From: Daan De Meyer
Date: Tue, 9 Jan 2024 07:49:00 +0000 (+0100)
Subject: Only set --security-label if the filesystem was relabeled
X-Git-Tag: v20~4^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ffba6daec10334787beb5de78f5993d2df62baa;p=thirdparty%2Fmkosi.git

Only set --security-label if the filesystem was relabeled

Otherwise we run into virtiofsd errors when operating on non relabeled directories with --security-label enabled.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 924dc9f48..ab42a1876 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -43,6 +43,7 @@ from mkosi.config import (
 format_tree,
 parse_config,
 summary,
+ want_selinux_relabel,
 yes_no,
 )
 from mkosi.context import Context
@@ -2354,25 +2355,7 @@ def run_firstboot(context: Context) -> None:
 
 
 def run_selinux_relabel(context: Context) -> None:
- if context.config.selinux_relabel == ConfigFeature.disabled:
- return
-
- selinux = context.root / "etc/selinux/config"
- if not selinux.exists():
- if context.config.selinux_relabel == ConfigFeature.enabled:
- die("SELinux relabel is requested but could not find selinux config at /etc/selinux/config")
- return
-
- policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"],
- sandbox=context.sandbox(options=["--ro-bind", selinux, selinux]),
- stdout=subprocess.PIPE).stdout.strip()
- if not policy:
- if context.config.selinux_relabel == ConfigFeature.enabled:
- die("SELinux relabel is requested but no selinux policy is configured in /etc/selinux/config")
- return
-
- if not find_binary("setfiles", root=context.config.tools()):
- logging.info("setfiles is not installed, not relabeling files")
+ if not (policy := want_selinux_relabel(context.config, context.root)):
 return
 
 fc = context.root / "etc/selinux" / policy / "contexts/files/file_contexts"
diff --git a/mkosi/config.py b/mkosi/config.py
index 0b57548e8..8209a58ef 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -3561,3 +3561,29 @@ def json_type_transformer(refcls: Union[type[Args], type[Config]]) -> Callable[[
 return val
 
 return json_transformer
+
+
+def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[str]:
+ if config.selinux_relabel == ConfigFeature.disabled:
+ return None
+
+ selinux = root / "etc/selinux/config"
+ if not selinux.exists():
+ if fatal and config.selinux_relabel == ConfigFeature.enabled:
+ die("SELinux relabel is requested but could not find selinux config at /etc/selinux/config")
+ return None
+
+ policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"],
+ sandbox=config.sandbox(options=["--ro-bind", selinux, selinux]),
+ stdout=subprocess.PIPE).stdout.strip()
+ if not policy:
+ if fatal and config.selinux_relabel == ConfigFeature.enabled:
+ die("SELinux relabel is requested but no selinux policy is configured in /etc/selinux/config")
+ return None
+
+ if not find_binary("setfiles", root=config.tools()):
+ if fatal:
+ logging.info("setfiles is not installed, not relabeling files")
+ return None
+
+ return policy
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 267df7f22..fa3d518f1 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -30,6 +30,7 @@ from mkosi.config import (
 QemuFirmware,
 QemuVsockCID,
 format_bytes,
+ want_selinux_relabel,
 )
 from mkosi.log import die
 from mkosi.partition import finalize_root, find_partitions
@@ -326,7 +327,7 @@ def start_virtiofsd(config: Config, directory: Path, *, uidmap: bool) -> Iterato
 "--sandbox=chroot",
 ]
 
- if not uidmap:
+ if not uidmap and want_selinux_relabel(config, directory, fatal=False):
 cmdline += ["--security-label"]
 
 # We create the socket ourselves and pass the fd to virtiofsd to avoid race conditions where we start qemu
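Review bot: `want_selinux_relabel` has no docstring, and its `fatal` flag is a positional boolean even though the one caller in this commit passes it as `fatal=False`; making it keyword-only, `def want_selinux_relabel(config: Config, root: Path, *, fatal: bool = True) -> Optional[str]:`, keeps every future call site explicit. The docstring should state that the return value is the SELINUXTYPE read from `root/etc/selinux/config`, or `None` when relabeling is disabled, the config or policy is missing, or `setfiles` is absent from the tools tree, and that `fatal=False` suppresses both `die()` calls and the "setfiles is not installed" info log — the flag silences a non-fatal message too, so its name undersells what it gates. Since the policy string comes straight out of `echo $SELINUXTYPE` and is later joined into a path under the root (`context.root / "etc/selinux" / policy / ...` in `run_selinux_relabel`), a cheap sanity check such as `if "/" in policy: die("invalid SELINUXTYPE in /etc/selinux/config")` would make a malformed value fail with a clear message instead of producing an odd `file_contexts` path.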
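Review bot: The new condition `if not uidmap and want_selinux_relabel(config, directory, fatal=False):` infers "was relabeled" from the current configuration and the current tools tree rather than from the directory itself, so it can disagree with what actually happened at build time — an image built while `setfiles` was unavailable, or with the relabel setting changed since, would either reintroduce the virtiofsd failure this commit fixes or drop `--security-label` for a tree that does carry labels. A comment stating the proxy and its limit would help the next reader, e.g. `# Re-run the build-time relabel decision for this tree: virtiofsd fails with --security-label on an unlabeled directory, and we cannot tell here whether setfiles actually ran.` Note also that the probe spawns a sandboxed `sh -c` sourcing `<directory>/etc/selinux/config` for every virtiofsd instance, which is presumably harmless for non-image directories (the file is simply absent) but worth a word in the same comment. `start_virtiofsd` starts and ends outside the hunk.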