From: Daan De Meyer
Date: Tue, 14 Feb 2023 12:01:17 +0000 (+0100)
Subject: Relabel image when selinux policy is installed
X-Git-Tag: v15~329
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cdef7ba19d4e85cfe4df0d27336d7950a42bb0da;p=thirdparty%2Fmkosi.git

Relabel image when selinux policy is installed

If an selinux policy is installed in the image, let's relabel it automatically.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index dc90e9fd7..3ee494a00 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3086,6 +3086,25 @@ def run_preset_all(state: MkosiState) -> None:
 run(["systemctl", "--root", state.root, "preset-all"])
+def run_selinux_relabel(state: MkosiState) -> None:
+ selinux = state.root / "etc/selinux/config"
+ if not selinux.exists():
+ return
+
+ policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"], text=True, stdout=subprocess.PIPE).stdout.strip()
+ if not policy:
+ return
+
+ fc = Path('/etc/selinux') / policy / 'contexts/files/file_contexts'
+
+ # We want to be able to relabel the underlying APIVFS mountpoints, so mount root non-recursive to a
+ # temporary location so that the underlying mountpoints become visible.
+ cmd = f"mkdir /tmp/relabel && mount --bind / /tmp/relabel && exec setfiles -m -r /tmp/relabel -F {fc} /tmp/relabel || exit $?"
+
+ with complete_step(f"Relabeling files using {policy} policy"):
+ run_workspace_command(state, ["sh", "-c", cmd])
+
+
 def reuse_cache_tree(state: MkosiState) -> bool:
 if not state.config.incremental:
 return False
@@ -3230,6 +3249,7 @@ def build_image(state: MkosiState, *, manifest: Optional[Manifest] = None) -> No
 reset_machine_id(state)
 reset_random_seed(state.root)
 run_finalize_script(state)
+ run_selinux_relabel(state)
 roothash = invoke_repart(state, skip=("esp", "xbootldr"))
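Review bot: In `run_selinux_relabel`, the `SELINUXTYPE` lookup sources `etc/selinux/config` from the image tree with `sh -c` through plain `run(...)`. That call appears to execute on the build host rather than inside the workspace, so any shell syntax in that file would run with the builder's privileges, and the path itself is interpolated unquoted. The resulting `policy` value is then pasted unvalidated into the second `sh -c` string via `{fc}`. Reading the file as data and accepting only a conservative character set for the policy name closes both paths; the project's own error helper may be a better fit than the `ValueError` sketched below. Separately, `mkdir /tmp/relabel` fails if the directory already exists, and the hunk shows no cleanup of the directory or the bind mount after `setfiles`.

```python
def run_selinux_relabel(state: MkosiState) -> None:
    selinux = state.root / "etc/selinux/config"
    if not selinux.exists():
        return

    # Treat the image's config as data: parse KEY=VALUE lines instead of sourcing it in a shell.
    policy = ""
    for line in selinux.read_text().splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SELINUXTYPE":
            policy = value.strip()
    if not policy:
        return

    # The name ends up in a path and in a shell command line, so refuse anything unexpected.
    if not all(c.isascii() and (c.isalnum() or c in "-_") for c in policy):
        raise ValueError(f"Unexpected SELINUXTYPE value in {selinux}: {policy!r}")

    # … unchanged: fc path, relabel command and run_workspace_command call …
```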