compose: Use previous sepolicy if available

Rather than defaulting to the host system's SELinux policy, we can be much more efficient here if we instead use the policy of the last commit if available. Likely, the pkgcache is currently labeled with that policy, which means we skip the relabeling phase before checkout. But also, if the policy didn't change at all in the new rootfs, we also skip the second relabeling phase after assembly. Closes: #1659 Approved by: cgwalters
2018-11-02 15:10:38 -04:00 · 2018-11-02 15:10:38 -04:00 · 55696824df
commit 55696824df
parent ef587b5c5b
1 changed files with 33 additions and 0 deletions
--- a/src/app/rpmostree-compose-builtin-tree.c
+++ b/src/app/rpmostree-compose-builtin-tree.c
@ -229,6 +229,39 @@ install_packages (RpmOstreeTreeComposeContext  *self,
    if (!rpmostree_context_setup (self->corectx, tmprootfs_abspath, NULL, self->treespec,
                                  cancellable, error))
      return FALSE;
+
+#define TMP_SELINUX_ROOTFS "selinux.tmp/etc/selinux"
+
+    gboolean selinux = TRUE;
+    if (!_rpmostree_jsonutil_object_get_optional_boolean_member (self->treefile, "selinux", &selinux, error))
+      return FALSE;
+
+    /* By default, the core starts with the SELinux policy of the root, but if we have a
+     * previous commit, it's much likelier that its policy will be closer to the final
+     * policy than the host system's policy. And in the case they match, we skip a full
+     * relabeling phase. Let's use that instead. */
+    if (selinux && self->previous_checksum)
+      {
+        if (!glnx_shutil_mkdir_p_at (self->workdir_dfd,
+                                     dirname (strdupa (TMP_SELINUX_ROOTFS)), 0755,
+                                     cancellable, error))
+          return FALSE;
+        OstreeRepoCheckoutAtOptions opts = { .subpath = "/usr/etc/selinux" };
+        if (!ostree_repo_checkout_at (self->repo, &opts, self->workdir_dfd,
+                                      TMP_SELINUX_ROOTFS, self->previous_checksum,
+                                      cancellable, error))
+          return FALSE;
+
+        g_autofree char *abspath = glnx_fdrel_abspath (self->workdir_dfd, "selinux.tmp");
+        g_autoptr(GFile) path = g_file_new_for_path (abspath);
+        g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new (path, cancellable, error);
+        if (sepolicy == NULL)
+          return FALSE;
+
+        rpmostree_context_set_sepolicy (self->corectx, sepolicy);
+      }
+
+#undef TMP_SELINUX_ROOTFS
  }

  /* For unified core, we have a pkgcache repo. This may be auto-created under