authorColin Walters <walters@verbum.org>2021-09-29 09:03:24 -0400
committerColin Walters <walters@verbum.org>2021-09-30 11:44:27 -0400
commitab12e380fc51487672d07ddf47295ee182e62d36 (patch)
tree353424b101c8649336336f8bb48565e16fcf0b0c
parente8394c755bbbfaf9071baad2c55b3d76a82555ea (diff)
bin/commit: Fix --tree=tar with --selinux-policy
The logic for `--selinux-policy` ended up in the `--tree=dir` path, but there's no reason for that. Fix the imported labeling with `--tree=tar`. Prep for use with containers. We had this bug because the previous logic was trying to avoid duplicating the code for generic `--selinux-policy` and the case of `--selinux-policy-from-base --tree=dir`. It's a bit more code, but it's cleaner if we disentangle them.
-rw-r--r--src/ostree/ot-builtin-commit.c19
-rwxr-xr-xtests/kolainst/destructive/itest-label-selinux.sh13
2 files changed, 25 insertions, 7 deletions
diff --git a/src/ostree/ot-builtin-commit.c b/src/ostree/ot-builtin-commit.c
index 370e085c..b993678e 100644
--- a/src/ostree/ot-builtin-commit.c
+++ b/src/ostree/ot-builtin-commit.c
@@ -602,6 +602,17 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
filter_data.skip_list = skip_list;
modifier = ostree_repo_commit_modifier_new (flags, commit_filter,
&filter_data, NULL);
+
+ if (opt_selinux_policy)
+ {
+ glnx_autofd int rootfs_dfd = -1;
+ if (!glnx_opendirat (AT_FDCWD, opt_selinux_policy, TRUE, &rootfs_dfd, error))
+ goto out;
+ policy = ostree_sepolicy_new_at (rootfs_dfd, cancellable, error);
+ if (!policy)
+ goto out;
+ ostree_repo_commit_modifier_set_sepolicy (modifier, policy);
+ }
}
if (opt_editor)
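Review bot: Nothing in the new block rejects `--selinux-policy` combined with `--selinux-policy-from-base`; this block assigns `policy` and installs it on the modifier from `opt_selinux_policy`, and the `--tree=dir` path in the next hunk assigns `policy` again from the base tree, so when both flags are given the later one silently wins. If `policy` is a `g_autoptr` (its declaration is outside the hunk), the first object is also leaked on reassignment, since autoptr only releases the final value. The old code avoided this by folding `--selinux-policy-from-base` into `opt_selinux_policy`; now that the two paths are separate, make the precedence explicit by failing early: `if (opt_selinux_policy && opt_selinux_policy_from_base) { g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Cannot specify both --selinux-policy and --selinux-policy-from-base"); goto out; }`. This block is inside the conditional that creates the modifier, so the dropped `g_assert (modifier)` is not needed here, but see the later hunk.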
@@ -691,14 +702,8 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
{
if (first && opt_selinux_policy_from_base)
{
- opt_selinux_policy = g_strdup (tree);
- opt_selinux_policy_from_base = FALSE;
- }
- if (first && opt_selinux_policy)
- {
- g_assert (modifier);
glnx_autofd int rootfs_dfd = -1;
- if (!glnx_opendirat (AT_FDCWD, opt_selinux_policy, TRUE, &rootfs_dfd, error))
+ if (!glnx_opendirat (AT_FDCWD, tree, TRUE, &rootfs_dfd, error))
goto out;
policy = ostree_sepolicy_new_at (rootfs_dfd, cancellable, error);
if (!policy)
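Review bot: The `g_assert (modifier)` that lived in the removed lines has no replacement, yet this `--selinux-policy-from-base` path still depends on the modifier having been created in the option-gated conditional earlier in ostree_builtin_commit, and the modifier is handed to the sepolicy setter after the hunk ends. That invariant is now enforced only by the option list that gates modifier creation, far from this use, and a future edit to that list would turn this into a NULL dereference rather than an assertion failure. Keep it visible at the point of use: `g_assert (modifier);` as the first statement of the `if (first && opt_selinux_policy_from_base)` body. The enclosing function continues outside this hunk.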
diff --git a/tests/kolainst/destructive/itest-label-selinux.sh b/tests/kolainst/destructive/itest-label-selinux.sh
index d7337124..97b5cc54 100755
--- a/tests/kolainst/destructive/itest-label-selinux.sh
+++ b/tests/kolainst/destructive/itest-label-selinux.sh
@@ -104,3 +104,16 @@ assert_file_has_content newls.txt ':lib_t:'
ostree ls -X newbase /usr/etc/some.conf > newls.txt
assert_file_has_content newls.txt ':etc_t:'
echo "ok commit --selinux-policy-from-base"
+
+rm rootfs -rf
+mkdir rootfs
+mkdir -p rootfs/usr/{bin,lib,etc}
+echo 'somebinary' > rootfs/usr/bin/somebinary
+ls -Z rootfs/usr/bin/somebinary > lsz.txt
+assert_not_file_has_content lsz.txt ':bin_t:'
+rm -f lsz.txt
+tar -C rootfs -cf rootfs.tar .
+ostree commit -b newbase --selinux-policy / --tree=tar=rootfs.tar
+ostree ls -X newbase /usr/bin/somebinary > newls.txt
+assert_file_has_content newls.txt ':bin_t:'
+echo "ok commit --selinux-policy with --tree=tar"
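Review bot: The new test proves relabeling for a single path, `/usr/bin/somebinary` → `bin_t`, which is the one label that the earlier `--selinux-policy-from-base` test already exercised; a second, differently-labeled path would show that the tar import applies the policy per path rather than matching one file by coincidence. Mirror the existing check at `ostree ls -X newbase /usr/etc/some.conf` by creating `rootfs/usr/etc/some.conf` before the `tar` at `tar -C rootfs -cf rootfs.tar .` and adding `ostree ls -X newbase /usr/etc/some.conf > newls.txt` followed by `assert_file_has_content newls.txt ':etc_t:'`. Note that the negative check on `lsz.txt` only shows the on-disk file is not `bin_t`; since `tar -cf` is invoked without `--selinux`/`--xattrs`, presumably no label is carried in the archive at all, so the assertion is mostly documenting intent — worth a one-line comment saying so.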