
Commit

fix: Apply SELinux security context after moving to mail-state (#3890)
* fix: Apply SELinux security context after moving to mail-state
* fix: Ignore failing chcon on non-SELinux systems
robbertkl committed Feb 16, 2024
1 parent 79a9656 commit a815bf5
Showing 2 changed files with 7 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -82,6 +82,7 @@ The most noteworthy change of this release is the update of the container's base
- `RELAY_HOST` ENV no longer enforces configuring outbound SMTP to require credentials. Like `DEFAULT_RELAY_HOST` it can now configure a relay where credentials are optional.
- Restarting DMS should not be required when configuring relay hosts without these ENV, but solely via `setup relay ...`, as change detection events now apply relevant Postfix setting changes for supporting credentials too.
- Rspamd configuration: Add a missing comma in `local_networks` so that all internal IP addresses are actually considered as internal ([#3862](https://github.com/docker-mailserver/docker-mailserver/pull/3862))
- Ensure correct SELinux security context labels for files and directories moved to the mail-state volume during setup ([#3890](https://github.com/docker-mailserver/docker-mailserver/pull/3890))

## [v13.3.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.3.1)

6 changes: 6 additions & 0 deletions target/scripts/startup/setup.d/mail_state.sh
Expand Up @@ -48,6 +48,9 @@ function _setup_save_states() {
_log 'trace' "Moving ${SERVICEFILE} to ${DEST}"
# Empty volume was mounted, or new content from enabling a feature ENV:
mv "${SERVICEFILE}" "${DEST}"
# Apply SELinux security context to match the state directory, so access
# is not restricted to the current running container:
chcon -R --reference="${STATEDIR}" "${DEST}" 2>/dev/null || true
fi

# Symlink the original file in the container ($SERVICEFILE) to be
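Review bot: `2>/dev/null || true` on the added `chcon` line discards every failure, not only the non-SELinux case named in the commit message. On an SELinux host where the relabel fails, the moved file keeps its old label and nothing is logged, so the access problem this change targets would come back with no trace. Consider reporting a non-zero exit through `_log` (already used earlier in this hunk) instead of `|| true`, or running `chcon` only when SELinux is enabled, so a failed relabel is visible.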
Expand All @@ -69,6 +72,9 @@ function _setup_save_states() {
_log 'trace' "Moving contents of ${SERVICEDIR} to ${DEST}"
# Empty volume was mounted, or new content from enabling a feature ENV:
mv "${SERVICEDIR}" "${DEST}"
# Apply SELinux security context to match the state directory, so access
# is not restricted to the current running container:
chcon -R --reference="${STATEDIR}" "${DEST}" 2>/dev/null || true
fi

# Symlink the original path in the container ($SERVICEDIR) to be
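Review bot: the three lines added after `mv "${SERVICEDIR}" "${DEST}"` are a verbatim copy of the ones added in the file branch above. Move them into a small helper that takes the destination path, so the comment and the error handling live in one place and the two branches cannot drift apart. The comment could also say that `--reference` copies the full context of `${STATEDIR}` and that `-R` applies it to everything under `${DEST}`, since that is what makes the moved content accessible outside the current container.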
