packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

deploy: SELinux-relabel installed kernel/initramfs data 

When we changed around the kernel location in rpm-ostree, we
started installing the kernel into `/boot` as `modules_object_t`,
and the current policy didn't permit that.  For maximum compatibility,
relabel installed kernel/initramfs/dtb as `boot_t`.

https://bugzilla.redhat.com/show_bug.cgi?id=1536991

Closes: #1444
Approved by: jlebon
This commit is contained in:
Colin Walters 2018-02-02 13:46:15 -05:00 committed by Atomic Bot
parent 6bf4b3e1d8
commit 4a98a86b72
2 changed files with 69 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/libostree/ostree-sysroot-deploy.c
View File

@ -99,7 +99,8 @@ sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
* hardlink if we're on the same partition. * hardlink if we're on the same partition.
*/ */
static gboolean static gboolean
hardlink_or_copy_at (int src_dfd, install_into_boot (OstreeSePolicy *sepolicy,
int src_dfd,
const char *src_subpath, const char *src_subpath,
int dest_dfd, int dest_dfd,
const char *dest_subpath, const char *dest_subpath,
@ -110,9 +111,26 @@ hardlink_or_copy_at (int src_dfd,
if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) != 0) if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) != 0)
{ {
if (G_IN_SET (errno, EMLINK, EXDEV)) if (G_IN_SET (errno, EMLINK, EXDEV))
{
/* Be sure we relabel when copying the kernel, as in current
* e.g. Fedora it might be labeled module_object_t or usr_t,
* but policy may not allow other processes to read from that
* like kdump.
* See also https://github.com/fedora-selinux/selinux-policy/commit/747f4e6775d773ab74efae5aa37f3e5e7f0d4aca
* This means we also drop xattrs but...I doubt anyone uses
* non-SELinux xattrs for the kernel anyways aside from perhaps
* IMA but that's its own story.
*/
g_auto(OstreeSepolicyFsCreatecon) fscreatecon = { 0, };
const char *boot_path = glnx_strjoina ("/boot/", glnx_basename (dest_subpath));
if (!_ostree_sepolicy_preparefscreatecon (&fscreatecon, sepolicy,
boot_path, S_IFREG | 0644,
error))
return FALSE;
return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath, return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
sysroot_flags_to_copy_flags (0, flags), GLNX_FILE_COPY_NOXATTRS,
cancellable, error); cancellable, error);
}
else else
return glnx_throw_errno_prefix (error, "linkat(%s)", dest_subpath); return glnx_throw_errno_prefix (error, "linkat(%s)", dest_subpath);
} }
@ -1617,6 +1635,11 @@ install_deployment_kernel (OstreeSysroot *sysroot,
&deployment_dfd, error)) &deployment_dfd, error))
return FALSE; return FALSE;
/* We need to label the kernels */
g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error);
if (!sepolicy)
return FALSE;
/* Find the kernel/initramfs/devicetree in the tree */ /* Find the kernel/initramfs/devicetree in the tree */
g_autoptr(OstreeKernelLayout) kernel_layout = NULL; g_autoptr(OstreeKernelLayout) kernel_layout = NULL;
if (!get_kernel_from_tree (deployment_dfd, &kernel_layout, if (!get_kernel_from_tree (deployment_dfd, &kernel_layout,
@ -1652,8 +1675,7 @@ install_deployment_kernel (OstreeSysroot *sysroot,
return FALSE; return FALSE;
if (errno == ENOENT) if (errno == ENOENT)
{ {
if (!hardlink_or_copy_at (kernel_layout->boot_dfd, if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->kernel_srcpath,
kernel_layout->kernel_srcpath,
bootcsum_dfd, kernel_layout->kernel_namever, bootcsum_dfd, kernel_layout->kernel_namever,
sysroot->debug_flags, sysroot->debug_flags,
cancellable, error)) cancellable, error))
@ -1670,7 +1692,7 @@ install_deployment_kernel (OstreeSysroot *sysroot,
return FALSE; return FALSE;
if (errno == ENOENT) if (errno == ENOENT)
{ {
if (!hardlink_or_copy_at (kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath, if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->initramfs_srcpath,
bootcsum_dfd, kernel_layout->initramfs_namever, bootcsum_dfd, kernel_layout->initramfs_namever,
sysroot->debug_flags, sysroot->debug_flags,
cancellable, error)) cancellable, error))
@ -1685,7 +1707,7 @@ install_deployment_kernel (OstreeSysroot *sysroot,
return FALSE; return FALSE;
if (errno == ENOENT) if (errno == ENOENT)
{ {
if (!hardlink_or_copy_at (kernel_layout->boot_dfd, kernel_layout->devicetree_srcpath, if (!install_into_boot (sepolicy, kernel_layout->boot_dfd, kernel_layout->devicetree_srcpath,
bootcsum_dfd, kernel_layout->devicetree_namever, bootcsum_dfd, kernel_layout->devicetree_namever,
sysroot->debug_flags, sysroot->debug_flags,
cancellable, error)) cancellable, error))

24
tests/installed/itest-deploy-selinux.sh
View File

@ -29,4 +29,28 @@ for file in fstab passwd exports hostname sysctl.conf yum.repos.d \
assert_streq "${current}" "${new}" assert_streq "${current}" "${new}"
done done
# Cleanup
ostree admin undeploy 0 ostree admin undeploy 0
cd /ostree/repo/tmp
ostree checkout --fsync=0 -H ${host_commit} test-label
rm test-label/usr/lib/ostree-boot/vmlinuz*
rm test-label/usr/lib/ostree-boot/initramfs*
cd test-label/usr/lib/modules/*
rm initramfs.img
echo new initramfs > initramfs.img
cd -
ostree commit --link-checkout-speedup --selinux-policy=test-label -b test-label --consume --tree=dir=test-label
ostree admin deploy --karg-proc-cmdline test-label
# This captures all of the boot entries; it'd be slightly annoying
# to try to figure out the accurate one, so let's just ensure that at least
# one entry is boot_t.
# https://bugzilla.redhat.com/show_bug.cgi?id=1536991
ls -Z /boot/ostree/*/ > bootlsz.txt
assert_file_has_content_literal bootlsz.txt 'system_u:object_r:boot_t:s0 vmlinuz-'
assert_file_has_content_literal bootlsz.txt 'system_u:object_r:boot_t:s0 initramfs-'
ostree admin undeploy 0
ostree refs --delete test-label