Add flag to make SELinux label failure fatal, add hack for /proc

I was working on `rpm-ostree livefs` which does some ostree-based filesystem diffs, and noticed that we were ending up with `/proc` not being labeled in our base trees. Reading the selinux-policy source, indeed we have: ``` /proc -d <<none>> /proc/.* <<none>> ``` This dates pretty far back. We really don't want unlabeled content in ostree. In this case it's mostly OK since the kernel will assign a label, but again *everything* should be labeled via OSTree so that it's all consistent, which will fix `ostree diff`. Notably, `/proc` is the *only* file path that isn't covered when composing a Fedora Atomic Host. So I added a hack here to hardcode it (although I'm a bit uncertain about whether it should really be `proc_t` on disk before systemd mounts or not). Out of conservatism, I made this a flag, so if we hit issues down the line, we could easily change rpm-ostree to stumble on as it did before. Closes: #768 Approved by: jlebon
2017-03-29 16:51:39 -04:00 · 2017-03-29 16:51:39 -04:00 · 9016e9e8be
parent 8d4dec1b53
commit 9016e9e8be
3 changed files with 29 additions and 24 deletions
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
@ -2309,7 +2309,11 @@ get_modified_xattrs (OstreeRepo                       *self,
                                      &label, cancellable, error))
        return FALSE;
-      if (label)
+      if (!label && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED) > 0)
        {
          return glnx_throw (error, "Failed to look up SELinux label for '%s'", relpath);
        }
      else if (label)
        {
          g_autoptr(GVariantBuilder) builder = NULL;
--- a/src/libostree/ostree-repo.h
+++ b/src/libostree/ostree-repo.h
@ -537,12 +537,14 @@ typedef OstreeRepoCommitFilterResult (*OstreeRepoCommitFilter) (OstreeRepo    *r
 * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS: Do not process extended attributes
 * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES: Generate size information.
 * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS: Canonicalize permissions for bare-user-only mode.
 * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED: Emit an error if configured SELinux policy does not provide a label
 */
 typedef enum {
  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_NONE = 0,
  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS = (1 << 0),
  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES = (1 << 1),
  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS = (1 << 2),
  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3),
 } OstreeRepoCommitModifierFlags;
 /**
--- a/src/libostree/ostree-sepolicy.c
+++ b/src/libostree/ostree-sepolicy.c
@ -526,20 +526,24 @@ ostree_sepolicy_get_label (OstreeSePolicy    *self,
                           GError          **error)
 {
 #ifdef HAVE_SELINUX
-  gboolean ret = FALSE;
+  /* Early return if no policy */
-  int res;
+  if (!self->selinux_hnd)
-  char *con = NULL;
+    return TRUE;
-  if (self->selinux_hnd)
+  /* http://marc.info/?l=selinux&m=149082134430052&w=2
-    {
+   * https://github.com/ostreedev/ostree/pull/768
-      res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
+   */
  if (strcmp (relpath, "/proc") == 0)
    relpath = "/mnt";
  char *con = NULL;
  int res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
  if (res != 0)
    {
-          if (errno != ENOENT)
+      if (errno == ENOENT)
-            {
+        *out_label = NULL;
-              glnx_set_error_from_errno (error);
+      else
-              goto out;
+        return glnx_throw_errno (error);
            }
    }
  else
    {
@ -547,14 +551,9 @@ ostree_sepolicy_get_label (OstreeSePolicy    *self,
      *out_label = g_strdup (con);
      freecon (con);
    }
    }
  ret = TRUE;
 out:
  return ret;
 #else
  return TRUE;
 #endif
  return TRUE;
 }
 /**