Bug: Apply SELinux context after binary replacement (#1678)

- Move SELinux context handling to internal/ghupdate for reuse - Make chcon a true fallback (only runs if semanage/restorecon unavailable) - Handle existing semanage rules with -m (modify) after -a (add) fails - Apply SELinux handling to both agent and hub updates - Add tests with proper skip behavior for SELinux systems --------- Co-authored-by: henrygd <hank@henrygd.me>
2026-03-22 05:36:15 +01:00 · 2026-01-27 23:39:17 +01:00
parent afcae025ae
commit 42da1e5a52
4 changed files with 127 additions and 43 deletions
--- a/agent/update.go
+++ b/agent/update.go
@@ -1,12 +1,10 @@
 package agent

 import (
-	"fmt"
 	"log"
 	"os"
 	"os/exec"
 	"runtime"
-	"strings"

 	"github.com/henrygd/beszel/internal/ghupdate"
 )
@@ -108,12 +106,12 @@ func Update(useMirror bool) error {
 		}
 	}

-	// 6) Fix SELinux context if necessary
-	if err := handleSELinuxContext(exePath); err != nil {
+	// Fix SELinux context if necessary
+	if err := ghupdate.HandleSELinuxContext(exePath); err != nil {
 		ghupdate.ColorPrintf(ghupdate.ColorYellow, "Warning: SELinux context handling: %v", err)
 	}

-	// 7) Restart service if running under a recognised init system
+	// Restart service if running under a recognised init system
 	if r := detectRestarter(); r != nil {
 		if err := r.Restart(); err != nil {
 			ghupdate.ColorPrintf(ghupdate.ColorYellow, "Warning: failed to restart service: %v", err)
@@ -128,41 +126,3 @@ func Update(useMirror bool) error {
 	return nil
 }

-// handleSELinuxContext restores or applies the correct SELinux label to the binary.
-func handleSELinuxContext(path string) error {
-	out, err := exec.Command("getenforce").Output()
-	if err != nil {
-		// SELinux not enabled or getenforce not available
-		return nil
-	}
-	state := strings.TrimSpace(string(out))
-	if state == "Disabled" {
-		return nil
-	}
-
-	ghupdate.ColorPrint(ghupdate.ColorYellow, "SELinux is enabled; applying context…")
-	var errs []string
-
-	// Try persistent context via semanage+restorecon
-	if semanagePath, err := exec.LookPath("semanage"); err == nil {
-		if err := exec.Command(semanagePath, "fcontext", "-a", "-t", "bin_t", path).Run(); err != nil {
-			errs = append(errs, "semanage fcontext failed: "+err.Error())
-		} else if restoreconPath, err := exec.LookPath("restorecon"); err == nil {
-			if err := exec.Command(restoreconPath, "-v", path).Run(); err != nil {
-				errs = append(errs, "restorecon failed: "+err.Error())
-			}
-		}
-	}
-
-	// Fallback to temporary context via chcon
-	if chconPath, err := exec.LookPath("chcon"); err == nil {
-		if err := exec.Command(chconPath, "-t", "bin_t", path).Run(); err != nil {
-			errs = append(errs, "chcon failed: "+err.Error())
-		}
-	}
-
-	if len(errs) > 0 {
-		return fmt.Errorf("SELinux context errors: %s", strings.Join(errs, "; "))
-	}
-	return nil
-}