fix(dracut-initramfs-restore.sh): do not set selinux labels if disabled
Also, it's not enough to check if `SELINUX=disabled` in /etc/selinux/config,
because it can be disabled via kernel command line options.
aafeijoo-suse committed Sep 12, 2023
1 parent 6acfeca commit 2302ddd
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions dracut-initramfs-restore.sh
Expand Up @@ -75,9 +75,12 @@ if [[ -d squash ]]; then
fi
fi

if [ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]; then
if grep -q -w selinux /sys/kernel/security/lsm 2> /dev/null \
&& [ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]; then
. /etc/selinux/config
[ -n "${SELINUXTYPE}" ] && /usr/sbin/setfiles -v -r /run/initramfs /etc/selinux/"${SELINUXTYPE}"/contexts/files/file_contexts /run/initramfs > /dev/null
if [[ $SELINUX != "disabled" && -n $SELINUXTYPE ]]; then
/usr/sbin/setfiles -v -r /run/initramfs /etc/selinux/"${SELINUXTYPE}"/contexts/files/file_contexts /run/initramfs > /dev/null
fi
fi

exit 0
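
Review bot: the new outer guard `grep -q -w selinux /sys/kernel/security/lsm 2> /dev/null` cannot tell "SELinux is not an active LSM" apart from "the file could not be read". In both cases grep exits non-zero, the error is discarded, and the `setfiles` relabel of /run/initramfs is silently skipped. On a host where SELinux is enforcing but securityfs is not mounted when the script runs, the restored initramfs tree would be left with whatever labels it was unpacked with. Consider testing that /sys/kernel/security/lsm is readable first and falling through to the `$SELINUX != "disabled"` check when it is not, or at least logging that labelling was skipped. The reason for having two checks (config file versus kernel command line) is stated only in the commit message, so a short comment above the `if` would help. As a style point, the retained `[ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]` uses the obsolescent `-a` operator, while the inner test already uses `[[ ... && ... ]]`; the outer test could take the same form.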
