[ostree/wip/selinux2] More SELinux rework



commit 5f308f7b35dd3806134e318981f4b3904bc36870
Author: Colin Walters <walters verbum org>
Date:   Fri Feb 14 12:39:39 2014 -0500

    More SELinux rework
    
    Right now, selinux/ just adds some overrides for the Fedora base.  But
    in the future we'll have a real ostree_t domain.
    
    Also, add a public OstreeSePolicy API so that rpm-ostree can consume
    the logic inside of here.

 Makefile-libostree-defines.am         |    1 +
 Makefile-libostree.am                 |    1 +
 Makefile.am                           |    4 +
 configure.ac                          |    1 +
 packaging/ostree.spec.in              |   24 ++
 selinux/.gitignore                    |    2 +
 selinux/Makefile.am                   |   22 ++
 selinux/ostree.fc                     |    9 +
 selinux/ostree.if                     |    1 +
 selinux/ostree.te                     |   33 +++
 src/libostree/ostree-repo-commit.c    |  121 +++++++--
 src/libostree/ostree-repo.h           |    4 +
 src/libostree/ostree-sepolicy.c       |  456 +++++++++++++++++++++++++++++++++
 src/libostree/ostree-sepolicy.h       |   66 +++++
 src/libostree/ostree-sysroot-deploy.c |  363 +++++++--------------------
 src/libostree/ostree-types.h          |    1 +
 16 files changed, 814 insertions(+), 295 deletions(-)
---
diff --git a/Makefile-libostree-defines.am b/Makefile-libostree-defines.am
index 6b07d0e..02037ed 100644
--- a/Makefile-libostree-defines.am
+++ b/Makefile-libostree-defines.am
@@ -27,6 +27,7 @@ libostree_public_headers = \
        src/libostree/ostree-types.h \
        src/libostree/ostree-repo-file.h \
        src/libostree/ostree-diff.h \
+       src/libostree/ostree-sepolicy.h \
        src/libostree/ostree-sysroot.h \
        src/libostree/ostree-deployment.h \
        src/libostree/ostree-bootconfig-parser.h \
diff --git a/Makefile-libostree.am b/Makefile-libostree.am
index 8e9aaca..04d03be 100644
--- a/Makefile-libostree.am
+++ b/Makefile-libostree.am
@@ -56,6 +56,7 @@ libostree_1_la_SOURCES = \
        src/libostree/ostree-repo-file.c \
        src/libostree/ostree-repo-file-enumerator.c \
        src/libostree/ostree-repo-file-enumerator.h \
+       src/libostree/ostree-sepolicy.c \
        src/libostree/ostree-sysroot-private.h \
        src/libostree/ostree-sysroot.c \
        src/libostree/ostree-sysroot-cleanup.c \
diff --git a/Makefile.am b/Makefile.am
index b20738a..803ce0a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,6 +31,10 @@ endif
 
 SUBDIRS += .
 
+if USE_SELINUX
+SUBDIRS += selinux
+endif
+
 if ENABLE_GTK_DOC
 SUBDIRS += doc
 endif
diff --git a/configure.ac b/configure.ac
index 542c9ff..d3c72d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,6 +203,7 @@ AC_CONFIG_FILES([
 Makefile
 embedded-dependencies/Makefile
 doc/Makefile
+selinux/Makefile
 src/libostree/ostree-1.pc
 ])
 AC_OUTPUT
diff --git a/packaging/ostree.spec.in b/packaging/ostree.spec.in
index c2596d2..105b0ae 100644
--- a/packaging/ostree.spec.in
+++ b/packaging/ostree.spec.in
@@ -44,6 +44,19 @@ Requires: %{name} = %{version}-%{release}
 %description devel
 The %{name}-devel package includes the header files for the %{name} library.
 
+%package        selinux
+Summary:        SELinux policy module for %{name}
+Group:          System Environment/Base
+Requires:       %{name} = %{version}-%{release}
+Requires:       policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base, policycoreutils
+Requires(postun): policycoreutils
+BuildRequires:  selinux-policy-devel
+BuildArch:      noarch
+
+%description    selinux
+This package installs and sets up the SELinux policy security module for %{name}.
+
 %prep
 %setup -q -n ostree-%{version}
 
@@ -69,6 +82,14 @@ rm -rf $RPM_BUILD_ROOT
 %preun
 %systemd_preun ostree-remount.service
 
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/%{name}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semodule -n -r %{name}
+fi
+
 %files
 %doc COPYING README.md
 %{_bindir}/ostree
@@ -91,3 +112,6 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{_datadir}/gtk-doc/html/ostree
 %{_datadir}/gtk-doc/html/ostree
 %{_datadir}/gir-1.0/OSTree-1.0.gir
+
+%files selinux
+%attr(0600,root,root) %{_datadir}/selinux/packages/%{name}.pp
diff --git a/selinux/.gitignore b/selinux/.gitignore
new file mode 100644
index 0000000..cbefb9d
--- /dev/null
+++ b/selinux/.gitignore
@@ -0,0 +1,2 @@
+ostree.pp
+tmp
diff --git a/selinux/Makefile.am b/selinux/Makefile.am
new file mode 100644
index 0000000..1d69949
--- /dev/null
+++ b/selinux/Makefile.am
@@ -0,0 +1,22 @@
+# Copyright (C) 2014 Colin Walters <walters verbum org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+ostree.pp: ostree.fc ostree.if ostree.te
+       make -f /usr/share/selinux/devel/Makefile
+
+selinuxpkgdir = $(datadir)/selinux/packages
+selinuxpkg_DATA = ostree.pp
diff --git a/selinux/ostree.fc b/selinux/ostree.fc
new file mode 100644
index 0000000..56b9c4f
--- /dev/null
+++ b/selinux/ostree.fc
@@ -0,0 +1,9 @@
+# Core definitions
+
+/sysroot       -d      gen_context(system_u:object_r:usr_t,s0)
+/ostree                -d      gen_context(system_u:object_r:usr_t,s0)
+/ostree                -l      gen_context(system_u:object_r:usr_t,s0)
+/media         -l      gen_context(system_u:object_r:mnt_t,s0)
+/mnt           -l      gen_context(system_u:object_r:mnt_t,s0)
+/var/roothome  -d      gen_context(system_u:object_r:admin_home_t,s0)
+/var/home      -d      gen_context(system_u:object_r:home_root_t,s0)
diff --git a/selinux/ostree.if b/selinux/ostree.if
new file mode 100644
index 0000000..996cee9
--- /dev/null
+++ b/selinux/ostree.if
@@ -0,0 +1 @@
+# Empty.
diff --git a/selinux/ostree.te b/selinux/ostree.te
new file mode 100644
index 0000000..8d34940
--- /dev/null
+++ b/selinux/ostree.te
@@ -0,0 +1,33 @@
+policy_module(ostree, 1.3.0)
+
+require {
+        type init_t;
+        type root_t;
+        type var_log_t;
+        type games_data_t;
+        type var_yp_t;
+        type systemd_tmpfiles_t;
+        type local_login_t;
+        type admin_home_t;
+        type ldconfig_cache_t;
+        type var_t;
+        type var_run_t;
+        class lnk_file { relabelfrom relabelto read getattr };
+        class dir { relabelfrom relabelto create setattr write };
+}
+
+# init_t
+allow init_t admin_home_t:lnk_file { read getattr };
+allow init_t root_t:dir { write };
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t games_data_t:dir relabelto;
+allow systemd_tmpfiles_t var_log_t:dir create;
+allow systemd_tmpfiles_t var_run_t:lnk_file { relabelfrom relabelto };
+allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };
+allow systemd_tmpfiles_t var_yp_t:dir relabelto;
+allow systemd_tmpfiles_t ldconfig_cache_t:dir { relabelfrom relabelto setattr };
+allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };
+
+#============= local_login_t ==============
+allow local_login_t admin_home_t:lnk_file read;
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
index 10d3971..1b3136d 100644
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
@@ -1618,6 +1618,8 @@ struct OstreeRepoCommitModifier {
   OstreeRepoCommitModifierXattrCallback xattr_callback;
   GDestroyNotify xattr_destroy;
   gpointer xattr_user_data;
+
+  OstreeSePolicy *sepolicy;
 };
 
 OstreeRepoCommitFilterResult
@@ -1684,6 +1686,67 @@ apply_commit_filter (OstreeRepo               *self,
 }
 
 static gboolean
+get_modified_xattrs (OstreeRepo                       *self,
+                     OstreeRepoCommitModifier         *modifier,
+                     const char                       *relpath,
+                     GFileInfo                        *file_info,
+                     GFile                            *path,
+                     GVariant                        **out_xattrs,
+                     GCancellable                     *cancellable,
+                     GError                          **error)
+{
+  gboolean ret = FALSE;
+  gs_unref_variant GVariant *ret_xattrs = NULL;
+
+  if (modifier && modifier->xattr_callback)
+    {
+      ret_xattrs = modifier->xattr_callback (self, relpath, file_info,
+                                             modifier->xattr_user_data);
+    }
+  else if (!(modifier && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS) > 0))
+    {
+      if (!gs_file_get_all_xattrs (path, &ret_xattrs, cancellable, error))
+        goto out;
+    }
+
+  if (modifier->sepolicy)
+    {
+      gs_free char *label = NULL;
+
+      if (!ostree_sepolicy_get_label (modifier->sepolicy, relpath,
+                                      g_file_info_get_attribute_uint32 (file_info, "unix::mode"),
+                                      &label, cancellable, error))
+        goto out;
+
+      if (label)
+        {
+          GVariantBuilder *builder;
+
+          if (ret_xattrs)
+            builder = ot_util_variant_builder_from_variant (ret_xattrs,
+                                                            G_VARIANT_TYPE ("a(ayay)"));
+          else
+            builder = g_variant_builder_new (G_VARIANT_TYPE ("a(ayay)"));
+
+          g_variant_builder_add_value (builder,
+                                       g_variant_new ("(@ay ay)",
+                                                      g_variant_new_bytestring ("security.selinux"),
+                                                      g_variant_new_bytestring (label)));
+          if (ret_xattrs)
+            g_variant_unref (ret_xattrs);
+
+          ret_xattrs = g_variant_builder_end (builder);
+          g_variant_ref_sink (ret_xattrs);
+        }
+    }
+  
+  ret = TRUE;
+  gs_transfer_out_value (out_xattrs, &ret_xattrs);
+ out:
+  return ret;
+}
+
+static gboolean
 write_directory_to_mtree_internal (OstreeRepo                  *self,
                                    GFile                       *dir,
                                    OstreeMutableTree           *mtree,
@@ -1751,16 +1814,10 @@ write_directory_to_mtree_internal (OstreeRepo                  *self,
       if (filter_result == OSTREE_REPO_COMMIT_FILTER_ALLOW)
         {
           g_debug ("Adding: %s", gs_file_get_path_cached (dir));
-          if (modifier && modifier->xattr_callback)
-            {
-              xattrs = modifier->xattr_callback (self, relpath, child_info,
-                                                 modifier->xattr_user_data);
-            }
-          else if (!(modifier && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS) > 0))
-            {
-              if (!gs_file_get_all_xattrs (dir, &xattrs, cancellable, error))
-                goto out;
-            }
+          if (!get_modified_xattrs (self, modifier, relpath, child_info, dir,
+                                    &xattrs,
+                                    cancellable, error))
+            goto out;
 
           if (!_ostree_repo_write_directory_meta (self, modified_info, xattrs, &child_file_csum,
                                                   cancellable, error))
@@ -1872,17 +1929,11 @@ write_directory_to_mtree_internal (OstreeRepo                  *self,
                             goto out;
                         }
 
-                      if (modifier && modifier->xattr_callback)
-                        {
-                          xattrs = modifier->xattr_callback (self, child_relpath, child_info,
-                                                             modifier->xattr_user_data);
-                        }
-                      else if (!(modifier && (modifier->flags & 
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS) > 0))
-                        {
-                          g_clear_pointer (&xattrs, (GDestroyNotify) g_variant_unref);
-                          if (!gs_file_get_all_xattrs (child, &xattrs, cancellable, error))
-                            goto out;
-                        }
+                      if (!get_modified_xattrs (self, modifier,
+                                                child_relpath, child_info, child,
+                                                &xattrs,
+                                                cancellable, error))
+                        goto out;
 
                       if (!ostree_raw_file_to_content_stream (file_input,
                                                               modified_info, xattrs,
@@ -2082,6 +2133,8 @@ ostree_repo_commit_modifier_unref (OstreeRepoCommitModifier *modifier)
   if (modifier->xattr_destroy)
     modifier->xattr_destroy (modifier->xattr_user_data);
 
+  g_clear_object (&modifier->sepolicy);
+
   g_free (modifier);
   return;
 }
@@ -2094,8 +2147,9 @@ ostree_repo_commit_modifier_unref (OstreeRepoCommitModifier *modifier)
  * @user_data: Data for @callback:
  *
  * If set, this function should return extended attributes to use for
- * the given path.  This is useful for things like SELinux, where a build
- * system can label the files as it's committing to the repository.
+ * the given path.  This is useful for things like ACLs and SELinux,
+ * where a build system can label the files as it's committing to the
+ * repository.
  */
 void
 ostree_repo_commit_modifier_set_xattr_callback (OstreeRepoCommitModifier  *modifier,
@@ -2108,6 +2162,27 @@ ostree_repo_commit_modifier_set_xattr_callback (OstreeRepoCommitModifier  *modif
   modifier->xattr_user_data = user_data;
 }
 
+/**
+ * ostree_repo_commit_modifier_set_sepolicy:
+ * @modifier: An #OstreeRepoCommitModifier
+ * @sepolicy: (allow-none): Policy to use for labeling
+ *
+ * If @policy is non-%NULL, use it to look up labels to use for
+ * "security.selinux" extended attributes.
+ *
+ * Note that any policy specified this way operates in addition to any
+ * extended attributes provided via
+ * ostree_repo_commit_modifier_set_xattr_callback().  However if both
+ * specify a value for "security.selinux", then the one from the
+ * policy wins.
+ */
+void
+ostree_repo_commit_modifier_set_sepolicy (OstreeRepoCommitModifier              *modifier,
+                                          OstreeSePolicy                        *sepolicy)
+{
+  g_clear_object (&modifier->sepolicy);
+  modifier->sepolicy = sepolicy ? g_object_ref (sepolicy) : NULL;
+}
 
 G_DEFINE_BOXED_TYPE(OstreeRepoCommitModifier, ostree_repo_commit_modifier,
                     ostree_repo_commit_modifier_ref,
diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h
index df7f3e0..ad6533a 100644
--- a/src/libostree/ostree-repo.h
+++ b/src/libostree/ostree-repo.h
@@ -25,6 +25,7 @@
 #include "ostree-core.h"
 #include "ostree-types.h"
 #include "ostree-async-progress.h"
+#include "ostree-sepolicy.h"
 
 G_BEGIN_DECLS
 
@@ -313,6 +314,9 @@ void ostree_repo_commit_modifier_set_xattr_callback (OstreeRepoCommitModifier
                                                      GDestroyNotify                         destroy,
                                                      gpointer                               user_data);
 
+void ostree_repo_commit_modifier_set_sepolicy (OstreeRepoCommitModifier              *modifier,
+                                               OstreeSePolicy                        *sepolicy);
+
 OstreeRepoCommitModifier *ostree_repo_commit_modifier_ref (OstreeRepoCommitModifier *modifier);
 void ostree_repo_commit_modifier_unref (OstreeRepoCommitModifier *modifier);
 
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c
new file mode 100644
index 0000000..8a0457a
--- /dev/null
+++ b/src/libostree/ostree-sepolicy.c
@@ -0,0 +1,456 @@
+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
+ *
+ * Copyright (C) 2014 Colin Walters <walters verbum org>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#endif
+
+#include "otutil.h"
+#include "libgsystem.h"
+
+#include "ostree-sepolicy.h"
+#include "ostree-bootloader-uboot.h"
+#include "ostree-bootloader-syslinux.h"
+
+/**
+ * SECTION:libostree-sepolicy
+ * @title: SELinux policy management
+ * @short_description: Read SELinux policy and manage filesystem labels
+ *
+ * A #OstreeSePolicy object can load the SELinux policy from a given
+ * root and perform labeling.
+ */
+struct OstreeSePolicy {
+  GObject parent;
+
+  GFile *path;
+
+#ifdef HAVE_SELINUX
+  GFile *selinux_policy_root;
+  struct selabel_handle *selinux_hnd;
+  char *selinux_policy_name;
+#endif
+};
+
+typedef struct {
+  GObjectClass parent_class;
+} OstreeSePolicyClass;
+
+static void initable_iface_init       (GInitableIface      *initable_iface);
+
+enum {
+  PROP_0,
+
+  PROP_PATH
+};
+
+G_DEFINE_TYPE_WITH_CODE (OstreeSePolicy, ostree_sepolicy, G_TYPE_OBJECT,
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE, initable_iface_init))
+
+static void
+ostree_sepolicy_finalize (GObject *object)
+{
+  OstreeSePolicy *self = OSTREE_SEPOLICY (object);
+
+  g_clear_object (&self->path);
+  g_clear_object (&self->selinux_policy_root);
+  g_clear_pointer (&self->selinux_policy_name, g_free);
+#ifdef HAVE_SELINUX
+  if (self->selinux_hnd)
+    {
+      selabel_close (self->selinux_hnd);
+      self->selinux_hnd = NULL;
+    }
+#endif
+
+  G_OBJECT_CLASS (ostree_sepolicy_parent_class)->finalize (object);
+}
+
+static void
+ostree_sepolicy_set_property(GObject         *object,
+                            guint            prop_id,
+                            const GValue    *value,
+                            GParamSpec      *pspec)
+{
+  OstreeSePolicy *self = OSTREE_SEPOLICY (object);
+
+  switch (prop_id)
+    {
+    case PROP_PATH:
+      /* Canonicalize */
+      self->path = g_file_new_for_path (gs_file_get_path_cached (g_value_get_object (value)));
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+      break;
+    }
+}
+
+static void
+ostree_sepolicy_get_property(GObject         *object,
+                            guint            prop_id,
+                            GValue          *value,
+                            GParamSpec      *pspec)
+{
+  OstreeSePolicy *self = OSTREE_SEPOLICY (object);
+
+  switch (prop_id)
+    {
+    case PROP_PATH:
+      g_value_set_object (value, self->path);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+      break;
+    }
+}
+
+static void
+ostree_sepolicy_constructed (GObject *object)
+{
+  OstreeSePolicy *self = OSTREE_SEPOLICY (object);
+
+  g_assert (self->path != NULL);
+
+  G_OBJECT_CLASS (ostree_sepolicy_parent_class)->constructed (object);
+}
+
+static void
+ostree_sepolicy_class_init (OstreeSePolicyClass *klass)
+{
+  GObjectClass *object_class = G_OBJECT_CLASS (klass);
+
+  object_class->constructed = ostree_sepolicy_constructed;
+  object_class->get_property = ostree_sepolicy_get_property;
+  object_class->set_property = ostree_sepolicy_set_property;
+  object_class->finalize = ostree_sepolicy_finalize;
+
+  g_object_class_install_property (object_class,
+                                   PROP_PATH,
+                                   g_param_spec_object ("path",
+                                                        "",
+                                                        "",
+                                                        G_TYPE_FILE,
+                                                        G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+}
+
+static gboolean
+initable_init (GInitable     *initable,
+               GCancellable  *cancellable,
+               GError       **error)
+{
+#ifdef HAVE_SELINUX
+  gboolean ret = FALSE;
+  OstreeSePolicy *self = OSTREE_SEPOLICY (initable);
+  gs_unref_object GFile *etc_selinux_dir = NULL;
+  gs_unref_object GFile *policy_config_path = NULL;
+  gs_unref_object GFile *policy_root = NULL;
+  gs_unref_object GFileInputStream *filein = NULL;
+  gs_unref_object GDataInputStream *datain = NULL;
+  gboolean enabled = FALSE;
+  char *policytype = NULL;
+  const char *selinux_prefix = "SELINUX=";
+  const char *selinuxtype_prefix = "SELINUXTYPE=";
+
+  etc_selinux_dir = g_file_resolve_relative_path (self->path, "etc/selinux");
+  if (!g_file_query_exists (etc_selinux_dir, NULL))
+    {
+      g_object_unref (etc_selinux_dir);
+      etc_selinux_dir = g_file_resolve_relative_path (self->path, "usr/etc/selinux");
+    }
+  policy_config_path = g_file_get_child (etc_selinux_dir, "config");
+
+  if (g_file_query_exists (policy_config_path, NULL))
+    {
+      filein = g_file_read (policy_config_path, cancellable, error);
+      if (!filein)
+        goto out;
+
+      datain = g_data_input_stream_new ((GInputStream*)filein);
+
+      while (TRUE)
+        {
+          gsize len;
+          GError *temp_error = NULL;
+          gs_free char *line = g_data_input_stream_read_line_utf8 (datain, &len,
+                                                                   cancellable, &temp_error);
+      
+          if (temp_error)
+            {
+              g_propagate_error (error, temp_error);
+              goto out;
+            }
+
+          if (!line)
+            break;
+      
+          if (g_str_has_prefix (line, selinuxtype_prefix))
+            {
+              policytype = g_strstrip (g_strdup (line + strlen (selinuxtype_prefix))); 
+              policy_root = g_file_get_child (etc_selinux_dir, policytype);
+            }
+          else if (g_str_has_prefix (line, selinux_prefix))
+            {
+              const char *enabled_str = line + strlen (selinux_prefix);
+              if (g_ascii_strncasecmp (enabled_str, "enforcing", strlen ("enforcing")) == 0 ||
+                  g_ascii_strncasecmp (enabled_str, "permissive", strlen ("permissive")) == 0)
+                enabled = TRUE;
+            }
+        }
+    }
+
+  if (enabled)
+    {
+      g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE);
+      if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0)
+        {
+          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                       "selinux_set_policy_root(%s): %s",
+                       gs_file_get_path_cached (etc_selinux_dir),
+                       strerror (errno));
+          goto out;
+        }
+
+      self->selinux_hnd = selabel_open (SELABEL_CTX_FILE, NULL, 0);
+      if (!self->selinux_hnd)
+        {
+          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                       "With policy root '%s': selabel_open(SELABEL_CTX_FILE): %s",
+                       gs_file_get_path_cached (etc_selinux_dir),
+                       strerror (errno));
+          goto out;
+        }
+
+      {
+        char *con = NULL;
+        if (selabel_lookup_raw (self->selinux_hnd, &con, "/", 0755) != 0)
+          {
+            g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                         "With policy root '%s': Failed to look up context of /: %s",
+                         gs_file_get_path_cached (etc_selinux_dir),
+                         strerror (errno));
+            goto out;
+          }
+        freecon (con);
+      }
+
+      self->selinux_policy_name = g_strdup (policytype);
+      self->selinux_policy_root = g_object_ref (etc_selinux_dir);
+    }
+
+  ret = TRUE;
+ out:
+  return ret;
+#else
+  return TRUE;
+#endif
+}
+
+static void
+ostree_sepolicy_init (OstreeSePolicy *self)
+{
+}
+
+static void
+initable_iface_init (GInitableIface *initable_iface)
+{
+  initable_iface->init = initable_init;
+}
+
+/**
+ * ostree_sepolicy_new:
+ * @path: Path to a root directory
+ *
+ * Returns: (transfer full): An accessor object for SELinux policy in root located at @path
+ */
+OstreeSePolicy*
+ostree_sepolicy_new (GFile         *path,
+                     GCancellable  *cancellable,
+                     GError       **error)
+{
+  return g_initable_new (OSTREE_TYPE_SEPOLICY, cancellable, error, "path", path, NULL);
+}
+
+/**
+ * ostree_sepolicy_get_path:
+ * @self:
+ *
+ * Returns: (transfer none): Path to rootfs
+ */
+GFile *
+ostree_sepolicy_get_path (OstreeSePolicy  *self)
+{
+  return self->path;
+}
+
+const char *
+ostree_sepolicy_get_name (OstreeSePolicy *self)
+{
+#ifdef HAVE_SELINUX
+  return self->selinux_policy_name;
+#else
+  return NULL;
+#endif
+}
+
+/**
+ * ostree_sepolicy_get_label:
+ * @self: Self
+ * @relpath: Path
+ * @unix_mode: Unix mode
+ * @out_label: (allow-none) (out) (transfer full): Return location for security context
+ * @cancellable: Cancellable
+ * @error: Error
+ *
+ * Store in @out_label the security context for the given @relpath and
+ * mode @unix_mode.  If the policy does not specify a label, %NULL
+ * will be returned.
+ */
+gboolean
+ostree_sepolicy_get_label (OstreeSePolicy    *self,
+                           const char       *relpath,
+                           guint32           unix_mode,
+                           char            **out_label,
+                           GCancellable     *cancellable,
+                           GError          **error)
+{
+#ifdef HAVE_SELINUX
+  gboolean ret = FALSE;
+  int res;
+  char *con = NULL;
+
+  if (self->selinux_hnd)
+    {
+      res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
+      if (res != 0)
+        {
+          int errsv = errno;
+          if (errsv != ENOENT)
+            {
+              ot_util_set_error_from_errno (error, errsv);
+              goto out;
+            }
+        }
+      else
+        {
+          /* Ensure we consistently allocate with g_malloc */
+          *out_label = g_strdup (con);
+          freecon (con);
+        }
+    }
+
+  ret = TRUE;
+ out:
+  return ret;
+#else
+  return TRUE;
+#endif
+}
+
+/**
+ * ostree_sepolicy_restorecon:
+ * @self: Self
+ * @path: Path string to use for policy lookup
+ * @info: (allow-none): File attributes
+ * @target: Physical path to target file
+ * @flags: Flags controlling behavior
+ * @out_new_label: (allow-none) (out): New label, or %NULL if unchanged
+ * @cancellable: Cancellable
+ * @error: Error
+ *
+ * Reset the security context of @target based on the SELinux policy.
+ */
+gboolean
+ostree_sepolicy_restorecon (OstreeSePolicy    *self,
+                            const char       *path,
+                            GFileInfo        *info,
+                            GFile            *target,
+                            OstreeSePolicyRestoreconFlags flags,
+                            char            **out_new_label,
+                            GCancellable     *cancellable,
+                            GError          **error)
+{
+#ifdef HAVE_SELINUX
+  gboolean ret = FALSE;
+  gs_unref_object GFileInfo *src_info = NULL;
+  gs_free char *label = NULL;
+  gboolean do_relabel = TRUE;
+
+  if (info != NULL)
+    src_info = g_object_ref (info);
+  else
+    {
+      src_info = g_file_query_info (target, "unix::mode",
+                                    G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+                                    cancellable, error);
+      if (!src_info)
+        goto out;
+    }
+
+  if (flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING)
+    {
+      char *existing_con = NULL;
+      if (lgetfilecon_raw (gs_file_get_path_cached (target), &existing_con) > 0
+          && existing_con)
+        {
+          do_relabel = FALSE;
+          freecon (existing_con);
+        }
+    }
+
+  if (do_relabel)
+    {
+      if (!ostree_sepolicy_get_label (self, path, 
+                                      g_file_info_get_attribute_uint32 (src_info, "unix::mode"),
+                                      &label,
+                                      cancellable, error))
+        goto out;
+
+      if (!label)
+        {
+          if (!(flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL))
+            {
+              g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                           "No label found for '%s'", path);
+              goto out;
+            }
+        }
+      else
+        {
+          int res = lsetfilecon (gs_file_get_path_cached (target), label);
+          if (res != 0)
+            {
+              ot_util_set_error_from_errno (error, errno);
+              goto out;
+            }
+        }
+    }
+
+  ret = TRUE;
+  gs_transfer_out_value (out_new_label, &label);
+ out:
+  return ret;
+#else
+  return TRUE;
+#endif
+}
diff --git a/src/libostree/ostree-sepolicy.h b/src/libostree/ostree-sepolicy.h
new file mode 100644
index 0000000..19a067e
--- /dev/null
+++ b/src/libostree/ostree-sepolicy.h
@@ -0,0 +1,66 @@
+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
+ *
+ * Copyright (C) 2014 Colin Walters <walters verbum org>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#pragma once
+
+#include "ostree-types.h"
+
+G_BEGIN_DECLS
+
+#define OSTREE_TYPE_SEPOLICY ostree_sepolicy_get_type()
+#define OSTREE_SEPOLICY(obj) \
+  (G_TYPE_CHECK_INSTANCE_CAST ((obj), OSTREE_TYPE_SEPOLICY, OstreeSePolicy))
+#define OSTREE_IS_SEPOLICY(obj) \
+  (G_TYPE_CHECK_INSTANCE_TYPE ((obj), OSTREE_TYPE_SEPOLICY))
+
+GType ostree_sepolicy_get_type (void);
+
+OstreeSePolicy* ostree_sepolicy_new (GFile         *path,
+                                     GCancellable  *cancellable,
+                                     GError       **error);
+
+GFile * ostree_sepolicy_get_path (OstreeSePolicy  *self);
+
+const char *ostree_sepolicy_get_name (OstreeSePolicy *self);
+
+gboolean ostree_sepolicy_get_label (OstreeSePolicy    *self,
+                                    const char       *relpath,
+                                    guint32           unix_mode,
+                                    char            **out_label,
+                                    GCancellable     *cancellable,
+                                    GError          **error);
+
+typedef enum {
+  OSTREE_SEPOLICY_RESTORECON_FLAGS_NONE,
+  OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL = (1 << 0),
+  OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING = (1 << 1)
+} OstreeSePolicyRestoreconFlags;
+
+gboolean ostree_sepolicy_restorecon (OstreeSePolicy   *self,
+                                     const char       *path,
+                                     GFileInfo        *info,
+                                     GFile            *target,
+                                     OstreeSePolicyRestoreconFlags  flags,
+                                     char            **out_new_label,
+                                     GCancellable     *cancellable,
+                                     GError          **error);
+
+G_END_DECLS
+
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index aa55db2..f5ee56f 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -1,6 +1,6 @@
 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
  *
- * Copyright (C) 2012 Colin Walters <walters verbum org>
+ * Copyright (C) 2012,2014 Colin Walters <walters verbum org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -16,17 +16,10 @@
  * License along with this library; if not, write to the
  * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
  * Boston, MA 02111-1307, USA.
- *
- * Author: Colin Walters <walters verbum org>
  */
 
 #include "config.h"
 
-#ifdef HAVE_SELINUX
-#include <selinux/selinux.h>
-#include <selinux/label.h>
-#endif
-
 #include "ostree-sysroot-private.h"
 #include "ostree-core-private.h"
 #include "otutil.h"
@@ -243,74 +236,6 @@ checkout_deployment_tree (OstreeSysroot     *sysroot,
   return ret;
 }
 
-#ifdef HAVE_SELINUX
-static gboolean
-get_selinux_policy_root (GFile          *deployment_etc,
-                         GFile         **out_policy_root,
-                         GCancellable   *cancellable,
-                         GError        **error)
-{
-  gboolean ret = FALSE;
-  gs_unref_object GFile *etc_selinux_dir = NULL;
-  gs_unref_object GFile *policy_config_path = NULL;
-  gs_unref_object GFile *ret_policy_root = NULL;
-  gs_unref_object GFileInputStream *filein = NULL;
-  gs_unref_object GDataInputStream *datain = NULL;
-  gboolean enabled = FALSE;
-  char *policytype = NULL;
-  const char *selinux_prefix = "SELINUX=";
-  const char *selinuxtype_prefix = "SELINUXTYPE=";
-
-  etc_selinux_dir = g_file_get_child (deployment_etc, "selinux");
-  policy_config_path = g_file_get_child (etc_selinux_dir, "config");
-
-  if (g_file_query_exists (policy_config_path, NULL))
-    {
-      filein = g_file_read (policy_config_path, cancellable, error);
-      if (!filein)
-        goto out;
-
-      datain = g_data_input_stream_new ((GInputStream*)filein);
-
-      while (TRUE)
-        {
-          gsize len;
-          GError *temp_error = NULL;
-          gs_free char *line = g_data_input_stream_read_line_utf8 (datain, &len,
-                                                                   cancellable, &temp_error);
-      
-          if (temp_error)
-            {
-              g_propagate_error (error, temp_error);
-              goto out;
-            }
-
-          if (!line)
-            break;
-      
-          if (g_str_has_prefix (line, selinuxtype_prefix))
-            {
-              policytype = g_strstrip (g_strdup (line + strlen (selinuxtype_prefix))); 
-            }
-          else if (g_str_has_prefix (line, selinux_prefix))
-            {
-              const char *enabled_str = line + strlen (selinux_prefix);
-              if (g_ascii_strncasecmp (enabled_str, "enforcing", strlen ("enforcing")) == 0 ||
-                  g_ascii_strncasecmp (enabled_str, "permissive", strlen ("permissive")) == 0)
-                enabled = TRUE;
-            }
-        }
-    }
-
-  if (enabled)
-    ret_policy_root = g_file_get_child (etc_selinux_dir, policytype);
-    
-  ret = TRUE;
-  gs_transfer_out_value (out_policy_root, &ret_policy_root);
- out:
-  return ret;
-}
-
 static char *
 ptrarray_path_join (GPtrArray  *path)
 {
@@ -336,69 +261,43 @@ ptrarray_path_join (GPtrArray  *path)
 }
 
 static gboolean
-relabel_one_path (GFile         *path,
+relabel_one_path (OstreeSysroot  *sysroot,
+                  OstreeSePolicy *sepolicy,
+                  GFile         *path,
                   GFileInfo     *info,
                   GPtrArray     *path_parts,
-                  struct selabel_handle *hnd,
                   GCancellable   *cancellable,
                   GError        **error)
 {
   gboolean ret = FALSE;
-  guint32 mode;
   gs_free char *relpath = NULL;
-  char *con = NULL;
-
-  mode = g_file_info_get_attribute_uint32 (info, "unix::mode");
 
   relpath = ptrarray_path_join (path_parts);
-
-  if (selabel_lookup_raw (hnd, &con, relpath, mode) != 0)
-    {
-      g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-                   "selabel_lookup_raw(%s, %u): %s",
-                   relpath, mode, strerror (errno));
-      goto out;
-    }
-
-  if (S_ISLNK (mode))
-    {
-      if (lsetfilecon (gs_file_get_path_cached (path), con) != 0)
-        {
-          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-                       "lsetfilecon(%s): %s",
-                       gs_file_get_path_cached (path), strerror (errno));
-          goto out;
-        }
-    }
-  else
-    {
-      if (setfilecon (gs_file_get_path_cached (path), con) != 0)
-        {
-          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-                       "setfilecon(%s): %s",
-                       gs_file_get_path_cached (path), strerror (errno));
-          goto out;
-        }
-    }
+  if (!ostree_sepolicy_restorecon (sepolicy, relpath,
+                                   info, path,
+                                   OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL,
+                                   NULL,
+                                   cancellable, error))
+    goto out;
 
   ret = TRUE;
  out:
-  if (con) freecon (con);
   return ret;
 }
 
 static gboolean
-relabel_recursively (GFile          *dir,
+relabel_recursively (OstreeSysroot  *sysroot,
+                     OstreeSePolicy *sepolicy,
+                     GFile          *dir,
                      GFileInfo      *dir_info,
                      GPtrArray      *path_parts,
-                     struct selabel_handle *hnd,
                      GCancellable   *cancellable,
                      GError        **error)
 {
   gboolean ret = FALSE;
   gs_unref_object GFileEnumerator *direnum = NULL;
 
-  if (!relabel_one_path (dir, dir_info, path_parts, hnd,
+  if (!relabel_one_path (sysroot, sepolicy, dir, dir_info, path_parts,
                          cancellable, error))
     goto out;
 
@@ -425,13 +324,13 @@ relabel_recursively (GFile          *dir,
       ftype = g_file_info_get_file_type (file_info);
       if (ftype == G_FILE_TYPE_DIRECTORY)
         {
-          if (!relabel_recursively (child, file_info, path_parts, hnd,
+          if (!relabel_recursively (sysroot, sepolicy, child, file_info, path_parts,
                                     cancellable, error))
             goto out;
         }
       else
         {
-          if (!relabel_one_path (child, file_info, path_parts, hnd,
+          if (!relabel_one_path (sysroot, sepolicy, child, file_info, path_parts,
                                  cancellable, error))
             goto out;
         }
@@ -444,202 +343,116 @@ relabel_recursively (GFile          *dir,
   return ret;
 }
 
-#endif
-
-typedef struct {
-  gboolean have_policy;
-#ifdef HAVE_SELINUX
-  struct selabel_handle *hnd;
-#endif
-} OstreeLabelingContext;
-
-static gboolean
-init_labeling_context (GFile                         *deployment_etc,
-                       OstreeLabelingContext         *secontext,
-                       GCancellable                  *cancellable,
-                       GError                       **error)
-{
-#ifdef HAVE_SELINUX
-  gboolean ret = FALSE;
-  gs_unref_object GFile *policy_root = NULL;
-
-  if (!get_selinux_policy_root (deployment_etc, &policy_root,
-                                cancellable, error))
-    goto out;
-
-  if (policy_root)
-    {
-      secontext->have_policy = TRUE;
-
-      g_print ("ostadmin: Using SELinux policy '%s'\n", gs_file_get_basename_cached (policy_root));
-
-      if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0)
-        {
-          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-                       "selinux_set_policy_root(%s): %s",
-                       gs_file_get_path_cached (policy_root),
-                       strerror (errno));
-          goto out;
-        }
-      secontext->hnd = selabel_open (SELABEL_CTX_FILE, NULL, 0);
-      if (!secontext->hnd)
-        {
-          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-                       "selabel_open(SELABEL_CTX_FILE): %s",
-                       strerror (errno));
-          goto out;
-        }
-    }
-  else
-    secontext->have_policy = FALSE;
-
-  ret = TRUE;
- out:
-  return ret;
-#else
-  secontext->have_policy = FALSE;
-  return TRUE;
-#endif
-}
-
-static void
-ostree_labeling_context_cleanup (OstreeLabelingContext *secontext)
-{
-#ifdef HAVE_SELINUX
-  if (secontext->hnd)
-    selabel_close (secontext->hnd);
-#endif
-}
-
 static gboolean
 selinux_relabel_dir (OstreeSysroot                 *sysroot,
-                     OstreeLabelingContext  *secontext,
+                     OstreeSePolicy                *sepolicy,
                      GFile                         *dir,
                      const char                    *prefix,
                      GCancellable                  *cancellable,
                      GError                       **error)
 {
-#ifdef HAVE_SELINUX
   gboolean ret = FALSE;
   gs_unref_ptrarray GPtrArray *path_parts = g_ptr_array_new ();
   gs_unref_object GFileInfo *root_info = NULL;
 
-  if (secontext->have_policy)
+  root_info = g_file_query_info (dir, OSTREE_GIO_FAST_QUERYINFO,
+                                 G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+                                 cancellable, error);
+  if (!root_info)
+    goto out;
+  
+  g_ptr_array_add (path_parts, (char*)prefix);
+  if (!relabel_recursively (sysroot, sepolicy, dir, root_info, path_parts,
+                            cancellable, error))
     {
-      root_info = g_file_query_info (dir, OSTREE_GIO_FAST_QUERYINFO,
-                                     G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
-                                     cancellable, error);
-      if (!root_info)
-        goto out;
-
-      g_ptr_array_add (path_parts, (char*)prefix);
-      if (!relabel_recursively (dir, root_info, path_parts, secontext->hnd,
-                                cancellable, error))
-        {
-          g_prefix_error (error, "Relabeling /%s: ", prefix);
-          goto out;
-        }
+      g_prefix_error (error, "Relabeling /%s: ", prefix);
+      goto out;
     }
 
   ret = TRUE;
  out:
   return ret;
-#else
-  return TRUE;
-#endif
 }
 
-#ifdef HAVE_SELINUX
 static gboolean
-selinux_relabel_file (OstreeLabelingContext         *secontext,
+selinux_relabel_file (OstreeSysroot                 *sysroot,
+                      OstreeSePolicy                *sepolicy,
                       GFile                         *path,
                       const char                    *prefix,
                       GCancellable                  *cancellable,
                       GError                       **error)
 {
   gboolean ret = FALSE;
+  gs_unref_ptrarray GPtrArray *path_parts = g_ptr_array_new ();
+  gs_unref_object GFileInfo *file_info = g_file_query_info (path, OSTREE_GIO_FAST_QUERYINFO,
+                                                            G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+                                                            cancellable, error);
+  if (!file_info)
+    goto out;
 
-  if (secontext->have_policy)
+  g_ptr_array_add (path_parts, (char*)prefix);
+  g_ptr_array_add (path_parts, (char*)gs_file_get_basename_cached (path));
+  if (!relabel_one_path (sysroot, sepolicy, path, file_info, path_parts,
+                         cancellable, error))
     {
-      gs_unref_ptrarray GPtrArray *path_parts = g_ptr_array_new ();
-      gs_unref_object GFileInfo *file_info = g_file_query_info (path, OSTREE_GIO_FAST_QUERYINFO,
-                                                                G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
-                                                                cancellable, error);
-      if (!file_info)
-        goto out;
-
-      g_ptr_array_add (path_parts, (char*)prefix);
-      g_ptr_array_add (path_parts, (char*)gs_file_get_basename_cached (path));
-      if (!relabel_one_path (path, file_info, path_parts, secontext->hnd,
-                             cancellable, error))
-        {
-          g_prefix_error (error, "Relabeling /%s/%s: ", prefix,
-                          gs_file_get_basename_cached (path));
-          goto out;
-        }
+      g_prefix_error (error, "Relabeling /%s/%s: ", prefix,
+                      gs_file_get_basename_cached (path));
+      goto out;
     }
 
   ret = TRUE;
  out:
   return ret;
 }
-#endif
 
 static gboolean
 selinux_relabel_var_if_needed (OstreeSysroot                 *sysroot,
-                               OstreeLabelingContext  *secontext,
+                               OstreeSePolicy                *sepolicy,
                                GFile                         *deployment_var_path,
                                GCancellable                  *cancellable,
                                GError                       **error)
 {
-#ifdef HAVE_SELINUX
   gboolean ret = FALSE;
-
-  if (secontext->have_policy)
-    {
-      /* This is a bit of a hack; we should change the code at some
-       * point in the distant future to only create (and label) /var
-       * when doing a deployment.
-       */
-      gs_unref_object GFile *deployment_var_labeled = 
-        g_file_get_child (deployment_var_path, ".ostree-selabeled");
-      gs_unref_object GFile *deployment_var_labeled_tmp = 
-        g_file_get_child (deployment_var_path, ".ostree-selabeled.tmp");
+  /* This is a bit of a hack; we should change the code at some
+   * point in the distant future to only create (and label) /var
+   * when doing a deployment.
+   */
+  gs_unref_object GFile *deployment_var_labeled = 
+    g_file_get_child (deployment_var_path, ".ostree-selabeled");
+  gs_unref_object GFile *deployment_var_labeled_tmp = 
+    g_file_get_child (deployment_var_path, ".ostree-selabeled.tmp");
       
-      if (!g_file_query_exists (deployment_var_labeled, NULL))
+  if (!g_file_query_exists (deployment_var_labeled, NULL))
+    {
+      g_print ("ostadmin: Didn't find '%s', relabeling /var\n",
+               gs_file_get_path_cached (deployment_var_labeled));
+
+      if (!selinux_relabel_dir (sysroot, sepolicy,
+                                deployment_var_path, "var",
+                                cancellable, error))
         {
-          g_print ("ostadmin: Didn't find '%s', relabeling /var\n",
-                   gs_file_get_path_cached (deployment_var_labeled));
+          g_prefix_error (error, "Relabeling /var: ");
+          goto out;
+        }
 
-          if (!selinux_relabel_dir (sysroot, secontext,
-                                    deployment_var_path, "var",
+      if (!g_file_replace_contents (deployment_var_labeled_tmp, "", 0, NULL, FALSE,
+                                    G_FILE_CREATE_REPLACE_DESTINATION, NULL,
                                     cancellable, error))
-            {
-              g_prefix_error (error, "Relabeling /var: ");
-              goto out;
-            }
-
-          if (!g_file_replace_contents (deployment_var_labeled_tmp, "", 0, NULL, FALSE,
-                                        G_FILE_CREATE_REPLACE_DESTINATION, NULL,
-                                        cancellable, error))
-            goto out;
+        goto out;
           
-          if (!selinux_relabel_file (secontext, deployment_var_labeled_tmp, "var",
-                                     cancellable, error))
-            goto out;
+      if (!selinux_relabel_file (sysroot, sepolicy,
+                                 deployment_var_labeled_tmp, "var",
+                                 cancellable, error))
+        goto out;
 
-          if (!gs_file_rename (deployment_var_labeled_tmp, deployment_var_labeled,
-                               cancellable, error))
-            goto out;
-        }
+      if (!gs_file_rename (deployment_var_labeled_tmp, deployment_var_labeled,
+                           cancellable, error))
+        goto out;
     }
 
   ret = TRUE;
  out:
   return ret;
-#else
-  return TRUE;
-#endif
 }
 
 static gboolean
@@ -647,6 +460,7 @@ merge_configuration (OstreeSysroot         *sysroot,
                      OstreeDeployment      *previous_deployment,
                      OstreeDeployment      *deployment,
                      GFile                 *deployment_path,
+                     OstreeSePolicy       **out_sepolicy,
                      GCancellable          *cancellable,
                      GError               **error)
 {
@@ -655,6 +469,7 @@ merge_configuration (OstreeSysroot         *sysroot,
   gs_unref_object GFile *source_etc_pristine_path = NULL;
   gs_unref_object GFile *deployment_usretc_path = NULL;
   gs_unref_object GFile *deployment_etc_path = NULL;
+  gs_unref_object OstreeSePolicy *sepolicy = NULL;
   gboolean etc_exists;
   gboolean usretc_exists;
 
@@ -703,21 +518,26 @@ merge_configuration (OstreeSysroot         *sysroot,
   
   if (usretc_exists)
     {
-      __attribute__((cleanup(ostree_labeling_context_cleanup))) OstreeLabelingContext new_default_secontext 
= { 0, };
-
       /* TODO - set out labels as we copy files */
       g_assert (!etc_exists);
       if (!gs_shutil_cp_a (deployment_usretc_path, deployment_etc_path,
                            cancellable, error))
         goto out;
 
-      if (!init_labeling_context (deployment_etc_path, &new_default_secontext,
-                                  cancellable, error))
+      /* Here, we initialize SELinux policy from the /usr/etc inside
+       * the root - this is before we've finalized the configuration
+       * merge into /etc. */
+      sepolicy = ostree_sepolicy_new (deployment_path, cancellable, error);
+      if (!sepolicy)
         goto out;
 
-      if (!selinux_relabel_dir (sysroot, &new_default_secontext, deployment_etc_path, "etc",
-                                cancellable, error))
-        goto out;
+      if (ostree_sepolicy_get_name (sepolicy) != NULL)
+        {
+          g_print ("ostadmin: Using SELinux policy '%s'\n", ostree_sepolicy_get_name (sepolicy));
+          if (!selinux_relabel_dir (sysroot, sepolicy, deployment_etc_path, "etc",
+                                    cancellable, error))
+            goto out;
+        }
       g_print ("ostadmin: Created %s\n", gs_file_get_path_cached (deployment_etc_path));
     }
 
@@ -733,6 +553,7 @@ merge_configuration (OstreeSysroot         *sysroot,
     }
 
   ret = TRUE;
+  gs_transfer_out_value (out_sepolicy, &sepolicy);
  out:
   return ret;
 }
@@ -1507,7 +1328,6 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
 {
   gboolean ret = FALSE;
   gint new_deployserial;
-  __attribute__((cleanup(ostree_labeling_context_cleanup))) OstreeLabelingContext secontext = { 0, };
   gs_unref_object OstreeDeployment *new_deployment = NULL;
   gs_unref_object OstreeDeployment *merge_deployment = NULL;
   gs_unref_object OstreeRepo *repo = NULL;
@@ -1518,6 +1338,7 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
   gs_unref_object GFile *tree_kernel_path = NULL;
   gs_unref_object GFile *tree_initramfs_path = NULL;
   gs_unref_object GFile *new_deployment_path = NULL;
+  gs_unref_object OstreeSePolicy *sepolicy = NULL;
   gs_free char *new_bootcsum = NULL;
   gs_unref_object OstreeBootconfigParser *bootconfig = NULL;
 
@@ -1590,6 +1411,7 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
 
   if (!merge_configuration (self, merge_deployment, new_deployment,
                             new_deployment_path,
+                            &sepolicy,
                             cancellable, error))
     {
       g_prefix_error (error, "During /etc merge: ");
@@ -1598,10 +1420,7 @@ ostree_sysroot_deploy_tree (OstreeSysroot     *self,
 
   deployment_etc = g_file_get_child (new_deployment_path, "etc");
 
-  if (!init_labeling_context (deployment_etc, &secontext, cancellable, error))
-    goto out;
-  
-  if (!selinux_relabel_var_if_needed (self, &secontext, deployment_var,
+  if (!selinux_relabel_var_if_needed (self, sepolicy, deployment_var,
                                       cancellable, error))
     goto out;
 
diff --git a/src/libostree/ostree-types.h b/src/libostree/ostree-types.h
index b15cbbc..8be1258 100644
--- a/src/libostree/ostree-types.h
+++ b/src/libostree/ostree-types.h
@@ -27,6 +27,7 @@
 G_BEGIN_DECLS
 
 typedef struct OstreeRepo OstreeRepo;
+typedef struct OstreeSePolicy OstreeSePolicy;
 typedef struct OstreeSysroot OstreeSysroot;
 typedef struct OstreeMutableTree OstreeMutableTree;
 typedef struct OstreeRepoFile OstreeRepoFile;


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]