Merge pull request #3151 from mvo5/selinux-labels-on-non-selinux-hosts

libostree: write selinux xattr when on non-selinux systems
This commit is contained in:
Colin Walters 2024-02-08 16:46:22 -05:00 committed by GitHub
commit 751ec9082e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 25 additions and 4 deletions

View File

@ -35,7 +35,9 @@ jobs:
- name: bootc install
run: |
set -xeuo pipefail
sudo podman run --rm -ti --privileged -v /:/target --pid=host --security-opt label=disable \
sudo podman run --env BOOTC_SKIP_SELINUX_HOST_CHECK=1 --rm -ti --privileged -v /:/target --pid=host --security-opt label=disable \
-v /var/lib/containers:/var/lib/containers \
localhost/test:latest bootc install to-filesystem --skip-fetch-check \
--disable-selinux --replace=alongside /target
--replace=alongside /target
# Verify labeling for /etc
sudo ls -dZ /ostree/deploy/default/deploy/*.0/etc |grep :etc_t:

View File

@ -195,7 +195,7 @@ create_file_copy_from_input_at (OstreeRepo *repo, OstreeRepoCheckoutAtOptions *o
g_autoptr (GVariant) modified_xattrs = NULL;
/* If we're doing SELinux labeling, prepare it */
if (sepolicy_enabled)
if (sepolicy_enabled && ostree_sepolicy_host_enabled (options->sepolicy))
{
/* If doing sepolicy path-based labeling, we don't want to set the
* security.selinux attr via the generic xattr paths in either the symlink
@ -1045,7 +1045,7 @@ checkout_tree_at_recurse (OstreeRepo *self, OstreeRepoCheckoutAtOptions *options
};
/* If we're doing SELinux labeling, prepare it */
if (sepolicy_enabled)
if (sepolicy_enabled && ostree_sepolicy_host_enabled (options->sepolicy))
{
/* We'll set the xattr via setfscreatecon(), so don't do it via generic xattrs below. */
modified_xattrs = _ostree_filter_selinux_xattr (xattrs);

View File

@ -753,3 +753,19 @@ _ostree_filter_selinux_xattr (GVariant *xattrs)
return NULL;
return g_variant_ref_sink (g_variant_builder_end (&builder));
}
/**
* ostree_sepolicy_host_enabled:
* @self: Policy
*
* Return if the host has selinux enabled
*/
gboolean
ostree_sepolicy_host_enabled (OstreeSePolicy *self)
{
#ifdef HAVE_SELINUX
return cached_is_selinux_enabled ();
#else
return FALSE;
#endif
}

View File

@ -77,4 +77,7 @@ void ostree_sepolicy_fscreatecon_cleanup (void **unused);
#define ostree_cleanup_sepolicy_fscreatecon \
__attribute__ ((cleanup (ostree_sepolicy_fscreatecon_cleanup)))
_OSTREE_PUBLIC
gboolean ostree_sepolicy_host_enabled (OstreeSePolicy *self);
G_END_DECLS