[PATCH 1/2] mount-copybind: add SELinux support

[PATCH 1/2] mount-copybind: add SELinux support

[tobias.kaufmann]

From: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>

bind mounts don't use the SELinux label of the target, but the SELinux
label of the source.

This patch restores the SELinux context of the bind mount recursively using
restorecon.

Signed-off-by: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
---
Hi guys,

currently mount-copybind does not support SELinux.
This patchset adds the necessary functionality.

The SELinux related commands are only executed, when SELinux is enabled and
SELinux tools are installed.

Would be great to get this merged. Questions/Suggestions are welcomed anytime. :)

Kind regards
Tobias

 .../recipes-core/volatile-binds/files/mount-copybind | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/meta/recipes-core/volatile-binds/files/mount-copybind b/meta/recipes-core/volatile-binds/files/mount-copybind
index e32e675308..57a5ce5f21 100755
--- a/meta/recipes-core/volatile-binds/files/mount-copybind
+++ b/meta/recipes-core/volatile-binds/files/mount-copybind
@@ -46,6 +46,12 @@ if [ -d "$mountpoint" ]; then
         fi
 
         mount -o "bind$options" "$spec" "$mountpoint"
+        # restore the selinux context.
+        if command -v selinuxenabled > /dev/null 2>&1; then
+            if selinuxenabled; then
+                restorecon -R "$mountpoint"
+            fi
+        fi
     fi
 elif [ -f "$mountpoint" ]; then
     if [ ! -f "$spec" ]; then
@@ -53,4 +59,10 @@ elif [ -f "$mountpoint" ]; then
     fi
 
     mount -o "bind$options" "$spec" "$mountpoint"
+    # restore the selinux context.
+    if command -v selinuxenabled > /dev/null 2>&1; then
+        if selinuxenabled; then
+            restorecon -R "$mountpoint"
+        fi
+    fi
 fi
-- 
2.33.0

[PATCH 2/2] mount-copybind: add rootcontext mountoption for overlayfs

[tobias.kaufmann]

From: Maximilian Blenk <Maximilian.Blenk@bmw.de>

If selinux is enabled, the context of the mountpoint for overlayfs
needs to be specified manually via the rootcontext option. To this
end, the required context is determined using matchpathcon(1) and
passed via the rootcontext mount option.

Additionally, if the mount source directory is created by mount-copybind
it also needs to take care that the context of the directory is correct

Signed-off-by: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
---
 .../volatile-binds/files/mount-copybind            | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/volatile-binds/files/mount-copybind b/meta/recipes-core/volatile-binds/files/mount-copybind
index 57a5ce5f21..aad022c6e4 100755
--- a/meta/recipes-core/volatile-binds/files/mount-copybind
+++ b/meta/recipes-core/volatile-binds/files/mount-copybind
@@ -31,6 +31,13 @@ if [ -d "$mountpoint" ]; then
     else
         specdir_existed=no
         mkdir "$spec"
+        # If the $spec directory is created we need to take care that
+        # the selinux context is correct
+        if command -v selinuxenabled > /dev/null 2>&1; then
+            if selinuxenabled; then
+                restorecon "$spec"
+            fi
+        fi
     fi
 
     # Fast version of calculating `dirname ${spec}`/.`basename ${spec}`-work
@@ -39,7 +46,12 @@ if [ -d "$mountpoint" ]; then
 
     # Try to mount using overlay, which is must faster than copying files.
     # If that fails, fall back to slower copy.
-    if ! mount -t overlay overlay -olowerdir="$mountpoint",upperdir="$spec",workdir="$overlay_workdir" "$mountpoint" > /dev/null 2>&1; then
+    if command -v selinuxenabled > /dev/null 2>&1; then
+        if selinuxenabled; then
+            mountcontext=",rootcontext=$(matchpathcon -n $mountpoint)"
+        fi
+    fi
+    if ! mount -t overlay overlay -olowerdir="$mountpoint",upperdir="$spec",workdir="$overlay_workdir""$mountcontext" "$mountpoint" > /dev/null 2>&1; then
 
         if [ "$specdir_existed" != "yes" ]; then
             cp -aPR "$mountpoint"/. "$spec/"
-- 
2.33.0