Add flag to make SELinux label failure fatal, add hack for /proc

I was working on `rpm-ostree livefs` which does some ostree-based
filesystem diffs, and noticed that we were ending up with `/proc`
not being labeled in our base trees.

Reading the selinux-policy source, indeed we have:

```
/proc			-d	<<none>>
/proc/.*			<<none>>
```

This dates pretty far back.  We really don't want unlabeled
content in ostree.  In this case it's mostly OK since the kernel
will assign a label, but again *everything* should be labeled via
OSTree so that it's all consistent, which will fix `ostree diff`.

Notably, `/proc` is the *only* file path that isn't covered when composing a
Fedora Atomic Host. So I added a hack here to hardcode it (although I'm a bit
uncertain about whether it should really be `proc_t` on disk before systemd
mounts or not).

Out of conservatism, I made this a flag, so if we hit issues down the line, we
could easily change rpm-ostree to stumble on as it did before.

Closes: #768
Approved by: jlebon

src/libostree/ostree-repo-commit.c

@@ -2309,7 +2309,11 @@ get_modified_xattrs (OstreeRepo                       *self,
                                       &label, cancellable, error))
         return FALSE;
 
-      if (label)
+      if (!label && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED) > 0)
+        {
+          return glnx_throw (error, "Failed to look up SELinux label for '%s'", relpath);
+        }
+      else if (label)
         {
           g_autoptr(GVariantBuilder) builder = NULL;
 

src/libostree/ostree-repo.h

@@ -537,12 +537,14 @@ typedef OstreeRepoCommitFilterResult (*OstreeRepoCommitFilter) (OstreeRepo    *r
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS: Do not process extended attributes
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES: Generate size information.
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS: Canonicalize permissions for bare-user-only mode.
+ * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED: Emit an error if configured SELinux policy does not provide a label
  */
 typedef enum {
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_NONE = 0,
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS = (1 << 0),
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES = (1 << 1),
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS = (1 << 2),
+  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3),
 } OstreeRepoCommitModifierFlags;
 
 /**

src/libostree/ostree-sepolicy.c

@@ -526,35 +526,34 @@ ostree_sepolicy_get_label (OstreeSePolicy    *self,
                            GError          **error)
 {
 #ifdef HAVE_SELINUX
-  gboolean ret = FALSE;
-  int res;
-  char *con = NULL;
+  /* Early return if no policy */
+  if (!self->selinux_hnd)
+    return TRUE;
 
-  if (self->selinux_hnd)
+  /* http://marc.info/?l=selinux&m=149082134430052&w=2
+   * https://github.com/ostreedev/ostree/pull/768
+   */
+  if (strcmp (relpath, "/proc") == 0)
+    relpath = "/mnt";
+
+  char *con = NULL;
+  int res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
+  if (res != 0)
     {
-      res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
-      if (res != 0)
-        {
-          if (errno != ENOENT)
-            {
-              glnx_set_error_from_errno (error);
-              goto out;
-            }
-        }
+      if (errno == ENOENT)
+        *out_label = NULL;
       else
-        {
-          /* Ensure we consistently allocate with g_malloc */
-          *out_label = g_strdup (con);
-          freecon (con);
-        }
+        return glnx_throw_errno (error);
+    }
+  else
+    {
+      /* Ensure we consistently allocate with g_malloc */
+      *out_label = g_strdup (con);
+      freecon (con);
     }
 
-  ret = TRUE;
- out:
-  return ret;
-#else
-  return TRUE;
 #endif
+  return TRUE;
 }
 
 /**