dispatch-conf: copy SELinux labels to merged files

Signed-off-by: Kenton Groombridge <concord@gentoo.org> Closes: https://github.com/gentoo/portage/pull/1099 Signed-off-by: Sam James <sam@gentoo.org>
author: Kenton Groombridge <concord@gentoo.org> 2023-09-21 16:28:02 -0400
committer: Sam James <sam@gentoo.org> 2023-09-26 21:54:12 +0100
commit: 0c324425b7c6151a59fe85577b74c895c3c85aed (patch)
tree: 07e7765dc2ca2bedc8b17377dded90bb57738d33 /bin
parent: etc-update: set SELinux security labels on merged files (diff)
download: portage-0c324425b7c6151a59fe85577b74c895c3c85aed.tar.gz
portage-0c324425b7c6151a59fe85577b74c895c3c85aed.tar.bz2
portage-0c324425b7c6151a59fe85577b74c895c3c85aed.zip
1 files changed, 27 insertions, 0 deletions
diff --git a/bin/dispatch-conf b/bin/dispatch-conf
index 154b26ff5..849be562e 100755
--- a/bin/dispatch-conf
+++ b/bin/dispatch-conf
@@ -12,6 +12,7 @@
 #
 
 import atexit
+import errno
 import re
 import subprocess
 import sys
@@ -398,6 +399,8 @@ class dispatch:
                     mystat = os.lstat(conf["new"])
                     os.chmod(mrgconf, mystat[ST_MODE])
                     os.chown(mrgconf, mystat[ST_UID], mystat[ST_GID])
+                    if "selinux" in portage.settings.features:
+                        self.copy_selinux_label(conf["current"], mrgconf)
                     newconf = mrgconf
                     continue
                 elif c == "l":
@@ -434,6 +437,30 @@ class dispatch:
 
         perform_conf_update_session_hooks("post-session")
 
+    def copy_selinux_label(self, curconf, newconf):
+        """Copy the SELinux security label from the current config file to
+        the new/merged config file."""
+        try:
+            label = os.getxattr(curconf, "security.selinux")
+        except OSError as e:
+            if e.errno == errno.ENOTSUP:
+                # Filesystem does not support xattrs
+                return
+            writemsg(
+                f"dispatch-conf: Failed getting SELinux label on {curconf}; ignoring...\n",
+                noiselevel=-1,
+            )
+            return
+
+        if label:
+            try:
+                os.setxattr(newconf, "security.selinux", label)
+            except OSError:
+                writemsg(
+                    f"dispatch-conf: Failed setting SELinux label on {newconf}; ignoring...\n",
+                    noiselevel=-1,
+                )
+
     def replace(self, newconf, curconf):
         """Replace current config with the new/merged version.  Also logs
         the diff of what changed into the configured log file."""
author	Kenton Groombridge <concord@gentoo.org>	2023-09-21 16:28:02 -0400
committer	Sam James <sam@gentoo.org>	2023-09-26 21:54:12 +0100
commit	0c324425b7c6151a59fe85577b74c895c3c85aed (patch)
tree	07e7765dc2ca2bedc8b17377dded90bb57738d33 /bin
parent	etc-update: set SELinux security labels on merged files (diff)
download	portage-0c324425b7c6151a59fe85577b74c895c3c85aed.tar.gz portage-0c324425b7c6151a59fe85577b74c895c3c85aed.tar.bz2 portage-0c324425b7c6151a59fe85577b74c895c3c85aed.zip