From a88881039eef1e3db32f5cf0972099280cbe4227 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Mon, 27 Mar 2017 17:31:06 -0400
Subject: [PATCH] sysroot/unlock: Ensure overlay label on /usr is `usr_t`

Otherwise, we get `tmp_t` by default which can break a lot of things; we noticed
this with `atomic scan`.

Closes: https://github.com/ostreedev/ostree/issues/762

Closes: #763
Approved by: rhatdan
---
 src/libostree/ostree-sysroot.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
index 446dd4ab..00db9f0a 100644
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@@ -26,6 +26,7 @@
 #include <sys/wait.h>
 
 #include "ostree-core-private.h"
+#include "ostree-sepolicy-private.h"
 #include "ostree-sysroot-private.h"
 #include "ostree-deployment-private.h"
 #include "ostree-bootloader-uboot.h"
@@ -1691,6 +1692,7 @@ ostree_sysroot_deployment_unlock (OstreeSysroot     *self,
                                   GError           **error)
 {
   gboolean ret = FALSE;
+  glnx_unref_object OstreeSePolicy *sepolicy = NULL;
   OstreeDeploymentUnlockedState current_unlocked =
     ostree_deployment_get_unlocked (deployment); 
   glnx_unref_object OstreeDeployment *deployment_clone =
@@ -1738,6 +1740,10 @@ ostree_sysroot_deployment_unlock (OstreeSysroot     *self,
   if (!glnx_opendirat (self->sysroot_fd, deployment_path, TRUE, &deployment_dfd, error))
     goto out;
 
+  sepolicy = ostree_sepolicy_new_at (deployment_dfd, cancellable, error);
+  if (!sepolicy)
+    goto out;
+
   switch (unlocked_state)
     {
     case OSTREE_DEPLOYMENT_UNLOCKED_NONE:
@@ -1765,8 +1771,16 @@ ostree_sysroot_deployment_unlock (OstreeSysroot     *self,
         const char *development_ovl_upper;
         const char *development_ovl_work;
 
-        if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0700, error))
-          goto out;
+        /* Ensure that the directory is created with the same label as `/usr` */
+        { g_auto(OstreeSepolicyFsCreatecon) con = { 0, };
+
+          if (!_ostree_sepolicy_preparefscreatecon (&con, sepolicy,
+                                                    "/usr", 0755, error))
+            goto out;
+
+          if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0755, error))
+            goto out;
+        }
 
         development_ovl_upper = glnx_strjoina (development_ovldir, "/upper");
         if (!glnx_shutil_mkdir_p_at (AT_FDCWD, development_ovl_upper, 0755, cancellable, error))