Skip to content

Commit

Permalink
install: Just check etc/selinux/config if we don't have ostree
Browse files Browse the repository at this point in the history
Pairs with ostreedev/ostree-rs-ext#674
to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters <[email protected]>
  • Loading branch information
cgwalters committed Oct 24, 2024
1 parent cc6ddc3 commit efac46a
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 9 deletions.
28 changes: 19 additions & 9 deletions lib/src/install.rs
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ use serde::{Deserialize, Serialize};

use self::baseline::InstallBlockDeviceOpts;
use crate::containerenv::ContainerExecutionInfo;
use crate::lsm;
use crate::mount::Filesystem;
use crate::spec::ImageReference;
use crate::store::Storage;
Expand Down Expand Up @@ -525,15 +526,9 @@ impl SourceInfo {
Self::new(imageref, None, root, false, false)
}

/// Construct a new source information structure
fn new(
imageref: ostree_container::ImageReference,
digest: Option<String>,
root: &Dir,
in_host_mountns: bool,
have_host_container_storage: bool,
) -> Result<Self> {
fn have_selinux_from_repo(root: &Dir) -> Result<bool> {
let cancellable = ostree::gio::Cancellable::NONE;

let commit = Task::new("Reading ostree commit", "ostree")
.args(["--repo=/ostree/repo", "rev-parse", "--single"])
.quiet()
Expand All @@ -545,7 +540,22 @@ impl SourceInfo {
.0;
let root = root.downcast_ref::<ostree::RepoFile>().unwrap();
let xattrs = root.xattrs(cancellable)?;
let selinux = crate::lsm::xattrs_have_selinux(&xattrs);
Ok(crate::lsm::xattrs_have_selinux(&xattrs))
}

/// Construct a new source information structure
fn new(
imageref: ostree_container::ImageReference,
digest: Option<String>,
root: &Dir,
in_host_mountns: bool,
have_host_container_storage: bool,
) -> Result<Self> {
let selinux = if Path::new("/ostree/repo").try_exists()? {
Self::have_selinux_from_repo(root)?
} else {
lsm::have_selinux_policy(root)?
};
Ok(Self {
imageref,
digest,
Expand Down
6 changes: 6 additions & 0 deletions lib/src/lsm.rs
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,12 @@ pub(crate) fn selinux_ensure_install() -> Result<bool> {
Err(anyhow::Error::msg(cmd.exec()).context("execve"))
}

/// Query whether SELinux is apparently enabled in the target root
pub(crate) fn have_selinux_policy(root: &Dir) -> Result<bool> {
// TODO use ostree::SePolicy and query policy name
root.try_exists("etc/selinux/config").map_err(Into::into)
}

/// A type which will reset SELinux back to enforcing mode when dropped.
/// This is a workaround for the deep difficulties in trying to reliably
/// gain the `mac_admin` permission (install_t).
Expand Down

0 comments on commit efac46a

Please sign in to comment.