NSS: Force restore of SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

ipaplatform/base/tasks.py

@@ -34,13 +34,11 @@ logger = logging.getLogger(__name__)
 
 class BaseTaskNamespace(object):
 
-    def restore_context(self, filepath):
-        """
-        Restore SELinux security context on the given filepath.
+    def restore_context(self, filepath, force=False):
+        """Restore SELinux security context on the given filepath.
 
         No return value expected.
         """
-
         raise NotImplementedError()
 
     def backup_hostname(self, fstore, statestore):

ipaplatform/redhat/tasks.py

@@ -103,21 +103,27 @@ class IPAVersion(object):
 
 class RedHatTaskNamespace(BaseTaskNamespace):
 
-    def restore_context(self, filepath, restorecon=paths.SBIN_RESTORECON):
-        """
-        restore security context on the file path
+    def restore_context(self, filepath, force=False):
+        """Restore SELinux security context on the given filepath.
+
         SELinux equivalent is /path/to/restorecon <filepath>
         restorecon's return values are not reliable so we have to
         ignore them (BZ #739604).
 
         ipautil.run() will do the logging.
         """
-
-        if not selinux_enabled():
+        restorecon = paths.SBIN_RESTORECON
+        if not selinux_enabled() or not os.path.exists(restorecon):
             return
 
-        if (os.path.exists(restorecon)):
-            ipautil.run([restorecon, filepath], raiseonerr=False)
+        # Force reset of context to match file_context for customizable
+        # files, and the default file context, changing the user, role,
+        # range portion as well as the type.
+        args = [restorecon]
+        if force:
+            args.append('-F')
+        args.append(filepath)
+        ipautil.run(args, raiseonerr=False)
 
     def check_selinux_status(self, restorecon=paths.RESTORECON):
         """

ipapython/certdb.py

@@ -32,7 +32,6 @@ import shutil
 
 import cryptography.x509
 
-from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -388,15 +387,16 @@ class NSSDatabase(object):
         # Finally fix up perms
         os.chown(self.secdir, uid, gid)
         os.chmod(self.secdir, dirmode)
+        tasks.restore_context(self.secdir, force=True)
         for filename in self.filenames:
-            path = os.path.join(self.secdir, filename)
-            if os.path.exists(path):
-                os.chown(path, uid, gid)
-                if path == self.pwd_file:
+            if os.path.exists(filename):
+                os.chown(filename, uid, gid)
+                if filename == self.pwd_file:
                     new_mode = pwdfilemode
                 else:
                     new_mode = filemode
-                os.chmod(path, new_mode)
+                os.chmod(filename, new_mode)
+                tasks.restore_context(filename, force=True)
 
     def convert_db(self, rename_old=True):
         """Convert DBM database format to SQL database format
@@ -438,7 +438,7 @@ class NSSDatabase(object):
             oldstat = os.stat(oldname)
             os.chmod(newname, stat.S_IMODE(oldstat.st_mode))
             os.chown(newname, oldstat.st_uid, oldstat.st_gid)
-            tasks.restore_context(newname)
+            tasks.restore_context(newname, force=True)
 
         self._set_filenames('sql')
         self.list_certs()  # self-test