packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sysroot/unlock: Ensure overlay label on /usr is `usr_t` 

Otherwise, we get `tmp_t` by default which can break a lot of things; we noticed
this with `atomic scan`.

Closes: https://github.com/ostreedev/ostree/issues/762

Closes: #763
Approved by: rhatdan
This commit is contained in:
Daniel J Walsh 2017-03-27 17:31:06 -04:00 committed by Atomic Bot
parent 79c3eb63be
commit a88881039e
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/libostree/ostree-sysroot.c
View File

@ -26,6 +26,7 @@
#include <sys/wait.h> #include <sys/wait.h>
#include "ostree-core-private.h" #include "ostree-core-private.h"
#include "ostree-sepolicy-private.h"
#include "ostree-sysroot-private.h" #include "ostree-sysroot-private.h"
#include "ostree-deployment-private.h" #include "ostree-deployment-private.h"
#include "ostree-bootloader-uboot.h" #include "ostree-bootloader-uboot.h"
@ -1691,6 +1692,7 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
GError **error) GError **error)
{ {
gboolean ret = FALSE; gboolean ret = FALSE;
glnx_unref_object OstreeSePolicy *sepolicy = NULL;
OstreeDeploymentUnlockedState current_unlocked = OstreeDeploymentUnlockedState current_unlocked =
ostree_deployment_get_unlocked (deployment); ostree_deployment_get_unlocked (deployment);
glnx_unref_object OstreeDeployment *deployment_clone = glnx_unref_object OstreeDeployment *deployment_clone =
@ -1738,6 +1740,10 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
if (!glnx_opendirat (self->sysroot_fd, deployment_path, TRUE, &deployment_dfd, error)) if (!glnx_opendirat (self->sysroot_fd, deployment_path, TRUE, &deployment_dfd, error))
goto out; goto out;
sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error);
if (!sepolicy)
goto out;
switch (unlocked_state) switch (unlocked_state)
{ {
case OSTREE_DEPLOYMENT_UNLOCKED_NONE: case OSTREE_DEPLOYMENT_UNLOCKED_NONE:
@ -1765,8 +1771,16 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
const char *development_ovl_upper; const char *development_ovl_upper;
const char *development_ovl_work; const char *development_ovl_work;
if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0700, error)) /* Ensure that the directory is created with the same label as `/usr` */
goto out; { g_auto(OstreeSepolicyFsCreatecon) con = { 0, };
if (!_ostree_sepolicy_preparefscreatecon (&con, sepolicy,
"/usr", 0755, error))
goto out;
if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0755, error))
goto out;
}
development_ovl_upper = glnx_strjoina (development_ovldir, "/upper"); development_ovl_upper = glnx_strjoina (development_ovldir, "/upper");
if (!glnx_shutil_mkdir_p_at (AT_FDCWD, development_ovl_upper, 0755, cancellable, error)) if (!glnx_shutil_mkdir_p_at (AT_FDCWD, development_ovl_upper, 0755, cancellable, error))