authorDaniel Golle <daniel@makrotopia.org>2022-06-02 07:36:47 +0100
committerDaniel Golle <daniel@makrotopia.org>2022-06-02 07:36:47 +0100
commit93369be040612c906bcbb1631f44a92fa4122d24 (patch)
tree5f3a9a035782767713511ecb78abd47a5610fad6
parent9e11b3723ce30b9b8c94ad7d15072a10cf13c0b4 (diff)
downloadfstools-93369be040612c906bcbb1631f44a92fa4122d24.tar.gz
Revert "fstools: remove SELinux restorecon hack"
Now that procd only relabels the filesystem in case of the system being started with initramfs we will again need to take care of labeling newly created /overlay. This reverts commit 9e11b3723ce30b9b8c94ad7d15072a10cf13c0b4. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r--libfstools/libfstools.h1
-rw-r--r--libfstools/mount.c25
-rw-r--r--libfstools/overlay.c1
3 files changed, 27 insertions, 0 deletions
diff --git a/libfstools/libfstools.h b/libfstools/libfstools.h
index be20fad..340e2dc 100644
--- a/libfstools/libfstools.h
+++ b/libfstools/libfstools.h
@@ -62,5 +62,6 @@ extern void overlay_delete(const char *dir, bool keep_sysupgrade);
enum fs_state fs_state_get(const char *dir);
int fs_state_set(const char *dir, enum fs_state state);
+void selinux_restorecon(char *overlaydir);
#endif
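Review bot: The new prototype takes `char *overlaydir`, while the neighbouring declarations in this header (`fs_state_get`, `fs_state_set`, `overlay_delete`) take `const char *dir`. The function only passes the path on to execl(), and the overlay.c hunk calls it with the `OVERLAYDIR` macro, which is presumably a string literal. Declaring it as `void selinux_restorecon(const char *overlaydir);` here, with the same change on the definition in mount.c, states that the path is not modified and keeps the header consistent.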
diff --git a/libfstools/mount.c b/libfstools/mount.c
index 8646c19..3d4111f 100644
--- a/libfstools/mount.c
+++ b/libfstools/mount.c
@@ -86,6 +86,24 @@ pivot(char *new, char *old)
return 0;
}
+void
+selinux_restorecon(char *overlaydir)
+{
+ struct stat s;
+ pid_t restorecon_pid;
+ int status;
+
+ /* on non-SELinux system we don't have /sbin/restorecon, return */
+ if (stat("/sbin/restorecon", &s))
+ return;
+
+ restorecon_pid = fork();
+ if (!restorecon_pid)
+ exit(execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL));
+ else if (restorecon_pid > 0)
+ waitpid(restorecon_pid, &status, 0);
+}
+
/**
* fopivot - switch to overlay using passed dir as upper one
*
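Review bot: In selinux_restorecon() the child runs `exit(execl(...))`, so if execl fails the forked copy goes through exit(), running the parent's atexit handlers and flushing stdio buffers it inherited; the child should call `_exit()` after the execl line instead. The parent also discards `status` and does nothing when fork() returns -1, so a relabel that never happened is silent and the overlay is used with whatever label the directory already had. Reporting both cases would make a mislabelled /overlay diagnosable; the sketch below uses ULOG_ERR as overlay.c does, assuming it is usable in mount.c as well.

```c
	/* … unchanged: declarations and the stat("/sbin/restorecon") check … */
	restorecon_pid = fork();
	if (restorecon_pid < 0) {
		ULOG_ERR("restorecon: fork failed: %m\n");
		return;
	}
	if (!restorecon_pid) {
		execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL);
		_exit(127);	/* only reached when execl failed */
	}
	if (waitpid(restorecon_pid, &status, 0) < 0 ||
	    !WIFEXITED(status) || WEXITSTATUS(status))
		ULOG_ERR("restorecon on %s did not complete\n", overlaydir);
```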
@@ -112,6 +130,13 @@ fopivot(char *rw_root, char *ro_root)
upperdir, workdir);
/*
+ * Initialize SELinux security label on newly created overlay
+ * filesystem where /upper doesn't yet exist
+ */
+ if (stat(upperdir, &st))
+ selinux_restorecon(rw_root);
+
+ /*
* Overlay FS v23 and later requires both a upper and
* a work directory, both on the same filesystem, but
* not part of the same subtree.
diff --git a/libfstools/overlay.c b/libfstools/overlay.c
index 4cc319e..6790337 100644
--- a/libfstools/overlay.c
+++ b/libfstools/overlay.c
@@ -195,6 +195,7 @@ switch2jffs(struct volume *v)
ULOG_ERR("failed - mount -t jffs2 %s %s: %m\n", v->blk, OVERLAYDIR);
return -1;
}
+ selinux_restorecon(OVERLAYDIR);
if (mount("none", "/", NULL, MS_NOATIME | MS_REMOUNT, 0)) {
ULOG_ERR("failed - mount -o remount,ro none: %m\n");