From 7d0660bb80b9f70a6420380d91a6afb8cb7f5c0f Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 24 Oct 2024 08:26:16 -0400
Subject: [PATCH] install: Just check etc/selinux/config if we don't have ostree

Pairs with https://github.com/ostreedev/ostree-rs-ext/pull/674 to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters
---
 lib/src/install.rs | 28 +++++++++++++++++++---------
 lib/src/lsm.rs | 7 +++++++
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/lib/src/install.rs b/lib/src/install.rs
index 29e747081..cdf36a9f0 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -45,6 +45,7 @@ use serde::{Deserialize, Serialize};
 
 use self::baseline::InstallBlockDeviceOpts;
 use crate::containerenv::ContainerExecutionInfo;
+use crate::lsm;
 use crate::mount::Filesystem;
 use crate::spec::ImageReference;
 use crate::store::Storage;
@@ -525,15 +526,9 @@ impl SourceInfo {
 Self::new(imageref, None, root, false, false)
 }
 
- /// Construct a new source information structure
- fn new(
- imageref: ostree_container::ImageReference,
- digest: Option,
- root: &Dir,
- in_host_mountns: bool,
- have_host_container_storage: bool,
- ) -> Result {
+ fn have_selinux_from_repo(root: &Dir) -> Result {
 let cancellable = ostree::gio::Cancellable::NONE;
+
 let commit = Task::new("Reading ostree commit", "ostree")
 .args(["--repo=/ostree/repo", "rev-parse", "--single"])
 .quiet()
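Review bot: `have_selinux_from_repo` is introduced without a doc comment, while the `new` it was split out of keeps its `/// Construct a new source information structure`. Since it shells out to `ostree rev-parse --single` against the hard-coded `--repo=/ostree/repo` and then (in the next hunk) inspects the xattrs of the resulting root, a one-line summary would help the next reader, e.g. `/// Detect SELinux by inspecting the xattrs of the root of the commit in /ostree/repo.` The function body continues past the end of this hunk.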
@@ -545,7 +540,22 @@ impl SourceInfo {
 .0;
 let root = root.downcast_ref::().unwrap();
 let xattrs = root.xattrs(cancellable)?;
- let selinux = crate::lsm::xattrs_have_selinux(&xattrs);
+ Ok(crate::lsm::xattrs_have_selinux(&xattrs))
+ }
+
+ /// Construct a new source information structure
+ fn new(
+ imageref: ostree_container::ImageReference,
+ digest: Option,
+ root: &Dir,
+ in_host_mountns: bool,
+ have_host_container_storage: bool,
+ ) -> Result {
+ let selinux = if Path::new("/ostree/repo").try_exists()? {
+ Self::have_selinux_from_repo(root)?
+ } else {
+ lsm::have_selinux_policy(root)?
+ };
 Ok(Self {
 imageref,
 digest,
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
index d801a8f88..c2deaea33 100644
--- a/lib/src/lsm.rs
+++ b/lib/src/lsm.rs
@@ -98,6 +98,13 @@ pub(crate) fn selinux_ensure_install() -> Result {
 Err(anyhow::Error::msg(cmd.exec()).context("execve"))
 }
 
+/// Query whether SELinux is apparently enabled in the target root
+#[cfg(feature = "install")]
+pub(crate) fn have_selinux_policy(root: &Dir) -> Result {
+ // TODO use ostree::SePolicy and query policy name
+ root.try_exists("etc/selinux/config").map_err(Into::into)
+}
+
 /// A type which will reset SELinux back to enforcing mode when dropped.
 /// This is a workaround for the deep difficulties in trying to reliably
 /// gain the `mac_admin` permission (install_t).
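Review bot: The two branches of the new `let selinux = …` in `new` consult different filesystems: `Path::new("/ostree/repo").try_exists()?` resolves against the process's own root, whereas the fallback `lsm::have_selinux_policy(root)?` looks inside the `root` `Dir` that was passed in. If `root` can ever be something other than the process's `/` (the signature takes it as a separate argument, and `in_host_mountns` suggests the mount namespace varies), a process running where `/ostree/repo` exists would take the repo branch for a target root that has no repo at all. If `root` is always the container's `/` at this call site that is fine and worth a short comment saying so; otherwise `root.try_exists("ostree/repo")?` would keep both probes on the same tree, noting that `--repo=/ostree/repo` in `have_selinux_from_repo` remains an absolute path on the process's filesystem. `new`'s body continues past the end of this hunk.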
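Review bot: `have_selinux_policy` answers "is SELinux apparently enabled" with nothing more than the existence of `etc/selinux/config`, which is weaker than the name and doc comment suggest: a root whose config says `SELINUX=disabled`, or that ships the file without any policy directory under `etc/selinux/`, still yields `true`, and callers keying on the returned flag would treat such a root as SELinux-enabled. Until the `ostree::SePolicy` TODO lands, the doc comment should state what is actually checked, e.g. `/// Heuristic: treat the presence of etc/selinux/config in the target root as SELinux being enabled; the file's contents and the policy itself are not examined.` Reading the file and honouring `SELINUX=disabled` would be a small tightening if the caller's semantics allow it.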