[ostree] Explicitly label .origin files as configuration
- From: Colin Walters <walters src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [ostree] Explicitly label .origin files as configuration
- Date: Sun, 25 Jan 2015 14:14:47 +0000 (UTC)
commit 6ce80f9685e6273dbcb4731d6650a10976ea220a
Author: Colin Walters <walters verbum org>
Date: Thu Jan 22 17:35:32 2015 -0500
Explicitly label .origin files as configuration
subscription-manager has a daemon that runs in a confined domain,
and it doesn't have permission to write usr_t, which is the default
label of /ostree/deploy/$osname/deploy.
A better long term fix is probably to move the origin file into the
deployment root as /etc/ostree/origin.conf or so.
In the meantime, let's ensure the .origin files are labeled as
configuration.
src/libostree/ostree-sepolicy.c | 61 ++++++++++++++++++++++++++++++++
src/libostree/ostree-sepolicy.h | 9 +++++
src/libostree/ostree-sysroot-deploy.c | 33 +++++++++++++----
src/libostree/ostree-sysroot-private.h | 2 +
src/libostree/ostree-sysroot.c | 1 +
5 files changed, 99 insertions(+), 7 deletions(-)
---
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c
index c928ee3..91c78b4 100644
--- a/src/libostree/ostree-sepolicy.c
+++ b/src/libostree/ostree-sepolicy.c
@@ -45,6 +45,8 @@ struct OstreeSePolicy {
GFile *path;
+ gboolean runtime_enabled;
+
#ifdef HAVE_SELINUX
GFile *selinux_policy_root;
struct selabel_handle *selinux_hnd;
@@ -221,6 +223,8 @@ initable_init (GInitable *initable,
if (enabled)
{
+ self->runtime_enabled = is_selinux_enabled () == 1;
+
g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE);
if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0)
{
@@ -454,3 +458,60 @@ ostree_sepolicy_restorecon (OstreeSePolicy *self,
return TRUE;
#endif
}
+
+/**
+ * ostree_sepolicy_setfscreatecon:
+ * @self: Policy
+ * @path: Use this path to determine a label
+ * @mode: Used along with @path
+ * @error: Error
+ *
+ */
+gboolean
+ostree_sepolicy_setfscreatecon (OstreeSePolicy *self,
+ const char *path,
+ guint32 mode,
+ GError **error)
+{
+#ifdef HAVE_SELINUX
+ gboolean ret = FALSE;
+ gs_free char *label = NULL;
+
+ /* setfscreatecon() will bomb out if the host has SELinux disabled,
+ * but we're enabled for the target system. This is kind of a
+ * broken scenario...for now, we'll silently ignore the label
+ * request. To correctly handle the case of disabled host but
+ * enabled target will require nontrivial work.
+ */
+ if (!self->runtime_enabled)
+ return TRUE;
+
+ if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error))
+ goto out;
+
+ if (setfscreatecon_raw (label) != 0)
+ {
+ gs_set_error_from_errno (error, errno);
+ return FALSE;
+ }
+
+ ret = TRUE;
+ out:
+ return ret;
+#else
+ return TRUE;
+#endif
+}
+
+/**
+ * ostree_sepolicy_fscreatecon_cleanup:
+ *
+ * Cleanup function for ostree_sepolicy_setfscreatecon().
+ */
+void
+ostree_sepolicy_fscreatecon_cleanup (void **unused)
+{
+#ifdef HAVE_SELINUX
+ setfscreatecon (NULL);
+#endif
+}
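Review bot: `ostree_sepolicy_fscreatecon_cleanup` discards the result of `setfscreatecon (NULL)`, so if the reset fails the calling thread keeps the origin-file creation context and every file it creates afterwards is labeled as configuration with no indication that anything went wrong. At minimum the failure should be logged, e.g. `if (setfscreatecon (NULL) != 0) g_warning ("Failed to reset fscreatecon: %s", g_strerror (errno));`. Separately, if `ostree_sepolicy_get_label` can return TRUE while leaving `label` NULL (its body is not visible here, so this needs confirming), `setfscreatecon_raw (label)` would clear the context rather than set one, and the function would report success with the file left at its default label; a `label == NULL` check before the call would make that case explicit. The empty doc comment on `ostree_sepolicy_setfscreatecon` should state that it changes thread-wide creation state and must be paired with the cleanup function.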
diff --git a/src/libostree/ostree-sepolicy.h b/src/libostree/ostree-sepolicy.h
index 19a067e..0c5d215 100644
--- a/src/libostree/ostree-sepolicy.h
+++ b/src/libostree/ostree-sepolicy.h
@@ -62,5 +62,14 @@ gboolean ostree_sepolicy_restorecon (OstreeSePolicy *self,
GCancellable *cancellable,
GError **error);
+gboolean ostree_sepolicy_setfscreatecon (OstreeSePolicy *self,
+ const char *path,
+ guint32 mode,
+ GError **error);
+
+void ostree_sepolicy_fscreatecon_cleanup (void **unused);
+
+#define ostree_cleanup_sepolicy_fscreatecon __attribute__ ((cleanup(ostree_sepolicy_fscreatecon_cleanup)))
+
G_END_DECLS
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index b328932..f7c8dcf 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -1893,13 +1893,6 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self,
goto out;
}
- if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL,
- cancellable, error))
- {
- g_prefix_error (error, "Writing out origin file: ");
- goto out;
- }
-
/* Create an empty boot configuration; we will merge things into
* it as we go.
*/
@@ -1915,6 +1908,9 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self,
goto out;
}
+ g_clear_object (&self->sepolicy);
+ self->sepolicy = g_object_ref (sepolicy);
+
deployment_etc = g_file_get_child (new_deployment_path, "etc");
if (!selinux_relabel_var_if_needed (self, sepolicy, deployment_var,
@@ -1925,6 +1921,29 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self,
cancellable, error))
goto out;
+ { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL;
+
+ /* Explicitly override the label for the origin file to ensure
+ * it's system_conf_t.
+ */
+ if (self->sepolicy != NULL
+ && ostree_sepolicy_get_name (self->sepolicy) != NULL)
+ {
+ if (!ostree_sepolicy_setfscreatecon (self->sepolicy,
+ "/etc/ostree/remotes.d/dummy.conf",
+ 0644,
+ error))
+ goto out;
+ }
+
+ if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL,
+ cancellable, error))
+ {
+ g_prefix_error (error, "Writing out origin file: ");
+ goto out;
+ }
+ }
+
/* After this, install_deployment_kernel() will set the other boot
* options and write it out to disk.
*/
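Review bot: The label for the origin file is looked up from the unrelated literal path `"/etc/ostree/remotes.d/dummy.conf"`, so the resulting type depends on how the target policy labels that directory. The `system_conf_t` named in the comment is therefore an assumption, not something the code verifies. Moving the literal into a named constant with a comment such as `/* Proxy path: we want whatever type the policy assigns to files under /etc/ostree, since .origin lives outside /etc */` would make that dependency visible to whoever changes the policy or this path later. The `goto out` after a failed `ostree_sepolicy_setfscreatecon` also propagates the raw errno message with no prefix, unlike the origin-file write below it; `g_prefix_error (error, "Setting origin file label: ");` would keep the two consistent. The enclosing `ostree_sysroot_deploy_tree` starts and ends outside this hunk.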
diff --git a/src/libostree/ostree-sysroot-private.h b/src/libostree/ostree-sysroot-private.h
index 28b0feb..97aa9e8 100644
--- a/src/libostree/ostree-sysroot-private.h
+++ b/src/libostree/ostree-sysroot-private.h
@@ -34,6 +34,8 @@ struct OstreeSysroot {
gboolean loaded;
+ OstreeSePolicy *sepolicy;
+
GPtrArray *deployments;
int bootversion;
int subbootversion;
diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
index 64a5e5b..d415008 100644
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@@ -63,6 +63,7 @@ ostree_sysroot_finalize (GObject *object)
OstreeSysroot *self = OSTREE_SYSROOT (object);
g_clear_object (&self->path);
+ g_clear_object (&self->sepolicy);
G_OBJECT_CLASS (ostree_sysroot_parent_class)->finalize (object);
}