Merge pull request #20767 from bluca/portable_extract_selinux

portable: copy SELinux label when extracting units from images

2 files changed, 16 insertions, 0 deletions

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 34e78e6792..ca92a65efc 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -562,6 +562,21 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 #endif
 }
 
+int mac_selinux_create_file_prepare_label(const char *path, const char *label) {
+#if HAVE_SELINUX
+
+        if (!label)
+                return 0;
+
+        if (!mac_selinux_use())
+                return 0;
+
+        if (setfscreatecon_raw(label) < 0)
+                return log_enforcing_errno(errno, "Failed to set specified SELinux security context '%s' for '%s': %m", label, strna(path));
+#endif
+        return 0;
+}
+
 void mac_selinux_create_file_clear(void) {
 
 #if HAVE_SELINUX
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index 1095bdef0e..4147a3ad50 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -43,6 +43,7 @@ char* mac_selinux_free(char *label);
 
 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
 int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode);
+int mac_selinux_create_file_prepare_label(const char *path, const char *label);
 void mac_selinux_create_file_clear(void);
 
 int mac_selinux_create_socket_prepare(const char *label);