From: Daan De Meyer
Date: Wed, 10 Jan 2024 15:47:58 +0000 (+0100)
Subject: Check for all required setfiles inputs in want_selinux_relabel()
X-Git-Tag: v20.1~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9957a8c1c2934fef5c0ecbadef45c72cbc9d3b1;p=thirdparty%2Fmkosi.git

Check for all required setfiles inputs in want_selinux_relabel()

On Debian when policycoreutils is installed a policy is configured without a matching binary policy being installed, so we have to check that all parts are there.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 0edf6f269..749f028af 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2348,18 +2348,10 @@ def run_firstboot(context: Context) -> None:
 
 
 def run_selinux_relabel(context: Context) -> None:
-    if not (policy := want_selinux_relabel(context.config, context.root)):
+    if not (selinux := want_selinux_relabel(context.config, context.root)):
         return
 
-    fc = context.root / "etc/selinux" / policy / "contexts/files/file_contexts"
-    binpolicydir = context.root / "etc/selinux" / policy / "policy"
-
-    try:
-        # The policy file is named policy.XX where XX is the policy version that indicates what features are
-        # available. It's not expected for there to be more than one file in this directory.
-        binpolicy = next(binpolicydir.iterdir())
-    except StopIteration:
-        die(f"SELinux binary policy not found in {binpolicydir}")
+    policy, fc, binpolicy = selinux
 
     with complete_step(f"Relabeling files using {policy} policy"):
         run(["setfiles", "-mFr", context.root, "-c", binpolicy, fc, context.root],
diff --git a/mkosi/config.py b/mkosi/config.py
index d8d476418..46b0c7ba3 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
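Review bot: The bare `return` after the walrus reads as an unconditional silent skip, while the actual policy is that `want_selinux_relabel()` (called here with its default `fatal=True`) dies itself when relabeling is explicitly enabled and an input is missing, so only the disabled and auto-but-unavailable cases reach this line; that deserves a one-line comment at the `return`, e.g. `# None: relabeling disabled, or auto mode with setfiles/file_contexts/policy missing (explicit enable dies inside want_selinux_relabel())`. Since the helper returns either None or a three-tuple, `if (selinux := want_selinux_relabel(context.config, context.root)) is None:` states the intent more directly than truthiness on the tuple. The `with complete_step(...)` body continues past the end of the hunk.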
@@ -3568,7 +3568,7 @@ def json_type_transformer(refcls: Union[type[Args], type[Config]]) -> Callable[[
     return json_transformer
 
 
-def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[str]:
+def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[tuple[str, Path, Path]]:
     if config.selinux_relabel == ConfigFeature.disabled:
         return None
 
@@ -3587,8 +3587,25 @@ def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Opti
         return None
 
     if not find_binary("setfiles", root=config.tools()):
-        if fatal:
-            logging.info("setfiles is not installed, not relabeling files")
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die("SELinux relabel is requested but setfiles is not installed")
+        return None
+
+    fc = root / "etc/selinux" / policy / "contexts/files/file_contexts"
+    if not fc.exists():
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die(f"SELinux relabel is requested but SELinux file contexts not found in {fc}")
+        return None
+
+    binpolicydir = root / "etc/selinux" / policy / "policy"
+
+    try:
+        # The policy file is named policy.XX where XX is the policy version that indicates what features are
+        # available. It's not expected for there to be more than one file in this directory.
+        binpolicy = next(binpolicydir.glob("*"))
+    except StopIteration:
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die(f"SELinux relabel is requested but SELinux binary policy not found in {binpolicydir}")
         return None
 
-    return policy
+    return policy, fc, binpolicy
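Review bot: In the second hunk the new `if fatal and config.selinux_relabel == ConfigFeature.enabled:` guard drops the `logging.info("setfiles is not installed, not relabeling files")` hint the old branch emitted for the auto case, so with `selinux_relabel=auto` a missing setfiles, file_contexts or binary policy now disables relabeling with no trace in the log, and the same guard is repeated three times. A small local helper that dies when relabeling is explicitly requested and otherwise logs the reason keeps one copy of the condition and restores the hint, as sketched below. The switch from `iterdir()` to `glob("*")` is presumably what makes a missing `policy` directory land in the `StopIteration` branch instead of raising `FileNotFoundError`; that deserves a comment, and `glob("policy.*")` would match the naming assumption the comment states instead of any stray entry in the directory. The return-type change in the first hunk would also benefit from a docstring stating the `(policy name, file_contexts path, binary policy path)` order that `run_selinux_relabel()` unpacks. `want_selinux_relabel()` starts before the second hunk.
```python
    # … unchanged: disabled / policy-config checks …

    def missing(reason: str) -> None:
        # An explicitly enabled relabel must not be skipped silently; in auto mode keep the
        # informational hint so a skipped relabel is still visible in the log.
        if fatal and config.selinux_relabel == ConfigFeature.enabled:
            die(f"SELinux relabel is requested but {reason}")
        if fatal:
            logging.info("%s, not relabeling files", reason)

    if not find_binary("setfiles", root=config.tools()):
        missing("setfiles is not installed")
        return None

    fc = root / "etc/selinux" / policy / "contexts/files/file_contexts"
    if not fc.exists():
        missing(f"SELinux file contexts not found in {fc}")
        return None

    binpolicydir = root / "etc/selinux" / policy / "policy"

    try:
        # The policy file is named policy.XX where XX is the policy version that indicates what features are
        # available. glob() (unlike iterdir()) yields nothing for a missing directory, so that case lands in
        # the StopIteration branch as well. It's not expected for there to be more than one file here.
        binpolicy = next(binpolicydir.glob("policy.*"))
    except StopIteration:
        missing(f"SELinux binary policy not found in {binpolicydir}")
        return None

    return policy, fc, binpolicy
```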