fix: Add SELinux context restoration for Fedora/RHEL systems. Related to #996

On SELinux-enforcing systems (Fedora, RHEL, CentOS), binaries installed to non-standard locations need proper security contexts for systemd to execute them. Without this, systemd fails with 'Permission denied' even when the binary has correct Unix permissions. Changes: - Add restore_selinux_contexts() function to both install scripts - Uses restorecon (preferred) or chcon (fallback) to set bin_t context - Only runs when SELinux is detected and enforcing - Called after binary installation, before systemd service start
2026-05-01 21:10:13 +00:00 · 2025-12-31 23:12:53 +00:00 · 2025-12-31 23:12:53 +00:00 · 724362504e
commit 724362504e
parent c1f4b8f40b
2 changed files with 62 additions and 0 deletions
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -98,6 +98,33 @@ fail() {
    exit 1
 }

+# --- SELinux Context Restoration ---
+# On SELinux-enforcing systems (Fedora, RHEL, CentOS), binaries in non-standard
+# locations need proper security contexts for systemd to execute them.
+restore_selinux_contexts() {
+    # Check if SELinux is available and enforcing
+    if ! command -v getenforce >/dev/null 2>&1; then
+        return 0  # SELinux not installed
+    fi
+
+    if [[ "$(getenforce 2>/dev/null)" != "Enforcing" ]]; then
+        return 0  # SELinux not enforcing
+    fi
+
+    # restorecon is the proper way to fix SELinux contexts
+    if command -v restorecon >/dev/null 2>&1; then
+        log_info "Restoring SELinux contexts for installed binaries..."
+        restorecon -v "${INSTALL_DIR}/${BINARY_NAME}" >/dev/null 2>&1 || true
+        log_info "SELinux context restored"
+    else
+        # Fallback to chcon if restorecon isn't available
+        if command -v chcon >/dev/null 2>&1; then
+            log_info "Setting SELinux context for installed binary..."
+            chcon -t bin_t "${INSTALL_DIR}/${BINARY_NAME}" 2>/dev/null || true
+        fi
+    fi
+}
+
 # --- Auto-Detection Functions ---
 detect_docker() {
    # Check if Docker is available and accessible
@ -1275,6 +1302,9 @@ EOF
    # Restrict service file permissions (contains no secrets now, but good practice)
    chmod 644 "$UNIT"

+    # Restore SELinux contexts (required for Fedora, RHEL, CentOS)
+    restore_selinux_contexts
+
    systemctl daemon-reload
    systemctl enable "${AGENT_NAME}"
    systemctl restart "${AGENT_NAME}"