authorKevin Kofler <kevin.kofler@chello.at>2019-05-09 13:50:31 +0200
committerKevin Kofler <kevin.kofler@chello.at>2019-05-09 13:50:31 +0200
commit34083344a4107307909710a64804542344b42ce9 (patch)
tree9df06c9b5f74a5040d32857863e9e93773e5d8ac
parentf25b1528a501d212964cba289b2ec23305ea2b18 (diff)
mount: copy the SELinux context of the host directory to the mountpoint
On systems with SELinux enabled, we have to create the directories on top of which we mount another partition or virtual file system (e.g., /dev) with the correct SELinux context, BEFORE we mount the other partition. Otherwise, SELinux will get really confused when systemd tries to recreate the mount tree for a private file system namespace for a service. And unfortunately, even an autorelabel does not fix it because it runs when /dev etc. are already mounted. Without this fix, on Fedora >= 30, the system installed with Calamares would fail to start the dbus-broker system bus, leading to several important pieces of functionality not working (e.g., shutdown as non-root). On systems without SELinux enabled, chcon (which is part of coreutils) will just print a warning and do nothing, so this should always be safe.
-rw-r--r--src/modules/mount/main.py11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/modules/mount/main.py b/src/modules/mount/main.py
index aab3568d1..1b98482f9 100644
--- a/src/modules/mount/main.py
+++ b/src/modules/mount/main.py
@@ -22,6 +22,7 @@
import tempfile
import subprocess
+import os
import libcalamares
@@ -48,7 +49,15 @@ def mount_partitions(root_mount_point, partitions):
continue
# Create mount point with `+` rather than `os.path.join()` because
# `partition["mountPoint"]` starts with a '/'.
- mount_point = root_mount_point + partition["mountPoint"]
+ raw_mount_point = partition["mountPoint"]
+ mount_point = root_mount_point + raw_mount_point
+
+ # Ensure that the created directory has the correct SELinux context on
+ # SELinux-enabled systems.
+ os.makedirs(mount_point, exist_ok=True)
+ subprocess.call(['chcon', '--reference=' + raw_mount_point,
+ mount_point])
+
fstype = partition.get("fs", "").lower()
if fstype == "fat16" or fstype == "fat32":
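Review bot: The return value of the `subprocess.call(['chcon', ...])` added after `os.makedirs` is discarded, so a failed relabel leaves no trace in the installer log. If the reference path does not exist on the host (presumably possible for a custom mount point), or chcon fails for any other reason, the new directory silently keeps its default SELinux label. That is the mislabelled state this commit is meant to prevent. I would keep the failure non-fatal, since chcon is expected to do nothing useful on systems without SELinux, but record it: `rc = subprocess.call([...])` followed by `if rc != 0: libcalamares.utils.debug("chcon --reference failed for {!s} (exit {!s})".format(mount_point, rc))`. The body of `mount_partitions` starts and continues outside this hunk, so later handling of `mount_point` is not visible here.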