From: Daan De Meyer Date: Thu, 20 Jul 2023 10:39:54 +0000 (+0200) Subject: Rework selinux labelling X-Git-Tag: v15~72^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1686%2Fhead;p=thirdparty%2Fmkosi.git Rework selinux labelling Let's run setfiles on the host instead of inside the image. To make this work, we have to explicitly tell it to use the binary policy from the image to check contexts against. --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 570b150c5..90ab69446 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -1579,19 +1579,22 @@ def run_selinux_relabel(state: MkosiState) -> None: if not policy: return - fc = Path('/etc/selinux') / policy / 'contexts/files/file_contexts' + if not shutil.which("setfiles"): + logging.info("setfiles is not installed, not relabeling files") + return + + fc = state.root / "etc/selinux" / policy / "contexts/files/file_contexts" + binpolicydir = state.root / "etc/selinux" / policy / "policy" - # We want to be able to relabel the underlying APIVFS mountpoints, so mount root non-recursive to a - # temporary location so that the underlying mountpoints become visible. - cmd = f"mkdir /tmp/relabel && mount --bind / /tmp/relabel && exec setfiles -m -r /tmp/relabel -F {fc} /tmp/relabel || exit $?" + try: + # The policy file is named policy.XX where XX is the policy version that indicates what features are + # available. It's not expected for there to be more than one file in this directory. + binpolicy = next(binpolicydir.iterdir()) + except StopIteration: + die(f"SELinux binary policy not found in {binpolicydir}") with complete_step(f"Relabeling files using {policy} policy"): - bwrap( - cmd=["chroot", "sh", "-c", cmd], - apivfs=state.root, - scripts=dict(chroot=chroot_cmd(state.root)), - env=state.config.environment, - ) + run(["setfiles", "-mFr", state.root, "-c", binpolicy, fc, state.root], env=state.config.environment) def need_build_packages(config: MkosiConfig) -> bool:
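Review bot: The `try` around `next(binpolicydir.iterdir())` only catches `StopIteration`, so when the image has `/etc/selinux/<policy>/` but no `policy/` subdirectory (or it is a plain file) `iterdir()` raises `FileNotFoundError`/`NotADirectoryError` and the `die(...)` message is never reached; widen it to `except (StopIteration, FileNotFoundError, NotADirectoryError):`. `iterdir()` order is also filesystem-dependent, so if a stale `policy.31` sits next to `policy.33` after a policy upgrade the `-c` check may run against the old policy — selecting the highest version, e.g. `binpolicy = max(binpolicydir.glob("policy.*"), key=lambda p: int(p.suffix[1:]), default=None)` followed by the existing `die` on `None`, makes the choice deterministic. The new `shutil.which("setfiles")` fallback logs at info level while leaving the image unlabelled, which in an enforcing-mode image is a security-relevant outcome rather than a cosmetic one, so `logging.warning` seems more appropriate. Because setfiles now runs on the host, the host's libsepol presumably has to understand the image's policy version, a constraint the old in-chroot invocation did not have; that is worth a sentence in the comment on the `policy.XX` line. `run_selinux_relabel` starts before the hunk (the `policy` lookup is outside the visible lines).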