filter_data.skip_list = skip_list;
modifier = ostree_repo_commit_modifier_new (flags, commit_filter,
&filter_data, NULL);
+
+ if (opt_selinux_policy)
+ {
+ glnx_autofd int rootfs_dfd = -1;
+ if (!glnx_opendirat (AT_FDCWD, opt_selinux_policy, TRUE, &rootfs_dfd, error))
+ goto out;
+ policy = ostree_sepolicy_new_at (rootfs_dfd, cancellable, error);
+ if (!policy)
+ goto out;
+ ostree_repo_commit_modifier_set_sepolicy (modifier, policy);
+ }
}
if (opt_editor)
{
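Review bot: Nothing in this hunk stops `--selinux-policy` and `--selinux-policy-from-base` from both taking effect: `policy` is assigned here from `opt_selinux_policy`, and the from-base branch later in the file assigns it again from `tree`. Unless option parsing outside the hunk already rejects the combination, the second load would replace the explicitly requested policy without any message, and the commit would be labelled from a different policy than the one the operator named. A guard placed before this block, such as `if (opt_selinux_policy && opt_selinux_policy_from_base) { glnx_throw (error, "Cannot specify both --selinux-policy and --selinux-policy-from-base"); goto out; }`, would turn the conflict into an error. The enclosing `if` that creates `modifier` starts above the hunk, so its condition is not visible here.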
if (first && opt_selinux_policy_from_base)
{
- opt_selinux_policy = g_strdup (tree);
- opt_selinux_policy_from_base = FALSE;
- }
- if (first && opt_selinux_policy)
- {
- g_assert (modifier);
glnx_autofd int rootfs_dfd = -1;
- if (!glnx_opendirat (AT_FDCWD, opt_selinux_policy, TRUE, &rootfs_dfd, error))
+ if (!glnx_opendirat (AT_FDCWD, tree, TRUE, &rootfs_dfd, error))
goto out;
policy = ostree_sepolicy_new_at (rootfs_dfd, cancellable, error);
if (!policy)
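Review bot: The removed `g_assert (modifier);` was the only check in this branch that a commit modifier exists before a policy is attached to it, and the new side has no replacement. Whether `modifier` is always created when only `--selinux-policy-from-base` is given depends on the condition guarding `ostree_repo_commit_modifier_new`, which lies above the first hunk; if that condition does not cover `opt_selinux_policy_from_base`, the code following `if (!policy)` would be handed a NULL modifier. Since `g_assert` can be compiled out, an explicit check is the safer form, for example `if (!modifier) { glnx_throw (error, "--selinux-policy-from-base requires a commit modifier"); goto out; }` as the first statement of the block. The branch continues past the end of the hunk, so the attach call itself is not shown.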
ostree ls -X newbase /usr/etc/some.conf > newls.txt
assert_file_has_content newls.txt ':etc_t:'
echo "ok commit --selinux-policy-from-base"
+
+rm rootfs -rf
+mkdir rootfs
+mkdir -p rootfs/usr/{bin,lib,etc}
+echo 'somebinary' > rootfs/usr/bin/somebinary
+ls -Z rootfs/usr/bin/somebinary > lsz.txt
+assert_not_file_has_content lsz.txt ':bin_t:'
+rm -f lsz.txt
+tar -C rootfs -cf rootfs.tar .
+ostree commit -b newbase --selinux-policy / --tree=tar=rootfs.tar
+ostree ls -X newbase /usr/bin/somebinary > newls.txt
+assert_file_has_content newls.txt ':bin_t:'
+echo "ok commit --selinux-policy with --tree=tar"
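Review bot: The new test creates `rootfs/usr/{bin,lib,etc}` but places and checks only one file, so it proves a single label (`:bin_t:`) and would still pass if the tar import path applied the same label to every entry. Adding a second file with a different expected type shows that labels are looked up per path; this mirrors the `/usr/etc/some.conf` check in the test just above. Concretely, add `echo 'someconfig' > rootfs/usr/etc/some.conf` before the `tar` line, and after the commit add `ostree ls -X newbase /usr/etc/some.conf > newls.txt` followed by `assert_file_has_content newls.txt ':etc_t:'`. As a style point, `rm rootfs -rf` relies on GNU option permutation; `rm -rf rootfs` is the portable spelling.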