fix: Add SELinux context restoration for Fedora/RHEL systems. Related to #996

On SELinux-enforcing systems (Fedora, RHEL, CentOS), binaries installed to non-standard locations need proper security contexts for systemd to execute them. Without this, systemd fails with 'Permission denied' even when the binary has correct Unix permissions. Changes: - Add restore_selinux_contexts() function to both install scripts - Uses restorecon (preferred) or chcon (fallback) to set bin_t context - Only runs when SELinux is detected and enforcing - Called after binary installation, before systemd service start
2026-04-28 03:20:11 +00:00 · 2025-12-31 23:12:53 +00:00 · 2025-12-31 23:12:53 +00:00 · 724362504e
commit 724362504e
parent c1f4b8f40b
2 changed files with 62 additions and 0 deletions
--- a/install.sh
+++ b/install.sh
@ -623,6 +623,35 @@ detect_os() {
    fi
 }

+# Restore SELinux contexts for installed binaries
+# On SELinux-enforcing systems (Fedora, RHEL, CentOS), binaries in non-standard
+# locations need proper security contexts for systemd to execute them.
+restore_selinux_contexts() {
+    # Check if SELinux is available and enforcing
+    if ! command -v getenforce >/dev/null 2>&1; then
+        return 0  # SELinux not installed
+    fi
+
+    if [[ "$(getenforce 2>/dev/null)" != "Enforcing" ]]; then
+        return 0  # SELinux not enforcing
+    fi
+
+    # restorecon is the proper way to fix SELinux contexts
+    if command -v restorecon >/dev/null 2>&1; then
+        print_info "Restoring SELinux contexts for installed binaries..."
+        restorecon -Rv "$INSTALL_DIR/bin/" >/dev/null 2>&1 || true
+        restorecon -v /usr/local/bin/pulse* >/dev/null 2>&1 || true
+        print_success "SELinux contexts restored"
+    else
+        # Fallback to chcon if restorecon isn't available
+        if command -v chcon >/dev/null 2>&1; then
+            print_info "Setting SELinux contexts for installed binaries..."
+            find "$INSTALL_DIR/bin/" -type f -executable -exec chcon -t bin_t {} \; 2>/dev/null || true
+            find /usr/local/bin/ -name 'pulse*' -exec chcon -h -t bin_t {} \; 2>/dev/null || true
+        fi
+    fi
+}
+
 check_proxmox_host() {
    # Check if this is a Proxmox VE host
    if command -v pvesh &> /dev/null && [[ -d /etc/pve ]]; then
@ -2637,6 +2666,9 @@ download_pulse() {
            print_success "Version verified: $INSTALLED_VERSION"
        fi
    
+        # Restore SELinux contexts for installed binaries (Fedora, RHEL, etc.)
+        restore_selinux_contexts
+
        # Cleanup
        rm -rf "$TEMP_EXTRACT" "$ARCHIVE_PATH"
    fi  # End of SKIP_DOWNLOAD check