</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--selinux-labeling-epoch</option>0 | 1</term>
+
+ <listitem><para>
+ When SELinux labeling is enabled, epoch <literal>1</literal> ensures that <literal>/usr/etc</literal> is labeled as if it was <literal>/etc</literal>.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--bootable</option></term>
<listitem><para>
#include <gio/gunixoutputstream.h>
#include <glib-unix.h>
#include <glib/gprintf.h>
+#include <stdbool.h>
#include <sys/ioctl.h>
#include <sys/statvfs.h>
#include <sys/xattr.h>
if (modifier && modifier->sepolicy)
{
g_autofree char *label = NULL;
+ const char *path_for_labeling = relpath;
- if (!ostree_sepolicy_get_label (modifier->sepolicy, relpath,
+ bool using_v1 = (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1) > 0;
+ bool is_usretc = g_str_equal (relpath, "/usr/etc") || g_str_has_prefix (relpath, "/usr/etc/");
+ if (using_v1 && is_usretc)
+ path_for_labeling += strlen ("/usr");
+
+ if (!ostree_sepolicy_get_label (modifier->sepolicy, path_for_labeling,
g_file_info_get_attribute_uint32 (file_info, "unix::mode"),
&label, cancellable, error))
return FALSE;
* 2017.13
* @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_DEVINO_CANONICAL: If a devino cache hit is found, skip
* modifier filters (non-directories only); Since: 2017.14
+ * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1: For SELinux and other systems, label
+ * /usr/etc as if it was /etc.
*
* Flags modifying commit behavior. In bare-user-only mode,
* @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS and
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3),
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CONSUME = (1 << 4),
OSTREE_REPO_COMMIT_MODIFIER_FLAGS_DEVINO_CANONICAL = (1 << 5),
+ OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1 = (1 << 6),
} OstreeRepoCommitModifierFlags;
/**
static gboolean opt_no_xattrs;
static char *opt_selinux_policy;
static gboolean opt_selinux_policy_from_base;
+static int opt_selinux_labeling_epoch;
static gboolean opt_canonical_permissions;
static gboolean opt_ro_executables;
static gboolean opt_consume;
"Set SELinux labels based on policy in root filesystem PATH (may be /)", "PATH" },
{ "selinux-policy-from-base", 'P', 0, G_OPTION_ARG_NONE, &opt_selinux_policy_from_base,
"Set SELinux labels based on first --tree argument", NULL },
+ { "selinux-labeling-epoch", 0, 0, G_OPTION_ARG_INT, &opt_selinux_labeling_epoch,
+ "Configure the default SELinux labeling rules; 0 is the default, 1 enables labeling /usr/etc "
+ "as /etc",
+ NULL },
{ "link-checkout-speedup", 0, 0, G_OPTION_ARG_NONE, &opt_link_checkout_speedup,
"Optimize for commits of trees composed of hardlinks into the repository", NULL },
{ "devino-canonical", 'I', 0, G_OPTION_ARG_NONE, &opt_devino_canonical,
flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS;
if (opt_consume)
flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CONSUME;
+ switch (opt_selinux_labeling_epoch)
+ {
+ case 0:
+ break;
+ case 1:
+ flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1;
+ break;
+ default:
+ {
+ glnx_throw (error, "Unknown SELinux labeling epoch: %d", opt_selinux_labeling_epoch);
+ goto out;
+ }
+ }
if (opt_devino_canonical)
{
opt_link_checkout_speedup = TRUE; /* Imply this */
rm co -rf
echo "ok commit with sepolicy"
+ostree ls -X ${host_refspec} /usr/etc/sysctl.conf > ls.txt
+if grep -qF ':etc_t:' ls.txt; then
+ ostree checkout -H ${host_refspec} co
+ ostree commit -b testbranch --link-checkout-speedup \
+ --selinux-policy co --tree=dir=co --selinux-labeling-epoch=1
+ ostree ls -X testbranch /usr/etc/sysctl.conf > ls.txt
+ assert_file_has_content ls.txt ':system_conf_t:'
+ rm co ls.txt -rf
+ ostree refs --delete testbranch
+else
+ echo 'Already using --selinux-labeling-epoch > 0 on host, hopefully!'
+fi
+
+echo "ok --selinux-labeling-epoch=1"
+
# Now let's check that selinux policy labels can be applied on checkout
rm rootfs -rf
projects / ostree.git / commitdiff