diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c index 446dd4ab..00db9f0a 100644 --- a/src/libostree/ostree-sysroot.c +++ b/src/libostree/ostree-sysroot.c @@ -26,6 +26,7 @@ #include #include "ostree-core-private.h" +#include "ostree-sepolicy-private.h" #include "ostree-sysroot-private.h" #include "ostree-deployment-private.h" #include "ostree-bootloader-uboot.h" @@ -1691,6 +1692,7 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self, GError **error) { gboolean ret = FALSE; + glnx_unref_object OstreeSePolicy *sepolicy = NULL; OstreeDeploymentUnlockedState current_unlocked = ostree_deployment_get_unlocked (deployment); glnx_unref_object OstreeDeployment *deployment_clone = @@ -1738,6 +1740,10 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self, if (!glnx_opendirat (self->sysroot_fd, deployment_path, TRUE, &deployment_dfd, error)) goto out; + sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error); + if (!sepolicy) + goto out; + switch (unlocked_state) { case OSTREE_DEPLOYMENT_UNLOCKED_NONE: @@ -1765,8 +1771,16 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self, const char *development_ovl_upper; const char *development_ovl_work; - if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0700, error)) - goto out; + /* Ensure that the directory is created with the same label as `/usr` */ + { g_auto(OstreeSepolicyFsCreatecon) con = { 0, }; + + if (!_ostree_sepolicy_preparefscreatecon (&con, sepolicy, + "/usr", 0755, error)) + goto out; + + if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0755, error)) + goto out; + } development_ovl_upper = glnx_strjoina (development_ovldir, "/upper"); if (!glnx_shutil_mkdir_p_at (AT_FDCWD, development_ovl_upper, 0755, cancellable, error))