&label, cancellable, error))
return FALSE;
- if (label)
+ if (!label && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED) > 0)
+ {
+ return glnx_throw (error, "Failed to look up SELinux label for '%s'", relpath);
+ }
+ else if (label)
{
g_autoptr(GVariantBuilder) builder = NULL;
* @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS: Do not process extended attributes
* @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES: Generate size information.
* @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS: Canonicalize permissions for bare-user-only mode.
+ * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED: Emit an error if configured SELinux policy does not provide a label
*/
typedef enum {
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_NONE = 0,
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS = (1 << 0),
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES = (1 << 1),
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS = (1 << 2),
+ OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3),
} OstreeRepoCommitModifierFlags;
/**
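Review bot: The new doc line for OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED does not say what "unlabeled" covers. From the sepolicy change in this same commit the label stays NULL both when the loaded policy has no match for the path (the ENOENT branch) and when no policy handle is loaded at all, and presumably also in a build without SELinux support, so a caller that sets the flag without a policy would likely see every path rejected. Suggest `@OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED: Emit an error if the configured SELinux policy does not provide a label for a path; only meaningful when a policy is set on the modifier`, and, if this header annotates new API with `Since:`, a `Since: <release version>` line for the new enum value.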
GError **error)
{
#ifdef HAVE_SELINUX
- gboolean ret = FALSE;
- int res;
- char *con = NULL;
+ /* Early return if no policy */
+ if (!self->selinux_hnd)
+ return TRUE;
- if (self->selinux_hnd)
+ /* http://marc.info/?l=selinux&m=149082134430052&w=2
+ * https://github.com/ostreedev/ostree/pull/768
+ */
+ if (strcmp (relpath, "/proc") == 0)
+ relpath = "/mnt";
+
+ char *con = NULL;
+ int res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
+ if (res != 0)
{
- res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
- if (res != 0)
- {
- if (errno != ENOENT)
- {
- glnx_set_error_from_errno (error);
- goto out;
- }
- }
+ if (errno == ENOENT)
+ *out_label = NULL;
else
- {
- /* Ensure we consistently allocate with g_malloc */
- *out_label = g_strdup (con);
- freecon (con);
- }
+ return glnx_throw_errno (error);
+ }
+ else
+ {
+ /* Ensure we consistently allocate with g_malloc */
+ *out_label = g_strdup (con);
+ freecon (con);
}
- ret = TRUE;
- out:
- return ret;
-#else
- return TRUE;
#endif
+ return TRUE;
}
/**
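Review bot: The early return added at the top of the `#ifdef HAVE_SELINUX` block returns TRUE without writing `*out_label`, and a build without SELinux support now falls straight through to the `return TRUE` after `#endif` with the same effect, so in the no-policy case the caller sees whatever it initialised the out-parameter to. Since the ERROR_ON_UNLABELED check added in the commit path treats any non-NULL `label` as labeled, this contract should be made explicit: either document on the function that `*out_label` is untouched when no policy is loaded, or write it before returning, `if (!self->selinux_hnd) { *out_label = NULL; return TRUE; }`, with an `#else` branch assigning NULL for the non-SELinux build. The ENOENT branch already assigns NULL for the policy-has-no-match case, so the no-policy path would then behave consistently with it. The function's signature begins outside the hunk.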