From 6d0b9abc0f100ebd5cd5b83836697e2d0fc3430b Mon Sep 17 00:00:00 2001
From: Yolanda Robla <yroblamo@redhat.com>
Date: Fri, 17 Mar 2017 18:22:17 +0100
Subject: [PATCH] Apply setfiles on all mountpoints

With the new block device definition, where the content of the image
can be mounted on different partitions, running setfiles on the root
directory alone is not enough. Instead, expose all the mountpoints of
the image and apply setfiles to each of them.

Change-Id: I153f979722eaec49eab93d7cd398c5589b9bfc44
---
 diskimage_builder/block_device/blockdevice.py    |  5 ++++-
 .../finalise.d/90-selinux-fixfiles-restore       | 16 ++++++++++++----
 diskimage_builder/lib/disk-image-create          |  4 ++++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/diskimage_builder/block_device/blockdevice.py b/diskimage_builder/block_device/blockdevice.py
index 9ff491825..4d10bb92b 100644
--- a/diskimage_builder/block_device/blockdevice.py
+++ b/diskimage_builder/block_device/blockdevice.py
@@ -298,7 +298,10 @@ class BlockDevice(object):
             return 0
         if symbol == 'mount-points':
             mount_points = self._config_get_all_mount_points()
-            print("%s" % " ".join(mount_points))
+            # we return the mountpoints joined by a pipe, because it is not
+            # a valid char in directories, so it is a safe separator for the
+            # mountpoints list
+            print("%s" % "|".join(mount_points))
             return 0
         if symbol == 'image-block-partition':
             # If there is no partition needed, pass back directly the
diff --git a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
index 84ff7e582..0598d63ee 100755
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
@@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
 fi
 set -eu
 set -o pipefail
+
 SETFILES=$(which setfiles || true)
 if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
-    # Without fixing selinux file labels, sshd will run in the kernel_t domain
-    # instead of the sshd_t domain, making ssh connections fail with
-    # "Unable to get valid context for <user>" error message
-    setfiles /etc/selinux/targeted/contexts/files/file_contexts /
+    # get all mounpoints in the system
+    IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
+    for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
+        # Without fixing selinux file labels, sshd will run in the kernel_t domain
+        # instead of the sshd_t domain, making ssh connections fail with
+        # "Unable to get valid context for <user>" error message
+        if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
+            $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+        fi
+    done
 else
     echo "Skipping SELinux relabel, since setfiles is not available."
     echo "Touching /.autorelabel to schedule a relabel when the image boots."
     touch /.autorelabel
 fi
+
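Review bot: `${MOUNTPOINT}` in the `$SETFILES` call is unquoted, so a mount point with whitespace or glob characters is word-split and expanded before setfiles sees it; under `set -eu` that aborts the finalise step or, worse, relabels a different path, and it should read `$SETFILES /etc/selinux/targeted/contexts/files/file_contexts "${MOUNTPOINT}"`. The empty case is also weaker than before: the old code always relabelled `/`, while here an unset `DIB_MOUNTPOINTS` aborts on `set -u` and an empty one yields zero iterations and silently skips the relabel, leaving sshd in `kernel_t` exactly as the retained comment warns; a fallback such as `IFS='|' read -ra SPLIT_MOUNTS <<< "${DIB_MOUNTPOINTS:-/}"` keeps the previous behaviour when the list is missing. I cannot see from this hunk whether `mount-points` always includes `/`, so it is worth confirming that the root filesystem still gets relabelled under the new scheme.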
diff --git a/diskimage_builder/lib/disk-image-create b/diskimage_builder/lib/disk-image-create
index 3b76af668..88c64ed32 100644
--- a/diskimage_builder/lib/disk-image-create
+++ b/diskimage_builder/lib/disk-image-create
@@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
 DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
 export DIB_ROOT_FSTYPE
 
+# retrieve mount points so we can reuse in elements
+DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
+export DIB_MOUNTPOINTS
+
 create_base
 # This variable needs to be propagated into the chroot
 mkdir -p $TMP_HOOKS_PATH/environment.d
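Review bot: The value assigned to `DIB_MOUNTPOINTS` is a `|`-joined list, unlike the other `getval` results exported just above it, but the comment does not say so, and an element author has to read the Python side to learn how to split it. I would make the comment self-contained: `# '|'-separated list of all mount points from the block device config, for elements (split with IFS='|'; see the mount-points getval)`. Whether the exported value survives into the chroot depends on the environment propagation that starts after this hunk, so the consumers should be checked against that.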