Explicitly label .origin files as configuration

subscription-manager has a daemon that runs in a confined domain,
and it doesn't have permission to write usr_t, which is the default
label of /ostree/deploy/$osname/deploy.

A better long term fix is probably to move the origin file into the
deployment root as /etc/ostree/origin.conf or so.

In the meantime, let's ensure the .origin files are labeled as
configuration.

src/libostree/ostree-sepolicy.c

@@ -45,6 +45,8 @@ struct OstreeSePolicy {
 
   GFile *path;
 
+  gboolean runtime_enabled;
+
 #ifdef HAVE_SELINUX
   GFile *selinux_policy_root;
   struct selabel_handle *selinux_hnd;
@@ -221,6 +223,8 @@ initable_init (GInitable     *initable,
 
   if (enabled)
     {
+      self->runtime_enabled = is_selinux_enabled () == 1;
+
       g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE);
       if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0)
         {
@@ -454,3 +458,60 @@ ostree_sepolicy_restorecon (OstreeSePolicy    *self,
   return TRUE;
 #endif
 }
+
+/**
+ * ostree_sepolicy_setfscreatecon:
+ * @self: Policy
+ * @path: Use this path to determine a label
+ * @mode: Used along with @path
+ * @error: Error
+ *
+ */
+gboolean
+ostree_sepolicy_setfscreatecon (OstreeSePolicy   *self,
+                                const char       *path,
+                                guint32           mode,
+                                GError          **error)
+{
+#ifdef HAVE_SELINUX
+  gboolean ret = FALSE;
+  gs_free char *label = NULL;
+
+  /* setfscreatecon() will bomb out if the host has SELinux disabled,
+   * but we're enabled for the target system.  This is kind of a
+   * broken scenario...for now, we'll silently ignore the label
+   * request.  To correctly handle the case of disabled host but
+   * enabled target will require nontrivial work.
+   */
+  if (!self->runtime_enabled)
+    return TRUE;
+
+  if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error))
+    goto out;
+
+  if (setfscreatecon_raw (label) != 0)
+    {
+      gs_set_error_from_errno (error, errno);
+      return FALSE;
+    }
+
+  ret = TRUE;
+ out:
+  return ret;
+#else
+  return TRUE;
+#endif
+}
+
+/**
+ * ostree_sepolicy_fscreatecon_cleanup:
+ *
+ * Cleanup function for ostree_sepolicy_setfscreatecon().
+ */
+void
+ostree_sepolicy_fscreatecon_cleanup (void **unused)
+{
+#ifdef HAVE_SELINUX
+  setfscreatecon (NULL);
+#endif
+}

src/libostree/ostree-sepolicy.h

@@ -62,5 +62,14 @@ gboolean ostree_sepolicy_restorecon (OstreeSePolicy   *self,
                                      GCancellable     *cancellable,
                                      GError          **error);
 
+gboolean ostree_sepolicy_setfscreatecon (OstreeSePolicy   *self,
+                                         const char       *path,
+                                         guint32           mode,
+                                         GError          **error);
+
+void ostree_sepolicy_fscreatecon_cleanup (void **unused);
+
+#define ostree_cleanup_sepolicy_fscreatecon __attribute__ ((cleanup(ostree_sepolicy_fscreatecon_cleanup)))
+
 G_END_DECLS
 

src/libostree/ostree-sysroot-deploy.c

@@ -1893,13 +1893,6 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
       goto out;
     }
 
-  if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL,
-                                         cancellable, error))
-    {
-      g_prefix_error (error, "Writing out origin file: ");
-      goto out;
-    }
-
   /* Create an empty boot configuration; we will merge things into
    * it as we go.
    */
@@ -1915,6 +1908,9 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
       goto out;
     }
 
+  g_clear_object (&self->sepolicy);
+  self->sepolicy = g_object_ref (sepolicy);
+
   deployment_etc = g_file_get_child (new_deployment_path, "etc");
 
   if (!selinux_relabel_var_if_needed (self, sepolicy, deployment_var,
@@ -1925,6 +1921,29 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
                                              cancellable, error))
     goto out;
 
+  { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL;
+
+    /* Explicitly override the label for the origin file to ensure
+     * it's system_conf_t.
+     */
+    if (self->sepolicy != NULL
+        && ostree_sepolicy_get_name (self->sepolicy) != NULL)
+      {
+        if (!ostree_sepolicy_setfscreatecon (self->sepolicy,
+                                             "/etc/ostree/remotes.d/dummy.conf",
+                                             0644,
+                                             error))
+          goto out;
+      }
+
+    if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL,
+                                           cancellable, error))
+      {
+        g_prefix_error (error, "Writing out origin file: ");
+        goto out;
+      }
+  }
+
   /* After this, install_deployment_kernel() will set the other boot
    * options and write it out to disk.
    */

src/libostree/ostree-sysroot-private.h

@@ -34,6 +34,8 @@ struct OstreeSysroot {
 
   gboolean loaded;
   
+  OstreeSePolicy *sepolicy;
+  
   GPtrArray *deployments;
   int bootversion;
   int subbootversion;

src/libostree/ostree-sysroot.c

@@ -63,6 +63,7 @@ ostree_sysroot_finalize (GObject *object)
   OstreeSysroot *self = OSTREE_SYSROOT (object);
 
   g_clear_object (&self->path);
+  g_clear_object (&self->sepolicy);
 
   G_OBJECT_CLASS (ostree_sysroot_parent_class)->finalize (object);
 }