Explicitly label .origin files as configuration

subscription-manager has a daemon that runs in a confined domain, and it doesn't have permission to write usr_t, which is the default label of /ostree/deploy/$osname/deploy. A better long term fix is probably to move the origin file into the deployment root as /etc/ostree/origin.conf or so. In the meantime, let's ensure the .origin files are labeled as configuration.
2015-01-22 17:35:32 -05:00 · 2015-01-22 17:35:32 -05:00 · 6ce80f9685
parent 8f4999c854
commit 6ce80f9685
5 changed files with 99 additions and 7 deletions
--- a/src/libostree/ostree-sepolicy.c
+++ b/src/libostree/ostree-sepolicy.c
@ -45,6 +45,8 @@ struct OstreeSePolicy {

  GFile *path;

+  gboolean runtime_enabled;
+
 #ifdef HAVE_SELINUX
  GFile *selinux_policy_root;
  struct selabel_handle *selinux_hnd;
@ -221,6 +223,8 @@ initable_init (GInitable     *initable,

  if (enabled)
    {
+      self->runtime_enabled = is_selinux_enabled () == 1;
+
      g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE);
      if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0)
        {
@ -454,3 +458,60 @@ ostree_sepolicy_restorecon (OstreeSePolicy    *self,
  return TRUE;
 #endif
 }
+
+/**
+ * ostree_sepolicy_setfscreatecon:
+ * @self: Policy
+ * @path: Use this path to determine a label
+ * @mode: Used along with @path
+ * @error: Error
+ *
+ */
+gboolean
+ostree_sepolicy_setfscreatecon (OstreeSePolicy   *self,
+                                const char       *path,
+                                guint32           mode,
+                                GError          **error)
+{
+#ifdef HAVE_SELINUX
+  gboolean ret = FALSE;
+  gs_free char *label = NULL;
+
+  /* setfscreatecon() will bomb out if the host has SELinux disabled,
+   * but we're enabled for the target system.  This is kind of a
+   * broken scenario...for now, we'll silently ignore the label
+   * request.  To correctly handle the case of disabled host but
+   * enabled target will require nontrivial work.
+   */
+  if (!self->runtime_enabled)
+    return TRUE;
+
+  if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error))
+    goto out;
+
+  if (setfscreatecon_raw (label) != 0)
+    {
+      gs_set_error_from_errno (error, errno);
+      return FALSE;
+    }
+
+  ret = TRUE;
+ out:
+  return ret;
+#else
+  return TRUE;
+#endif
+}
+
+/**
+ * ostree_sepolicy_fscreatecon_cleanup:
+ *
+ * Cleanup function for ostree_sepolicy_setfscreatecon().
+ */
+void
+ostree_sepolicy_fscreatecon_cleanup (void **unused)
+{
+#ifdef HAVE_SELINUX
+  setfscreatecon (NULL);
+#endif
+}
--- a/src/libostree/ostree-sepolicy.h
+++ b/src/libostree/ostree-sepolicy.h
@ -62,5 +62,14 @@ gboolean ostree_sepolicy_restorecon (OstreeSePolicy   *self,
                                     GCancellable     *cancellable,
                                     GError          **error);

+gboolean ostree_sepolicy_setfscreatecon (OstreeSePolicy   *self,
+                                         const char       *path,
+                                         guint32           mode,
+                                         GError          **error);
+
+void ostree_sepolicy_fscreatecon_cleanup (void **unused);
+
+#define ostree_cleanup_sepolicy_fscreatecon __attribute__ ((cleanup(ostree_sepolicy_fscreatecon_cleanup)))
+
 G_END_DECLS

--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@ -1893,13 +1893,6 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
      goto out;
    }

-  if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL,
-                                         cancellable, error))
-    {
-      g_prefix_error (error, "Writing out origin file: ");
-      goto out;
-    }
-
  /* Create an empty boot configuration; we will merge things into
   * it as we go.
   */
@ -1915,6 +1908,9 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
      goto out;
    }

+  g_clear_object (&self->sepolicy);
+  self->sepolicy = g_object_ref (sepolicy);
+
  deployment_etc = g_file_get_child (new_deployment_path, "etc");

  if (!selinux_relabel_var_if_needed (self, sepolicy, deployment_var,
@ -1925,6 +1921,29 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
                                             cancellable, error))
    goto out;

+  { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL;
+
+    /* Explicitly override the label for the origin file to ensure
+     * it's system_conf_t.
+     */
+    if (self->sepolicy != NULL
+        && ostree_sepolicy_get_name (self->sepolicy) != NULL)
+      {
+        if (!ostree_sepolicy_setfscreatecon (self->sepolicy,
+                                             "/etc/ostree/remotes.d/dummy.conf",
+                                             0644,
+                                             error))
+          goto out;
+      }
+
+    if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL,
+                                           cancellable, error))
+      {
+        g_prefix_error (error, "Writing out origin file: ");
+        goto out;
+      }
+  }
+
  /* After this, install_deployment_kernel() will set the other boot
   * options and write it out to disk.
   */
--- a/src/libostree/ostree-sysroot-private.h
+++ b/src/libostree/ostree-sysroot-private.h
@ -34,6 +34,8 @@ struct OstreeSysroot {

  gboolean loaded;
  
+  OstreeSePolicy *sepolicy;
+  
  GPtrArray *deployments;
  int bootversion;
  int subbootversion;
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@ -63,6 +63,7 @@ ostree_sysroot_finalize (GObject *object)
  OstreeSysroot *self = OSTREE_SYSROOT (object);

  g_clear_object (&self->path);
+  g_clear_object (&self->sepolicy);

  G_OBJECT_CLASS (ostree_sysroot_parent_class)->finalize (object);
 }