libostree: write selinux xattr when on non-selinux systems

Currently, when writing data for SELinux systems on a non-SELinux
system, there will be no labels. This is because
`ostree_sepolicy_setfscreatecon()` just returns TRUE on non-SELinux
systems, and xattr writing for `security.selinux` is filtered out.

This patch uses the suggestion of Colin Walters (thanks!) from
https://github.com/ostreedev/ostree/issues/2804: it detects whether
the host has SELinux enabled and, if not, skips filtering the
SELinux xattrs so the label from the commit is written as a regular xattr.
Michael Vogt 2024-01-31 18:02:24 +01:00
parent da89214065
commit 092a2b736d
3 changed files with 21 additions and 2 deletions


@ -195,7 +195,7 @@ create_file_copy_from_input_at (OstreeRepo *repo, OstreeRepoCheckoutAtOptions *o
g_autoptr (GVariant) modified_xattrs = NULL; g_autoptr (GVariant) modified_xattrs = NULL;
/* If we're doing SELinux labeling, prepare it */ /* If we're doing SELinux labeling, prepare it */
if (sepolicy_enabled) if (sepolicy_enabled && ostree_sepolicy_host_enabled (options->sepolicy))
{ {
/* If doing sepolicy path-based labeling, we don't want to set the /* If doing sepolicy path-based labeling, we don't want to set the
* security.selinux attr via the generic xattr paths in either the symlink * security.selinux attr via the generic xattr paths in either the symlink
@ -1045,7 +1045,7 @@ checkout_tree_at_recurse (OstreeRepo *self, OstreeRepoCheckoutAtOptions *options
}; };
/* If we're doing SELinux labeling, prepare it */ /* If we're doing SELinux labeling, prepare it */
if (sepolicy_enabled) if (sepolicy_enabled && ostree_sepolicy_host_enabled (options->sepolicy))
{ {
/* We'll set the xattr via setfscreatecon(), so don't do it via generic xattrs below. */ /* We'll set the xattr via setfscreatecon(), so don't do it via generic xattrs below. */
modified_xattrs = _ostree_filter_selinux_xattr (xattrs); modified_xattrs = _ostree_filter_selinux_xattr (xattrs);
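Review bot: The comments above both changed conditions are now stale: `/* If we're doing SELinux labeling, prepare it */` and the explanation below it still read as if every sepolicy-enabled checkout labels through setfscreatecon(), but with the added `ostree_sepolicy_host_enabled (options->sepolicy)` test a host without SELinux now skips this branch and the commit's `security.selinux` value is written through the generic xattr path instead. I would reword the lead comment in both hunks to `/* On an SELinux-enabled host, label via setfscreatecon(); otherwise leave security.selinux in the generic xattrs so the stored label still lands on disk */`. Whether that generic write succeeds for an unprivileged caller on a non-SELinux kernel is presumably a kernel and filesystem question (security.* names are generally privileged when no LSM claims them), and nothing in these hunks checks or documents that outcome, so a sentence in the commit message or a test on such a host would be worthwhile. Both enclosing functions, create_file_copy_from_input_at and checkout_tree_at_recurse, start and end outside these hunks.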


@ -753,3 +753,19 @@ _ostree_filter_selinux_xattr (GVariant *xattrs)
return NULL; return NULL;
return g_variant_ref_sink (g_variant_builder_end (&builder)); return g_variant_ref_sink (g_variant_builder_end (&builder));
} }
/**
* ostree_sepolicy_host_enabled:
* @self: Policy
*
* Return if the host has selinux enabled
*/
gboolean
ostree_sepolicy_host_enabled (OstreeSePolicy *self)
{
#ifdef HAVE_SELINUX
return cached_is_selinux_enabled ();
#else
return FALSE;
#endif
}
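Review bot: `ostree_sepolicy_host_enabled` never reads its `self` argument (both preprocessor branches return without touching it), yet the gtk-doc block documents `@self: Policy` as though the answer depended on the policy object and carries no `Returns:` line. I would make the contract explicit with `@self: Policy (currently unused; the result describes the running kernel, not the policy)` and `Returns: %TRUE if SELinux is enabled on the host, always %FALSE when libostree is built without SELinux support`, plus a `Since:` tag since this is new public API. Because `self` is unused, a NULL `options->sepolicy` from the checkout callers is harmless today, but that is an accident of the implementation rather than a documented guarantee, so the comment should say so. `cached_is_selinux_enabled()` is defined outside this hunk, so I cannot tell whether it caches a failed `is_selinux_enabled()` probe as "disabled"; if it does, that edge is worth a comment here as well.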


@ -77,4 +77,7 @@ void ostree_sepolicy_fscreatecon_cleanup (void **unused);
#define ostree_cleanup_sepolicy_fscreatecon \ #define ostree_cleanup_sepolicy_fscreatecon \
__attribute__ ((cleanup (ostree_sepolicy_fscreatecon_cleanup))) __attribute__ ((cleanup (ostree_sepolicy_fscreatecon_cleanup)))
_OSTREE_PUBLIC
gboolean ostree_sepolicy_host_enabled (OstreeSePolicy *self);
G_END_DECLS G_END_DECLS
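Review bot: Marking `ostree_sepolicy_host_enabled` with `_OSTREE_PUBLIC` adds it to the library's exported ABI, but the diffstat shows only three files touched, so if libostree tracks exported symbols in a linker version script (I believe it does via a `.sym` file, though that is not visible here) the name still needs an entry in the current-release section or the symbol will not actually be exported from the shared object. The declaration also has no comment, while callers pass `options->sepolicy` which may be NULL; a one-liner above the prototype such as `/* Whether the running host has SELinux enabled; @self is currently unused and may be NULL */` would tell header readers what the function keys on.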