Backport root homedir relabeling fix

Need https://github.com/coreos/ignition/pull/1029 for https://github.com/coreos/fedora-coreos-config/pull/426#issuecomment-658867731.
2020-07-15 13:35:57 -04:00 · 2020-07-15 13:35:57 -04:00 · 64c18a989e
commit 64c18a989e
parent 480b997359
2 changed files with 60 additions and 1 deletions
--- a/0001-files-don-t-relabel-homedir-symlinks-themselves.patch
+++ b/0001-files-don-t-relabel-homedir-symlinks-themselves.patch
@ -0,0 +1,51 @@
+From 6be9319720458c8c52dd0f5b760f5c6449775d14 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Wed, 15 Jul 2020 12:13:12 -0400
+Subject: [PATCH] files: don't relabel homedir symlinks themselves
+
+Regression from #996. If the home directory is a symlink, then just
+relabel the referent, not the symlink itself. Since the symlink already
+existed, we assume that it's properly labeled.
+
+This causes an error on the FCOS live ISO, where `/sysroot` is mounted
+from the squashfs, and so is read-only. But even on non-live, we should
+just assume that whatever created the `/root -> /var/roothome` symlink
+labeled it correctly.
+
+This would normally be a no-op because `setfiles` would see that it's
+properly labeled and not even attempt a `setxattr`. But because we can't
+yet read SELinux labels from the initrd, it thinks it's unlabeled. (That
+will be fixed by https://bugzilla.redhat.com/show_bug.cgi?id=1845210).
+---
+ internal/exec/stages/files/passwd.go | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/internal/exec/stages/files/passwd.go b/internal/exec/stages/files/passwd.go
+index 3ef4b00..7e4263f 100644
+--- a/internal/exec/stages/files/passwd.go
+++ b/internal/exec/stages/files/passwd.go
+@@ -75,15 +75,18 @@ func (s *stage) createPasswd(config types.Config) error {
+ 			if err != nil {
+ 				return err
+ 			}
+-			s.relabel(homedir)
+ 
+ 			// Check if the homedir is actually a symlink, and make sure we
+-			// relabel the target too. This is relevant on OSTree-based
+-			// platforms, where /root is a link to /var/roothome.
+			// relabel the target instead in that case. This is relevant on
+			// OSTree-based platforms, where /root is a link to /var/roothome.
+ 			if resolved, err := s.ResolveSymlink(homedir); err != nil {
+ 				return err
+ 			} else if resolved != "" {
+				// note we don't relabel the symlink itself; we assume it's
+				// already properly labeled
+ 				s.relabel(resolved)
+			} else {
+				s.relabel(homedir)
+ 			}
+ 		}
+ 	}
+-- 
+2.26.2
+
--- a/ignition.spec
+++ b/ignition.spec
@ -73,13 +73,15 @@

 Name:           ignition
 Version:        2.4.0
-Release:        1.git%{shortcommit}%{?dist}
+Release:        2.git%{shortcommit}%{?dist}
 Summary:        First boot installer and configuration tool
 License:        ASL 2.0 and BSD
 URL:            https://%{provider_prefix}
 Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
 Source1:        https://%{dracutprovider_prefix}/archive/%{dracutcommit}/%{dracutrepo}-%{dracutshortcommit}.tar.gz

+Patch0: 0001-files-don-t-relabel-homedir-symlinks-themselves.patch
+
 %define gopath %{_datadir}/gocode
 ExcludeArch: ppc64
 BuildRequires: golang >= 1.10
@ -442,6 +444,7 @@ Ignition project's Github releases page.
 # setup command reference: http://ftp.rpm.org/max-rpm/s1-rpm-inside-macros.html
 # unpack source0 and apply patches
 %setup -T -b 0 -q -n %{repo}-%{commit}
+%patch0 -p1

 # unpack source1 (dracut modules)
 %setup -T -D -a 1 -q -n %{repo}-%{commit}
@ -606,6 +609,11 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %endif

 %changelog
+* Wed Jul 15 2020 Jonathan Lebon <jonathan@jlebon.com> - 2.4.0-2.gitd18bf90
+- Backport root homedir relabeling fix
+  https://github.com/coreos/ignition/pull/1029 for
+  https://github.com/coreos/fedora-coreos-config/pull/426#issuecomment-658867731.
+
 * Mon Jul 13 2020 Benjamin Gilbert <bgilbert@redhat.com> - 2.4.0-1.gitd18bf90
 - New release
 - Bump ignition-dracut