packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

commit: filter out selinux label before commit 

The new --selinux-policy added in [0] exposed a subtle issue in the way
we handle labeling during commit. The CI system in rpm-ostree hit this
when trying to make use of it[1].

Basically, because of the way we use a GVariant to represent xattrs, if
a file to be committed already has an SELinux label, the xattr object
ends up with *two* label entries. This of course throws off fsck later
on, since the checksum will have gone over both entries, even though the
on-disk file will only have a single label (in which the second entry
wins).

I confirmed that the `fsck` added in the installed test fails without
the rest of this patch.

[0] https://github.com/ostreedev/ostree/pull/1114
[1] https://github.com/projectatomic/rpm-ostree/pull/953

Closes: #1121
Approved by: cgwalters
This commit is contained in:
Jonathan Lebon 2017-08-30 15:20:31 -04:00 committed by Atomic Bot
parent 93d2590c35
commit 12114ce382
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/libostree/ostree-repo-commit.c
View File

@ -34,6 +34,7 @@
#include "ostree.h" #include "ostree.h"
#include "ostree-core-private.h" #include "ostree-core-private.h"
#include "ostree-repo-private.h" #include "ostree-repo-private.h"
#include "ostree-sepolicy-private.h"
#include "ostree-repo-file-enumerator.h" #include "ostree-repo-file-enumerator.h"
#include "ostree-checksum-input-stream.h" #include "ostree-checksum-input-stream.h"
#include "ostree-varint.h" #include "ostree-varint.h"
@ -2484,6 +2485,16 @@ get_modified_xattrs (OstreeRepo *self,
{ {
g_autoptr(GVariantBuilder) builder = NULL; g_autoptr(GVariantBuilder) builder = NULL;
if (ret_xattrs)
{
/* drop out any existing SELinux policy from the set, so we don't end up
* counting it twice in the checksum */
g_autoptr(GVariant) new_ret_xattrs = NULL;
new_ret_xattrs = _ostree_filter_selinux_xattr (ret_xattrs);
g_variant_unref (ret_xattrs);
ret_xattrs = g_steal_pointer (&new_ret_xattrs);
}
/* ret_xattrs may be NULL */ /* ret_xattrs may be NULL */
builder = ot_util_variant_builder_from_variant (ret_xattrs, builder = ot_util_variant_builder_from_variant (ret_xattrs,
G_VARIANT_TYPE ("a(ayay)")); G_VARIANT_TYPE ("a(ayay)"));

1
tests/installed/itest-label-selinux.sh
View File

@ -24,6 +24,7 @@ ostree --repo=/ostree/repo commit -b testbranch --link-checkout-speedup \
--selinux-policy co --tree=dir=co --selinux-policy co --tree=dir=co
ostree --repo=/ostree/repo ls -X testbranch /usr/bin/foo-a-generic-binary > ls.txt ostree --repo=/ostree/repo ls -X testbranch /usr/bin/foo-a-generic-binary > ls.txt
assert_file_has_content ls.txt ${oldcon} assert_file_has_content ls.txt ${oldcon}
ostree --repo=/ostree/repo fsck
ostree --repo=/ostree/repo refs --delete testbranch ostree --repo=/ostree/repo refs --delete testbranch
rm co -rf rm co -rf