From edf3b2635a72bc86e8eaecfe8578a8eb9526d56d Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Wed, 27 Mar 2019 18:27:16 -0400
Subject: [PATCH] Backport fix for SELinux relabeling of systemd units
---
...x-unit-relabeling-to-exclude-DestDir.patch | 77 +++++++++++++++++++
ignition.spec | 8 +-
2 files changed, 84 insertions(+), 1 deletion(-)
create mode 100644 0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
diff --git a/0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch b/0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
new file mode 100644
index 0000000..8aaab11
--- /dev/null
+++ b/0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
@@ -0,0 +1,77 @@
+From 5d57d6107a56fecfe9b6c8bb1a06f2dd1889a7e0 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert
+Date: Wed, 27 Mar 2019 17:29:15 -0400
+Subject: [PATCH] stages/files: fix unit relabeling to exclude DestDir
+
+Non-runtime units and dropins need to be relabeled relative to DestDir,
+since relabeling happens in the real root.
+
+e42ecb08f9b5 addressed this for files.
+---
+ internal/exec/stages/files/units.go | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/internal/exec/stages/files/units.go b/internal/exec/stages/files/units.go
+index 98c0797..c73141c 100644
+--- a/internal/exec/stages/files/units.go
++++ b/internal/exec/stages/files/units.go
+@@ -15,7 +15,9 @@
+ package files
+
+ import (
++ "fmt"
+ "path/filepath"
++ "strings"
+
+ "github.com/coreos/ignition/config/v3_0/types"
+ "github.com/coreos/ignition/internal/distro"
+@@ -85,6 +87,14 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
+ s.Logger.Crit("error converting systemd dropin: %v", err)
+ return err
+ }
++ relabelPath := f.Node.Path
++ if !runtime {
++ // trim off prefix since this needs to be relative to the sysroot
++ if !strings.HasPrefix(f.Node.Path, s.DestDir) {
++ panic(fmt.Sprintf("Dropin path %s isn't under prefix %s", f.Node.Path, s.DestDir))
++ }
++ relabelPath = f.Node.Path[len(s.DestDir):]
++ }
+ if err := s.Logger.LogOp(
+ func() error { return u.PerformFetch(f) },
+ "writing systemd drop-in %q at %q", dropin.Name, f.Node.Path,
+@@ -92,7 +102,7 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
+ return err
+ }
+ if !relabeledDropinDir {
+- s.relabel(filepath.Dir("/" + f.Node.Path))
++ s.relabel(filepath.Dir(relabelPath))
+ relabeledDropinDir = true
+ }
+ }
+@@ -106,13 +116,21 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
+ s.Logger.Crit("error converting unit: %v", err)
+ return err
+ }
++ relabelPath := f.Node.Path
++ if !runtime {
++ // trim off prefix since this needs to be relative to the sysroot
++ if !strings.HasPrefix(f.Node.Path, s.DestDir) {
++ panic(fmt.Sprintf("Unit path %s isn't under prefix %s", f.Node.Path, s.DestDir))
++ }
++ relabelPath = f.Node.Path[len(s.DestDir):]
++ }
+ if err := s.Logger.LogOp(
+ func() error { return u.PerformFetch(f) },
+ "writing unit %q at %q", unit.Name, f.Node.Path,
+ ); err != nil {
+ return err
+ }
+- s.relabel("/" + f.Node.Path)
++ s.relabel(relabelPath)
+
+ return nil
+ }, "processing unit %q", unit.Name)
+--
+2.20.1
+
diff --git a/ignition.spec b/ignition.spec
index 8f8cde8..b33a2b5 100644
--- a/ignition.spec
+++ b/ignition.spec
@@ -73,13 +73,15 @@ Name: ignition Version: 2.0.0 -Release: alpha.1.git%{shortcommit}%{?dist} +Release: alpha.2.git%{shortcommit}%{?dist} Summary: First boot installer and configuration tool License: ASL 2.0 and BSD URL: https://%{provider_prefix} Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz Source1: https://%{dracutprovider_prefix}/archive/%{dracutcommit}/%{dracutrepo}-%{dracutshortcommit}.tar.gz +Patch0: 0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch + # For RHEL7 we'll want to specify gopath and list of arches since there is no # gopath or go_arches macro. We'll also want to make sure we pull in golang # 1.10 require golang >= 1.10
@@ -339,6 +341,7 @@ This package contains a tool for validating Ignition configurations. # setup command reference: http://ftp.rpm.org/max-rpm/s1-rpm-inside-macros.html # unpack source0 and apply patches %setup -T -b 0 -q -n %{repo}-%{commit} +%patch0 -p1 # unpack source1 (dracut modules) %setup -T -D -a 1 -q -n %{repo}-%{commit}
@@ -485,6 +488,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %endif %changelog +* Wed Mar 27 2019 Benjamin Gilbert - 2.0.0-alpha.2.git906cf04 +- Backport fix for SELinux relabeling of systemd units + * Wed Mar 27 2019 Jonathan Lebon - 2.0.0-alpha.1.git906cf04 - New release 2.0.0-alpha - ignition-dracut: Go back to master branch