#!/usr/bin/python3
"""
Set SELinux file contexts

Sets correct SELinux labels for every file in the tree, according to the
SELinux policy installed inside the tree.

Uses the host's `setfiles` program and the tree's `file_contexts`, usually
    /etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts
where <SELINUXTYPE> is the value set in /etc/selinux/config (usually "targeted"
but may also be "minimum" or "mls").

This stage may set or modify xattrs for any file inside the tree, but should
not need to create files, modify file contents, or read any files other than
`file_contexts`.

This stage should run after all other stages that create (or move) files, since
labels for newly-created files are determined by the host's SELinux policy and
may not match the tree's policy.
"""


import os
import subprocess
import sys

import osbuild.api


SCHEMA = """
"additionalProperties": false,
"required": ["file_contexts"],
"properties": {
  "file_contexts": {
    "type": "string",
    "description": "Path to the active SELinux policy's `file_contexts`"
  },
  "labels": {
    "type": "object",
    "description": "Labels to set of the specified files or folders",
    "items": {
      "type": "object"
    }
  }
}
"""


def main(tree, options):
    file_contexts = os.path.join(f"{tree}", options["file_contexts"])
    labels = options.get("labels", {})

    subprocess.run(["setfiles", "-F", "-r", f"{tree}", f"{file_contexts}", f"{tree}"], check=True)

    for path, label in labels.items():
        fullpath = os.path.join(tree, path.lstrip("/"))
        subprocess.run(["chcon", "-v", label, fullpath], check=True)


if __name__ == '__main__':
    args = osbuild.api.arguments()
    r = main(args["tree"], args["options"])
    sys.exit(r)