compose: Don't require SELinux policy in legacy path

In #1630, we lowered SELinux policy loading into the core. However, this
also enabled SELinux policy loading from the host system even in the
legacy (non-unified) compose path. This meant that compose systems now
needed to have the policy installed even though we didn't need it at
all. This caused regressions in pungi:

https://pagure.io/dusty/failed-composes/issue/956

Just make the binding of the "selinux" member conditional on whether or
not we're in unified mode (which is really when we even care about
having it loaded from the start for pkgcache purposes).

Closes: #1656
Approved by: cgwalters
Jonathan Lebon 2018-11-02 09:48:34 -04:00 committed by Atomic Bot
parent 79d4e52d99
commit 6d39cfa78f
4 changed files with 17 additions and 2 deletions


@ -303,6 +303,7 @@ rpm_ostree_rojig_compose_new (const char *treefile_path,
self->treespec = rpmostree_composeutil_get_treespec (self->corectx, self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
self->treefile_rs, self->treefile_rs,
self->treefile, self->treefile,
TRUE,
error); error);
*out_context = g_steal_pointer (&self); *out_context = g_steal_pointer (&self);
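Review bot: As rendered, the result of `rpmostree_composeutil_get_treespec` is stored in `self->treespec` and the very next line hands `self` to `*out_context`, with no failure check in between. The other caller, `rpm_ostree_compose_context_new`, follows the same call with `if (!self->treespec) return FALSE;`, and the same check belongs here, since this caller passes `TRUE` and so takes the `treespec_bind_bool` path that can return an error. The bare literal would also read better as `TRUE, /* bind_selinux */`. The enclosing function starts and ends outside the hunk.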


@ -576,6 +576,7 @@ rpm_ostree_compose_context_new (const char *treefile_pathstr,
self->treespec = rpmostree_composeutil_get_treespec (self->corectx, self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
self->treefile_rs, self->treefile_rs,
self->treefile, self->treefile,
opt_unified_core,
error); error);
if (!self->treespec) if (!self->treespec)
return FALSE; return FALSE;


@ -242,6 +242,7 @@ RpmOstreeTreespec *
rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx, rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
RORTreefile *treefile_rs, RORTreefile *treefile_rs,
JsonObject *treedata, JsonObject *treedata,
gboolean bind_selinux,
GError **error) GError **error)
{ {
GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error); GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error);
@ -256,8 +257,6 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
return FALSE; return FALSE;
if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error)) if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error))
return FALSE; return FALSE;
if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
return FALSE;
if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error)) if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error))
return FALSE; return FALSE;
{ const char *releasever; { const char *releasever;
@ -268,6 +267,19 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
g_key_file_set_string (treespec, "tree", "releasever", releasever); g_key_file_set_string (treespec, "tree", "releasever", releasever);
} }
if (bind_selinux)
{
if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
return FALSE;
}
else
{
/* In the legacy compose path, we don't want to use any of the core's selinux stuff,
* e.g. importing, relabeling, etc... so just disable it. We do still set the policy
* to the final one right before commit as usual. */
g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);
}
const char *input_ref = NULL; const char *input_ref = NULL;
if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error)) if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error))
return FALSE; return FALSE;
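Review bot: In the `else` branch, `g_key_file_set_boolean (treespec, "tree", "selinux", FALSE)` overwrites the key without consulting `treedata`, so in the legacy path this function no longer reads or type-checks the treefile's "selinux" member, and a malformed value that `treespec_bind_bool` would presumably have rejected now passes silently here. Correct labeling of a legacy commit therefore rests entirely on the later policy step the comment mentions, which is outside this hunk; a test asserting that a legacy compose still produces labeled content would guard that dependency. The new `bind_selinux` parameter is also undocumented; a comment above the function such as `/* @bind_selinux: bind the treefile's "selinux" member into the treespec; when FALSE the treespec gets selinux=false and labeling is left to the caller */` would make the contract explicit. The function body starts and ends outside the hunks shown.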


@ -47,6 +47,7 @@ RpmOstreeTreespec *
rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx, rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
RORTreefile *treefile_rs, RORTreefile *treefile_rs,
JsonObject *treedata, JsonObject *treedata,
gboolean bind_selinux,
GError **error); GError **error);
GHashTable * GHashTable *