suffix = "(/.*)?"
 
     def restore_context(self, mdict):
-        selinux.restorecon(mdict['pki_instance_path'], True)
-        selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
-        selinux.restorecon(mdict['pki_instance_log_path'], True)
-        selinux.restorecon(mdict['pki_instance_configuration_path'], True)
+        # The restocon API is not working in RHEL
+        # (see https://issues.redhat.com/browse/RHEL-73348).
+        #
+        #selinux.restorecon(mdict['pki_instance_path'], True)
+        #selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
+        #selinux.restorecon(mdict['pki_instance_log_path'], True)
+        #selinux.restorecon(mdict['pki_instance_configuration_path'], True)
+        folders = [
+            mdict['pki_instance_path'],
+            config.PKI_DEPLOYMENT_LOG_ROOT,
+            mdict['pki_instance_log_path'],
+            mdict['pki_instance_configuration_path']
+        ]
+        for folder in folders:
+            cmd = [
+                '/usr/sbin/restorecon',
+                '-R'
+            ]
+            if logger.isEnabledFor(logging.DEBUG):
+                cmd.append('-v')
+            cmd.append(folder)
+            logger.debug('Command: %s', ' '.join(cmd))
+            subprocess.run(cmd, check=True)
 
     # Helper function to check if a given `context_value` exists in the given
     # set of `records`. This method can process both port contexts and file contexts