Check for all required setfiles inputs in want_selinux_relabel()

On Debian when policycoreutils is installed a policy is configured
without a matching binary policy being installed, so we have to
check that all parts are there.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 0edf6f269b59ddc5daf1f8b1528c57a0e89f4225..749f028af930e3f13f52b812fc9de676abefb4d8 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2348,18 +2348,10 @@ def run_firstboot(context: Context) -> None:
 
 
 def run_selinux_relabel(context: Context) -> None:
-    if not (policy := want_selinux_relabel(context.config, context.root)):
+    if not (selinux := want_selinux_relabel(context.config, context.root)):
         return
 
-    fc = context.root / "etc/selinux" / policy / "contexts/files/file_contexts"
-    binpolicydir = context.root / "etc/selinux" / policy / "policy"
-
-    try:
-        # The policy file is named policy.XX where XX is the policy version that indicates what features are
-        # available. It's not expected for there to be more than one file in this directory.
-        binpolicy = next(binpolicydir.iterdir())
-    except StopIteration:
-        die(f"SELinux binary policy not found in {binpolicydir}")
+    policy, fc, binpolicy = selinux
 
     with complete_step(f"Relabeling files using {policy} policy"):
         run(["setfiles", "-mFr", context.root, "-c", binpolicy, fc, context.root],

diff --git a/mkosi/config.py b/mkosi/config.py
index d8d476418d6f5f2780054a8617986365403b62a8..46b0c7ba39120c832f5bdff1f93939fb51bf7289 100644 (file)
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -3568,7 +3568,7 @@ def json_type_transformer(refcls: Union[type[Args], type[Config]]) -> Callable[[
     return json_transformer
 
 
-def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[str]:
+def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[tuple[str, Path, Path]]:
     if config.selinux_relabel == ConfigFeature.disabled:
         return None
 
@@ -3587,8 +3587,25 @@ def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Opti
         return None
 
     if not find_binary("setfiles", root=config.tools()):
-        if fatal:
-            logging.info("setfiles is not installed, not relabeling files")
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die("SELinux relabel is requested but setfiles is not installed")
+        return None
+
+    fc = root / "etc/selinux" / policy / "contexts/files/file_contexts"
+    if not fc.exists():
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die(f"SELinux relabel is requested but SELinux file contexts not found in {fc}")
+        return None
+
+    binpolicydir = root / "etc/selinux" / policy / "policy"
+
+    try:
+        # The policy file is named policy.XX where XX is the policy version that indicates what features are
+        # available. It's not expected for there to be more than one file in this directory.
+        binpolicy = next(binpolicydir.glob("*"))
+    except StopIteration:
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die(f"SELinux relabel is requested but SELinux binary policy not found in {binpolicydir}")
         return None
 
-    return policy
+    return policy, fc, binpolicy