From 55696824df5908cfe95ad9c7d291f38f9ae84fda Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Fri, 2 Nov 2018 15:10:38 -0400
Subject: [PATCH] compose: Use previous sepolicy if available

Rather than defaulting to the host system's SELinux policy, we can be much more efficient here if we instead use the policy of the last commit if available. Likely, the pkgcache is currently labeled with that policy, which means we skip the relabeling phase before checkout. But also, if the policy didn't change at all in the new rootfs, we also skip the second relabeling phase after assembly.

Closes: #1659
Approved by: cgwalters
---
 src/app/rpmostree-compose-builtin-tree.c | 33 ++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/app/rpmostree-compose-builtin-tree.c b/src/app/rpmostree-compose-builtin-tree.c
index b51d9fce..cc08a152 100644
--- a/src/app/rpmostree-compose-builtin-tree.c
+++ b/src/app/rpmostree-compose-builtin-tree.c
@@ -229,6 +229,39 @@ install_packages (RpmOstreeTreeComposeContext *self,
   if (!rpmostree_context_setup (self->corectx, tmprootfs_abspath, NULL, self->treespec,
                                 cancellable, error))
     return FALSE;
+
+#define TMP_SELINUX_ROOTFS "selinux.tmp/etc/selinux"
+
+  gboolean selinux = TRUE;
+  if (!_rpmostree_jsonutil_object_get_optional_boolean_member (self->treefile, "selinux", &selinux, error))
+    return FALSE;
+
+  /* By default, the core starts with the SELinux policy of the root, but if we have a
+   * previous commit, it's much likelier that its policy will be closer to the final
+   * policy than the host system's policy. And in the case they match, we skip a full
+   * relabeling phase. Let's use that instead. */
+  if (selinux && self->previous_checksum)
+    {
+      if (!glnx_shutil_mkdir_p_at (self->workdir_dfd,
+                                   dirname (strdupa (TMP_SELINUX_ROOTFS)), 0755,
+                                   cancellable, error))
+        return FALSE;
+      OstreeRepoCheckoutAtOptions opts = { .subpath = "/usr/etc/selinux" };
+      if (!ostree_repo_checkout_at (self->repo, &opts, self->workdir_dfd,
+                                    TMP_SELINUX_ROOTFS, self->previous_checksum,
+                                    cancellable, error))
+        return FALSE;
+
+      g_autofree char *abspath = glnx_fdrel_abspath (self->workdir_dfd, "selinux.tmp");
+      g_autoptr(GFile) path = g_file_new_for_path (abspath);
+      g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new (path, cancellable, error);
+      if (sepolicy == NULL)
+        return FALSE;
+
+      rpmostree_context_set_sepolicy (self->corectx, sepolicy);
+    }
+
+#undef TMP_SELINUX_ROOTFS
 }
 
 /* For unified core, we have a pkgcache repo. This may be auto-created under
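Review bot: The `selinux.tmp` checkout is left in the workdir after `sepolicy` has been built from it, and `opts` leaves `overwrite_mode` at its default, so if `workdir_dfd` is ever reused a second `ostree_repo_checkout_at` into `TMP_SELINUX_ROOTFS` would fail on the already-present tree instead of refreshing it — either remove the temporary tree once `rpmostree_context_set_sepolicy` has been called, or add a comment stating that the workdir is always fresh, whichever holds. The parent path is also spelled twice, once derived via `dirname (strdupa (TMP_SELINUX_ROOTFS))` and once as the literal `"selinux.tmp"` passed to `glnx_fdrel_abspath`; a pair of macros, `#define TMP_SELINUX_ROOT "selinux.tmp"` and `#define TMP_SELINUX_ROOTFS TMP_SELINUX_ROOT "/etc/selinux"`, lets both the mkdir and the abspath call use `TMP_SELINUX_ROOT` and drops the GNU-only `strdupa`. Because `sepolicy` is released by `g_autoptr` at the end of the block, this code relies on `rpmostree_context_set_sepolicy` taking its own reference, which cannot be confirmed from the hunk. install_packages begins above the hunk.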