From a815bf5ab44388baecb597a0b83f71872a2d34bc Mon Sep 17 00:00:00 2001
From: Robbert Klarenbeek
Date: Fri, 16 Feb 2024 08:24:39 +0100
Subject: [PATCH] fix: Apply SELinux security context after moving to mail-state (#3890)
* fix: Apply SELinux security context after moving to mail-state
* fix: Ignore failing chcon on non-SELinux systems
---
 CHANGELOG.md | 1 +
 target/scripts/startup/setup.d/mail_state.sh | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8030f43..2faf36f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -82,6 +82,7 @@ The most noteworthy change of this release is the update of the container's base
 - `RELAY_HOST` ENV no longer enforces configuring outbound SMTP to require credentials. Like `DEFAULT_RELAY_HOST` it can now configure a relay where credentials are optional.
 - Restarting DMS should not be required when configuring relay hosts without these ENV, but solely via `setup relay ...`, as change detection events now apply relevant Postfix setting changes for supporting credentials too.
 - Rspamd configuration: Add a missing comma in `local_networks` so that all internal IP addresses are actually considered as internal ([#3862](https://github.com/docker-mailserver/docker-mailserver/pull/3862))
+- Ensure correct SELinux security context labels for files and directories moved to the mail-state volume during setup ([#3890](https://github.com/docker-mailserver/docker-mailserver/pull/3890))
 ## [v13.3.1](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.3.1)
diff --git a/target/scripts/startup/setup.d/mail_state.sh b/target/scripts/startup/setup.d/mail_state.sh
index 9c43fea4..5acf6762 100644
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@@ -48,6 +48,9 @@ function _setup_save_states() {
 _log 'trace' "Moving ${SERVICEFILE} to ${DEST}"
 # Empty volume was mounted, or new content from enabling a feature ENV:
 mv "${SERVICEFILE}" "${DEST}"
+ # Apply SELinux security context to match the state directory, so access
+ # is not restricted to the current running container:
+ chcon -R --reference="${STATEDIR}" "${DEST}" 2>/dev/null || true
 fi
 # Symlink the original file in the container ($SERVICEFILE) to be
@@ -69,6 +72,9 @@ function _setup_save_states() {
 _log 'trace' "Moving contents of ${SERVICEDIR} to ${DEST}"
 # Empty volume was mounted, or new content from enabling a feature ENV:
 mv "${SERVICEDIR}" "${DEST}"
+ # Apply SELinux security context to match the state directory, so access
+ # is not restricted to the current running container:
+ chcon -R --reference="${STATEDIR}" "${DEST}" 2>/dev/null || true
 fi
 # Symlink the original path in the container ($SERVICEDIR) to be
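Review bot: The `2>/dev/null || true` on the added `chcon` line swallows every failure, including the ones on SELinux hosts where the relabel is the whole point — the container being denied the relabel, or `${STATEDIR}` carrying no usable label — so the mismatch this commit fixes would resurface later as an opaque access denial with nothing in the log. Keeping the non-SELinux case quiet only needs a low-level log message in place of `true`: `chcon -R --reference="${STATEDIR}" "${DEST}" 2>/dev/null || _log 'debug' "Could not apply SELinux context of '${STATEDIR}' to '${DEST}'"` (assuming `_log` accepts `'debug'` as it does `'trace'`). The same three lines are duplicated in the second hunk at `@@ -69,6 +72,9 @@`; a small helper called from both the file and directory branches would keep the two copies from drifting. `_setup_save_states` begins and ends outside both hunks.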