From afb4a219202b9dbb0a5e79ef5543662878f0e21b Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 25 Apr 2023 10:20:49 -0400 Subject: [PATCH] install: Only invoke `chcon` if SELinux enabled in the source We shouldn't try to do any SELinux labeling if the source doesn't have it. xref https://github.com/containers/bootc/issues/83 Signed-off-by: Colin Walters --- lib/src/install.rs | 17 ++++++++++++++++- lib/src/install/baseline.rs | 6 +++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/lib/src/install.rs b/lib/src/install.rs index b53b14320..67f1cf048 100644 --- a/lib/src/install.rs +++ b/lib/src/install.rs @@ -185,6 +185,21 @@ pub(crate) struct State { pub(crate) install_config: config::InstallConfiguration, } +impl State { + // Wraps core lsm labeling functionality, conditionalizing based on source state + pub(crate) fn lsm_label( + &self, + target: &Utf8Path, + as_path: &Utf8Path, + recurse: bool, + ) -> Result<()> { + if !self.source.selinux { + return Ok(()); + } + crate::lsm::lsm_label(target, as_path, recurse) + } +} + /// Path to initially deployed version information const BOOTC_ALEPH_PATH: &str = ".bootc-aleph.json"; @@ -438,7 +453,7 @@ async fn initialize_ostree_root_from_self( .run()?; // Ensure everything in the ostree repo is labeled - lsm_label(&rootfs.join("ostree"), "/usr".into(), true)?; + state.lsm_label(&rootfs.join("ostree"), "/usr".into(), true)?; let sysroot = ostree::Sysroot::new(Some(&gio::File::for_path(rootfs))); sysroot.load(cancellable)?; diff --git a/lib/src/install/baseline.rs b/lib/src/install/baseline.rs index cc547f9fa..f86c58f10 100644 --- a/lib/src/install/baseline.rs +++ b/lib/src/install/baseline.rs @@ -346,15 +346,15 @@ pub(crate) fn install_create_rootfs( .collect::>(); mount::mount(&rootdev, &rootfs)?; - lsm_label(&rootfs, "/".into(), false)?; + state.lsm_label(&rootfs, "/".into(), false)?; let rootfs_fd = Dir::open_ambient_dir(&rootfs, cap_std::ambient_authority())?; let bootfs = rootfs.join("boot"); std::fs::create_dir(&bootfs).context("Creating /boot")?; // The underlying directory on the root should be labeled - lsm_label(&bootfs, "/boot".into(), false)?; + state.lsm_label(&bootfs, "/boot".into(), false)?; mount::mount(bootdev, &bootfs)?; // And we want to label the root mount of /boot - lsm_label(&bootfs, "/boot".into(), false)?; + state.lsm_label(&bootfs, "/boot".into(), false)?; // Create the EFI system partition, if applicable if let Some(espdev) = espdev {