bin/commit: Fix --tree=tar with --selinux-policy

The logic for `--selinux-policy` ended up in the `--tree=dir` path, but there's no reason for that. Fix the imported labeling with `--tree=tar`. Prep for use with containers. We had this bug because the previous logic was trying to avoid duplicating the code for generic `--selinux-policy` and the case of `--selinux-policy-from-base --tree=dir`. It's a bit more code, but it's cleaner if we dis-entangle them.
2025-01-09 01:18:35 +03:00 · 2021-09-29 09:03:24 -04:00 · 2021-09-29 09:03:24 -04:00 · ab12e380fc
commit ab12e380fc
parent e8394c755b
2 changed files with 25 additions and 7 deletions
--- a/src/ostree/ot-builtin-commit.c
+++ b/src/ostree/ot-builtin-commit.c
@ -602,6 +602,17 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
      filter_data.skip_list = skip_list;
      modifier = ostree_repo_commit_modifier_new (flags, commit_filter,
                                                  &filter_data, NULL);
+
+      if (opt_selinux_policy)
+        {
+          glnx_autofd int rootfs_dfd = -1;
+          if (!glnx_opendirat (AT_FDCWD, opt_selinux_policy, TRUE, &rootfs_dfd, error))
+            goto out;
+          policy = ostree_sepolicy_new_at (rootfs_dfd, cancellable, error);
+          if (!policy)
+            goto out;
+          ostree_repo_commit_modifier_set_sepolicy (modifier, policy);
+        }
    }

  if (opt_editor)
@ -691,14 +702,8 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
        {
          if (first && opt_selinux_policy_from_base)
            {
-              opt_selinux_policy = g_strdup (tree);
-              opt_selinux_policy_from_base = FALSE;
-            }
-          if (first && opt_selinux_policy)
-            {
-              g_assert (modifier);
              glnx_autofd int rootfs_dfd = -1;
-              if (!glnx_opendirat (AT_FDCWD, opt_selinux_policy, TRUE, &rootfs_dfd, error))
+              if (!glnx_opendirat (AT_FDCWD, tree, TRUE, &rootfs_dfd, error))
                goto out;
              policy = ostree_sepolicy_new_at (rootfs_dfd, cancellable, error);
              if (!policy)
--- a/tests/kolainst/destructive/itest-label-selinux.sh
+++ b/tests/kolainst/destructive/itest-label-selinux.sh
@ -104,3 +104,16 @@ assert_file_has_content newls.txt ':lib_t:'
 ostree ls -X newbase /usr/etc/some.conf > newls.txt
 assert_file_has_content newls.txt ':etc_t:'
 echo "ok commit --selinux-policy-from-base"
+
+rm rootfs -rf
+mkdir rootfs
+mkdir -p rootfs/usr/{bin,lib,etc}
+echo 'somebinary' > rootfs/usr/bin/somebinary
+ls -Z rootfs/usr/bin/somebinary > lsz.txt
+assert_not_file_has_content lsz.txt ':bin_t:'
+rm -f lsz.txt
+tar -C rootfs -cf rootfs.tar .
+ostree commit -b newbase --selinux-policy / --tree=tar=rootfs.tar
+ostree ls -X newbase /usr/bin/somebinary > newls.txt
+assert_file_has_content newls.txt ':bin_t:'
+echo "ok commit --selinux-policy with --tree=tar"