syscontainers: set selinux label for files copied to the host

Signed-off-by: Giuseppe Scrivano <[email protected]>
projectatomic · Dec 11, 2017 · cfe0163 · cfe0163
1 parent 50b0df1
commit cfe0163
Showing 1 changed file with 28 additions and 4 deletions.
diff --git a/Atomic/rpm_host_install.py b/Atomic/rpm_host_install.py
@@ -5,13 +5,19 @@
 import tempfile
 import shutil
 import hashlib
+import selinux
 
 RPM_NAME_PREFIX = "atomic-container"
 
 class RPMHostInstall(object):
 
     @staticmethod
-    def copyfile(src, dest):
+    def _copyfile(selinux_hnd, src, dest):
+
+        if selinux_hnd is not None:
+            ctx = selinux.selabel_lookup_raw(selinux_hnd, dest, os.stat(src).st_mode)
+            selinux.setfscreatecon_raw(ctx[1])
+
         if os.path.isdir(src):
             # add the directory only if it is empty, so we don't delete directories that
             # weren't added by us.  Anyway a non empty directory would be created by
@@ -24,7 +30,10 @@ def copyfile(src, dest):
             os.symlink(linkto, dest)
             return True
         else:
-            shutil.copy2(src, dest)
+            # we cannot use shutil.copy2() or shutil.copystat() here as it would override the
+            # security.selinux xattr.
+            shutil.copy(src, dest)
+            shutil.copymode(src, dest)
             return True
         return False
 
@@ -74,7 +83,14 @@ def rm_add_files_to_host(old_installed_files_checksum, exports, prefix="/", file
         # if there is a directory hostfs/ under exports, copy these files to the host file system.
         hostfs = os.path.join(exports, "hostfs")
         new_installed_files_checksum = {}
-        if os.path.exists(hostfs):
+        if not os.path.exists(hostfs):
+            return new_installed_files_checksum
+
+        selinux_hnd = None
+        try:
+            if os.getuid() == 0 and selinux.is_selinux_enabled() != 0:
+                selinux_hnd = selinux.selabel_open(selinux.SELABEL_CTX_FILE, None, 0)
+
             for root, dirs, files in os.walk(hostfs):
                 rel_root_path = os.path.relpath(root, hostfs)
                 if not os.path.exists(os.path.join(prefix, rel_root_path)):
@@ -101,14 +117,22 @@ def rm_add_files_to_host(old_installed_files_checksum, exports, prefix="/", file
                     if rel_dest_path in templates_set:
                         with open(src_file, 'r') as src_file_obj:
                             data = src_file_obj.read()
+
+                        if selinux_hnd is not None:
+                            ctx = selinux.selabel_lookup_raw(selinux_hnd, dest_path, os.stat(src_file).st_mode)
+                            selinux.setfscreatecon_raw(ctx[1])
+
                         util.write_template(src_file, data, values or {}, dest_path)
                         shutil.copystat(src_file, dest_path)
                         created = True
                     else:
-                        created = RPMHostInstall.copyfile(src_file, dest_path)
+                        created = RPMHostInstall._copyfile(selinux_hnd, src_file, dest_path)
 
                     if created:
                         new_installed_files_checksum[rel_dest_path] = RPMHostInstall.file_checksum(dest_path)
+        finally:
+            if selinux_hnd is not None:
+                selinux.setfscreatecon_raw(None)
 
         return new_installed_files_checksum