From 6d39cfa78fd8c48cfa996374e4d70fa5d9e915af Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Fri, 2 Nov 2018 09:48:34 -0400
Subject: [PATCH] compose: Don't require SELinux policy in legacy path

In #1630, we lowered SELinux policy loading into the core. However, this also enabled SELinux policy loading from the host system even in the legacy (non-unified) compose path. This meant that compose systems now needed to have the policy installed even though we didn't need it at all. This caused regressions in pungi: https://pagure.io/dusty/failed-composes/issue/956 Just make the binding of the "selinux" member conditional on whether or not we're in unified mode (which is really when we even care about having it loaded from the start for pkgcache purposes).

Closes: #1656
Approved by: cgwalters
---
 src/app/rpmostree-compose-builtin-rojig.c | 1 +
 src/app/rpmostree-compose-builtin-tree.c | 1 +
 src/app/rpmostree-composeutil.c | 16 ++++++++++++++--
 src/app/rpmostree-composeutil.h | 1 +
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/app/rpmostree-compose-builtin-rojig.c b/src/app/rpmostree-compose-builtin-rojig.c
index 44db1fc5..dadbc09e 100644
--- a/src/app/rpmostree-compose-builtin-rojig.c
+++ b/src/app/rpmostree-compose-builtin-rojig.c
@@ -303,6 +303,7 @@ rpm_ostree_rojig_compose_new (const char *treefile_path,
 self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
 self->treefile_rs,
 self->treefile,
+ TRUE,
 error);
 *out_context = g_steal_pointer (&self);
diff --git a/src/app/rpmostree-compose-builtin-tree.c b/src/app/rpmostree-compose-builtin-tree.c
index 0bc25a06..a372ccd0 100644
--- a/src/app/rpmostree-compose-builtin-tree.c
+++ b/src/app/rpmostree-compose-builtin-tree.c
@@ -576,6 +576,7 @@ rpm_ostree_compose_context_new (const char *treefile_pathstr,
 self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
 self->treefile_rs,
 self->treefile,
+ opt_unified_core,
 error);
 if (!self->treespec)
 return FALSE;
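Review bot: The new `TRUE` argument in the rpmostree_composeutil_get_treespec call in rpmostree-compose-builtin-rojig.c is a bare boolean among five positional parameters, so a reader of this call site cannot tell what is being enabled without opening rpmostree-composeutil.h; writing it as `/* bind_selinux */ TRUE,` keeps the intent visible here. The constant presumably encodes that the rojig path always runs with the unified core, which is the condition the compose-tree call site passes as `opt_unified_core`; if so, a one-line comment saying that would keep the two call sites from drifting apart when the unified-core option changes. The body of rpm_ostree_rojig_compose_new begins before and continues after the hunk.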
diff --git a/src/app/rpmostree-composeutil.c b/src/app/rpmostree-composeutil.c
index bae857f9..544a4790 100644
--- a/src/app/rpmostree-composeutil.c
+++ b/src/app/rpmostree-composeutil.c
@@ -242,6 +242,7 @@ RpmOstreeTreespec *
 rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 RORTreefile *treefile_rs,
 JsonObject *treedata,
+ gboolean bind_selinux,
 GError **error)
 {
 GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error);
@@ -256,8 +257,6 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 return FALSE;
 if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error))
 return FALSE;
- if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
- return FALSE;
 if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error))
 return FALSE;
 { const char *releasever;
@@ -268,6 +267,19 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 g_key_file_set_string (treespec, "tree", "releasever", releasever);
 }
+ if (bind_selinux)
+ {
+ if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
+ return FALSE;
+ }
+ else
+ {
+ /* In the legacy compose path, we don't want to use any of the core's selinux stuff,
+ * e.g. importing, relabeling, etc... so just disable it. We do still set the policy
+ * to the final one right before commit as usual. */
+ g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);
+ }
 const char *input_ref = NULL;
 if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error))
 return FALSE;
diff --git a/src/app/rpmostree-composeutil.h b/src/app/rpmostree-composeutil.h
index f11bdda4..11a19328 100644
--- a/src/app/rpmostree-composeutil.h
+++ b/src/app/rpmostree-composeutil.h
@@ -47,6 +47,7 @@ RpmOstreeTreespec *
 rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 RORTreefile *treefile_rs,
 JsonObject *treedata,
+ gboolean bind_selinux,
 GError **error);
 GHashTable *
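Review bot: In the `else` branch of the added `if (bind_selinux)` block in rpmostree-composeutil.c, `g_key_file_set_boolean (treespec, "tree", "selinux", FALSE)` writes the treespec without consulting treedata, so on the legacy path a `"selinux"` member in the treefile is neither bound nor validated by this function, whereas the unified path presumably rejects a malformed value through treespec_bind_bool. That matches the commit's intent, but it is a silent divergence between the two modes that the in-line comment does not spell out; extending it with `/* The treefile's own "selinux" member is intentionally not read here. */` would stop a later reader from assuming the key still flows through on this path. Separately, the new `return FALSE;` sits in a function declared in the signature hunk above as returning `RpmOstreeTreespec *`; it follows the surrounding code, but `return NULL;` is the type-correct form for the lines this commit adds. rpmostree_composeutil_get_treespec begins before and ends after this hunk.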
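Review bot: The new `bind_selinux` parameter on the rpmostree_composeutil_get_treespec declaration in rpmostree-composeutil.h is undocumented, and its effect is not a plain toggle: per the composeutil.c hunk, FALSE does not merely skip binding, it forces `tree.selinux` to FALSE in the returned treespec. A comment above the declaration should state both halves, e.g. `/* bind_selinux: TRUE binds the treefile's "selinux" member into the treespec (unified core); FALSE ignores that member and sets selinux=FALSE, for the legacy compose path. */`. The rest of the header's declaration block lies outside the hunk.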