diff options
author | Colin Walters <walters@verbum.org> | 2015-01-22 17:35:32 -0500 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2015-01-23 12:44:06 -0500 |
commit | 6ce80f9685e6273dbcb4731d6650a10976ea220a (patch) | |
tree | a21d00fa425b6648925380207786014ae12a0c34 | |
parent | 8f4999c854f066c11f5137771697c79928044e5d (diff) | |
download | ostree-6ce80f9685e6273dbcb4731d6650a10976ea220a.tar.gz |
Explicitly label .origin files as configuration
subscription-manager has a daemon that runs in a confined domain,
and it doesn't have permission to write usr_t, which is the default
label of /ostree/deploy/$osname/deploy.
A better long term fix is probably to move the origin file into the
deployment root as /etc/ostree/origin.conf or so.
In the meantime, let's ensure the .origin files are labeled as
configuration.
-rw-r--r-- | src/libostree/ostree-sepolicy.c | 61 | ||||
-rw-r--r-- | src/libostree/ostree-sepolicy.h | 9 | ||||
-rw-r--r-- | src/libostree/ostree-sysroot-deploy.c | 33 | ||||
-rw-r--r-- | src/libostree/ostree-sysroot-private.h | 2 | ||||
-rw-r--r-- | src/libostree/ostree-sysroot.c | 1 |
5 files changed, 99 insertions, 7 deletions
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c index c928ee32..91c78b47 100644 --- a/src/libostree/ostree-sepolicy.c +++ b/src/libostree/ostree-sepolicy.c @@ -45,6 +45,8 @@ struct OstreeSePolicy { GFile *path; + gboolean runtime_enabled; + #ifdef HAVE_SELINUX GFile *selinux_policy_root; struct selabel_handle *selinux_hnd; @@ -221,6 +223,8 @@ initable_init (GInitable *initable, if (enabled) { + self->runtime_enabled = is_selinux_enabled () == 1; + g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE); if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0) { @@ -454,3 +458,60 @@ ostree_sepolicy_restorecon (OstreeSePolicy *self, return TRUE; #endif } + +/** + * ostree_sepolicy_setfscreatecon: + * @self: Policy + * @path: Use this path to determine a label + * @mode: Used along with @path + * @error: Error + * + */ +gboolean +ostree_sepolicy_setfscreatecon (OstreeSePolicy *self, + const char *path, + guint32 mode, + GError **error) +{ +#ifdef HAVE_SELINUX + gboolean ret = FALSE; + gs_free char *label = NULL; + + /* setfscreatecon() will bomb out if the host has SELinux disabled, + * but we're enabled for the target system. This is kind of a + * broken scenario...for now, we'll silently ignore the label + * request. To correctly handle the case of disabled host but + * enabled target will require nontrivial work. + */ + if (!self->runtime_enabled) + return TRUE; + + if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error)) + goto out; + + if (setfscreatecon_raw (label) != 0) + { + gs_set_error_from_errno (error, errno); + return FALSE; + } + + ret = TRUE; + out: + return ret; +#else + return TRUE; +#endif +} + +/** + * ostree_sepolicy_fscreatecon_cleanup: + * + * Cleanup function for ostree_sepolicy_setfscreatecon(). + */ +void +ostree_sepolicy_fscreatecon_cleanup (void **unused) +{ +#ifdef HAVE_SELINUX + setfscreatecon (NULL); +#endif +} diff --git a/src/libostree/ostree-sepolicy.h b/src/libostree/ostree-sepolicy.h index 19a067eb..0c5d215e 100644 --- a/src/libostree/ostree-sepolicy.h +++ b/src/libostree/ostree-sepolicy.h @@ -62,5 +62,14 @@ gboolean ostree_sepolicy_restorecon (OstreeSePolicy *self, GCancellable *cancellable, GError **error); +gboolean ostree_sepolicy_setfscreatecon (OstreeSePolicy *self, + const char *path, + guint32 mode, + GError **error); + +void ostree_sepolicy_fscreatecon_cleanup (void **unused); + +#define ostree_cleanup_sepolicy_fscreatecon __attribute__ ((cleanup(ostree_sepolicy_fscreatecon_cleanup))) + G_END_DECLS diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index b3289327..f7c8dcf1 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -1893,13 +1893,6 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self, goto out; } - if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL, - cancellable, error)) - { - g_prefix_error (error, "Writing out origin file: "); - goto out; - } - /* Create an empty boot configuration; we will merge things into * it as we go. */ @@ -1915,6 +1908,9 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self, goto out; } + g_clear_object (&self->sepolicy); + self->sepolicy = g_object_ref (sepolicy); + deployment_etc = g_file_get_child (new_deployment_path, "etc"); if (!selinux_relabel_var_if_needed (self, sepolicy, deployment_var, @@ -1925,6 +1921,29 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self, cancellable, error)) goto out; + { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL; + + /* Explicitly override the label for the origin file to ensure + * it's system_conf_t. + */ + if (self->sepolicy != NULL + && ostree_sepolicy_get_name (self->sepolicy) != NULL) + { + if (!ostree_sepolicy_setfscreatecon (self->sepolicy, + "/etc/ostree/remotes.d/dummy.conf", + 0644, + error)) + goto out; + } + + if (!ostree_sysroot_write_origin_file (self, new_deployment, NULL, + cancellable, error)) + { + g_prefix_error (error, "Writing out origin file: "); + goto out; + } + } + /* After this, install_deployment_kernel() will set the other boot * options and write it out to disk. */ diff --git a/src/libostree/ostree-sysroot-private.h b/src/libostree/ostree-sysroot-private.h index 28b0feb7..97aa9e8a 100644 --- a/src/libostree/ostree-sysroot-private.h +++ b/src/libostree/ostree-sysroot-private.h @@ -34,6 +34,8 @@ struct OstreeSysroot { gboolean loaded; + OstreeSePolicy *sepolicy; + GPtrArray *deployments; int bootversion; int subbootversion; diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c index 64a5e5bb..d415008d 100644 --- a/src/libostree/ostree-sysroot.c +++ b/src/libostree/ostree-sysroot.c @@ -63,6 +63,7 @@ ostree_sysroot_finalize (GObject *object) OstreeSysroot *self = OSTREE_SYSROOT (object); g_clear_object (&self->path); + g_clear_object (&self->sepolicy); G_OBJECT_CLASS (ostree_sysroot_parent_class)->finalize (object); } |