set specific bin_t context on bins dir

hedge-sparrow · hedge-sparrow · commit 0cd59ae7e23c · 2025-06-30T14:21:58.000+01:00
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
@@ -40,11 +40,20 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 		}
 	}
 
-	h.logger.Debugln("checking for restorecon binary in $PATH")
-	if _, err := exec.LookPath("restorecon"); err != nil {
-		h.logger.Debugln("restorecon not found")
+	h.logger.Debugln("checking for semanage binary in $PATH")
+	if _, err := exec.LookPath("semanage"); err != nil {
+		h.logger.Debugln("semanage not found")
 	} else {
-		out, err := exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
+
+		// Set selinux fcontext for embedded-cluster binary directory to bin_t
+		out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(.*)?").CombinedOutput()
+		if err != nil {
+			h.logger.Debugf("unable to set contexts on binary directory: %v", err)
+			h.logger.Debugln(out)
+		}
+
+		// Relabel whole embedded-cluster data directory since it's created with unconfined_u
+		out, err = exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
 		if err != nil {
 			h.logger.Debugf("unable to run restorecon: %v", err)
 			h.logger.Debugln(out)
