From e1d658ef1153ecb16acda19e3f6fe2edea7cf4e4 Mon Sep 17 00:00:00 2001
From: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
Date: Thu, 9 Sep 2021 10:05:04 +0200
Subject: mount-copybind: add SELinux support

bind mounts don't use the SELinux label of the target, but the SELinux
label of the source.

This patch restores the SELinux context of the bind mount recursively using
restorecon.

(From OE-Core rev: 6f3e231dc9bc11772573bf9683de9804460362d1)

Signed-off-by: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-core/volatile-binds/files/mount-copybind | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'meta/recipes-core/volatile-binds')

diff --git a/meta/recipes-core/volatile-binds/files/mount-copybind b/meta/recipes-core/volatile-binds/files/mount-copybind
index e32e675308..57a5ce5f21 100755
--- a/meta/recipes-core/volatile-binds/files/mount-copybind
+++ b/meta/recipes-core/volatile-binds/files/mount-copybind
@@ -46,6 +46,12 @@ if [ -d "$mountpoint" ]; then
         fi
 
         mount -o "bind$options" "$spec" "$mountpoint"
+        # restore the selinux context.
+        if command -v selinuxenabled > /dev/null 2>&1; then
+            if selinuxenabled; then
+                restorecon -R "$mountpoint"
+            fi
+        fi
     fi
 elif [ -f "$mountpoint" ]; then
     if [ ! -f "$spec" ]; then
@@ -53,4 +59,10 @@ elif [ -f "$mountpoint" ]; then
     fi
 
     mount -o "bind$options" "$spec" "$mountpoint"
+    # restore the selinux context.
+    if command -v selinuxenabled > /dev/null 2>&1; then
+        if selinuxenabled; then
+            restorecon -R "$mountpoint"
+        fi
+    fi
 fi
-- 
cgit v1.2.3-54-g00ecf