From 092a2b736dc8bf70b790d13622288dd6afe8c539 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 31 Jan 2024 18:02:24 +0100 Subject: [PATCH] libostree: write selinux xattr when on non-selinux systems Currently when writing data for selinux systems on a non-selinux system there will be no labels. This is because `ostree_sepolicy_setfscreatecon()` just returns TRUE on non-selinux systems and xattr writing for `security.seliux` is filtered out. This patches uses the suggestion of Colin Walters (thanks!) from https://github.com/ostreedev/ostree/issues/2804 and detects if the host has selinux enabled and if not just skips filtering the xattrs for selinux. --- src/libostree/ostree-repo-checkout.c | 4 ++-- src/libostree/ostree-sepolicy.c | 16 ++++++++++++++++ src/libostree/ostree-sepolicy.h | 3 +++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c index 0516ef48..530a40f8 100644 --- a/src/libostree/ostree-repo-checkout.c +++ b/src/libostree/ostree-repo-checkout.c @@ -195,7 +195,7 @@ create_file_copy_from_input_at (OstreeRepo *repo, OstreeRepoCheckoutAtOptions *o g_autoptr (GVariant) modified_xattrs = NULL; /* If we're doing SELinux labeling, prepare it */ - if (sepolicy_enabled) + if (sepolicy_enabled && ostree_sepolicy_host_enabled (options->sepolicy)) { /* If doing sepolicy path-based labeling, we don't want to set the * security.selinux attr via the generic xattr paths in either the symlink @@ -1045,7 +1045,7 @@ checkout_tree_at_recurse (OstreeRepo *self, OstreeRepoCheckoutAtOptions *options }; /* If we're doing SELinux labeling, prepare it */ - if (sepolicy_enabled) + if (sepolicy_enabled && ostree_sepolicy_host_enabled (options->sepolicy)) { /* We'll set the xattr via setfscreatecon(), so don't do it via generic xattrs below. */ modified_xattrs = _ostree_filter_selinux_xattr (xattrs); diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c index d61a9cc5..66cbb55a 100644 --- a/src/libostree/ostree-sepolicy.c +++ b/src/libostree/ostree-sepolicy.c @@ -753,3 +753,19 @@ _ostree_filter_selinux_xattr (GVariant *xattrs) return NULL; return g_variant_ref_sink (g_variant_builder_end (&builder)); } + +/** + * ostree_sepolicy_host_enabled: + * @self: Policy + * + * Return if the host has selinux enabled + */ +gboolean +ostree_sepolicy_host_enabled (OstreeSePolicy *self) +{ +#ifdef HAVE_SELINUX + return cached_is_selinux_enabled (); +#else + return FALSE; +#endif +} diff --git a/src/libostree/ostree-sepolicy.h b/src/libostree/ostree-sepolicy.h index 20984567..a7e14c2b 100644 --- a/src/libostree/ostree-sepolicy.h +++ b/src/libostree/ostree-sepolicy.h @@ -77,4 +77,7 @@ void ostree_sepolicy_fscreatecon_cleanup (void **unused); #define ostree_cleanup_sepolicy_fscreatecon \ __attribute__ ((cleanup (ostree_sepolicy_fscreatecon_cleanup))) +_OSTREE_PUBLIC +gboolean ostree_sepolicy_host_enabled (OstreeSePolicy *self); + G_END_DECLS -- 2.30.2