From fc27c6ba2b90e595d652f30360467a2a909366fa Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 29 Mar 2019 02:03:53 +0000
Subject: [PATCH] core: Add a hack for /etc/selinux/config and %pre I'm not very proud of this code, but I'm also not yet convinced that we should rework things to re-interleave pre/post for just this one thing. Particularly when there's a patch to fix it that just needs to be applied: https://src.fedoraproject.org/rpms/selinux-policy/pull-request/16# But practically speaking this fixes using `coreos-assembler` for me with Silverblue and `tpm2-abrmd-selinux`. Closes: https://github.com/projectatomic/rpm-ostree/issues/1804 Closes: #1806 Approved by: jlebon
---
 src/libpriv/rpmostree-core.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
index 1d1b87cc..bba8f36d 100644
--- a/src/libpriv/rpmostree-core.c
+++ b/src/libpriv/rpmostree-core.c
@@ -4035,6 +4035,25 @@ rpmostree_context_assemble (RpmOstreeContext *self,
 &var_lib_rpm_statedir, error))
 return FALSE;
+ /* Workaround for https://github.com/projectatomic/rpm-ostree/issues/1804 */
+ gboolean created_etc_selinux_config = FALSE;
+ static const char usr_etc_selinux_config[] = "usr/etc/selinux/config";
+ if (!glnx_fstatat_allow_noent (tmprootfs_dfd, "usr/etc/selinux", NULL, 0, error))
+ return FALSE;
+ if (errno == 0)
+ {
+ if (!glnx_fstatat_allow_noent (tmprootfs_dfd, usr_etc_selinux_config, NULL, 0, error))
+ return FALSE;
+ if (errno == ENOENT)
+ {
+ if (!glnx_file_replace_contents_at (tmprootfs_dfd, usr_etc_selinux_config, (guint8*)"", 0,
+ GLNX_FILE_REPLACE_NODATASYNC,
+ cancellable, error))
+ return FALSE;
+ created_etc_selinux_config = TRUE;
+ }
+ }
+
 /* We're technically deviating from RPM here by running all the %pre's
 * beforehand, rather than each package's %pre & %post in order. Though I
 * highly doubt this should cause any issues. The advantage of doing it
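Review bot: Both `glnx_fstatat_allow_noent` probes pass flags `0`, so a symlink as the final component of `usr/etc/selinux` or `usr/etc/selinux/config` is followed instead of being inspected itself. An absolute link target would then resolve against the process root rather than the tmprootfs, and a dangling link reads as ENOENT, after which the placeholder write presumably replaces the link and the later unlink removes it. Because this tree is populated from package content, the probes should look at the entry itself, e.g. `glnx_fstatat_allow_noent (tmprootfs_dfd, usr_etc_selinux_config, NULL, AT_SYMLINK_NOFOLLOW, error)`. rpmostree_context_assemble starts and ends outside this hunk, so whether an earlier step already rules out such links cannot be confirmed from here.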
@@ -4062,6 +4081,13 @@ rpmostree_context_assemble (RpmOstreeContext *self,
 rpmostree_output_progress_end_msg (&task, "%u done", n_pre_scripts_run);
 }
+ /* Now undo our hack above */
+ if (created_etc_selinux_config)
+ {
+ if (!glnx_unlinkat (tmprootfs_dfd, usr_etc_selinux_config, 0, error))
+ return FALSE;
+ }
+
 if (faccessat (tmprootfs_dfd, "etc/passwd", F_OK, 0) == 0)
 {
 g_autofree char *contents =
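Review bot: The undo assumes the path still holds the zero-length placeholder and that control always reaches this point, and neither is guaranteed by the visible code. If a %pre script removed or renamed the file, `glnx_unlinkat` fails with ENOENT and aborts the whole assemble; if a script wrote a real config into it, that content is silently deleted. Any `return FALSE` between the placeholder's creation and here (that code is outside the hunk, presumably the %pre failure paths) also leaves the empty `usr/etc/selinux/config` in the tmprootfs, which matters if that tree is ever reused after a failure. At minimum tolerate a missing file, `if (unlinkat (tmprootfs_dfd, usr_etc_selinux_config, 0) < 0 && errno != ENOENT) return glnx_throw_errno_prefix (error, "unlinkat");`, and add a comment stating that script-written content is intentionally discarded. rpmostree_context_assemble starts and ends outside this hunk.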