From 64558e6cd92fa914296a547553df2c5e51decb03 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 20 Jul 2023 12:39:54 +0200
Subject: [PATCH] Rework selinux labelling

Let's run setfiles on the host instead of inside the image. To make this work, we have to explicitly tell it to use the binary policy from the image to check contexts against.

---
mkosi/__init__.py | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 570b150c5..90ab69446 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1579,19 +1579,22 @@ def run_selinux_relabel(state: MkosiState) -> None: if not policy: return - fc = Path('/etc/selinux') / policy / 'contexts/files/file_contexts' + if not shutil.which("setfiles"): + logging.info("setfiles is not installed, not relabeling files") + return + + fc = state.root / "etc/selinux" / policy / "contexts/files/file_contexts" + binpolicydir = state.root / "etc/selinux" / policy / "policy" - # We want to be able to relabel the underlying APIVFS mountpoints, so mount root non-recursive to a - # temporary location so that the underlying mountpoints become visible. - cmd = f"mkdir /tmp/relabel && mount --bind / /tmp/relabel && exec setfiles -m -r /tmp/relabel -F {fc} /tmp/relabel || exit $?" + try: + # The policy file is named policy.XX where XX is the policy version that indicates what features are + # available. It's not expected for there to be more than one file in this directory. + binpolicy = next(binpolicydir.iterdir()) + except StopIteration: + die(f"SELinux binary policy not found in {binpolicydir}") with complete_step(f"Relabeling files using {policy} policy"): - bwrap( - cmd=["chroot", "sh", "-c", cmd], - apivfs=state.root, - scripts=dict(chroot=chroot_cmd(state.root)), - env=state.config.environment, - ) + run(["setfiles", "-mFr", state.root, "-c", binpolicy, fc, state.root], env=state.config.environment) def need_build_packages(config: MkosiConfig) -> bool: -- 2.47.2
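Review bot: The `except StopIteration` around `next(binpolicydir.iterdir())` only handles an empty `policy/` directory; when that directory is absent (policy package not installed, or a different layout), `iterdir()` raises `FileNotFoundError` and the user gets a traceback instead of the `die()` message. `next()` also returns whichever entry the filesystem lists first, so if more than one `policy.XX` is present the version handed to `-c` is arbitrary rather than the newest. Selecting via `sorted(binpolicydir.glob("policy.*"), ...)` with an explicit emptiness check covers both cases, as below. Since `setfiles` now runs unsandboxed on the host and parses the image-supplied `file_contexts` and binary policy, it is worth stating the implicit compatibility assumption next to the `run(...)` call, e.g. `# Assumes the host's setfiles/libsepol can read the image's policy.XX version; -c fails otherwise.` The start of run_selinux_relabel, where `policy` is assigned, lies above the hunk.
```python
    binpolicydir = state.root / "etc/selinux" / policy / "policy"
    # The policy file is named policy.XX where XX is the policy version that indicates what features are
    # available. Normally there is exactly one; if several are present, prefer the highest version.
    # (A missing directory simply yields no matches instead of raising.)
    binpolicies = sorted(binpolicydir.glob("policy.*"), key=lambda p: (len(p.name), p.name))
    if not binpolicies:
        die(f"SELinux binary policy not found in {binpolicydir}")
    binpolicy = binpolicies[-1]

    # … unchanged: complete_step() and the run(["setfiles", ...]) call …
```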