Backport fix for SELinux relabeling of systemd units

2019-03-27 18:27:16 -04:00 · 2019-03-27 18:27:16 -04:00 · edf3b2635a
commit edf3b2635a
parent 0b9a765df3
2 changed files with 84 additions and 1 deletions
--- a/0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
+++ b/0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
@ -0,0 +1,77 @@
+From 5d57d6107a56fecfe9b6c8bb1a06f2dd1889a7e0 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@redhat.com>
+Date: Wed, 27 Mar 2019 17:29:15 -0400
+Subject: [PATCH] stages/files: fix unit relabeling to exclude DestDir
+
+Non-runtime units and dropins need to be relabeled relative to DestDir,
+since relabeling happens in the real root.
+
+e42ecb08f9b5 addressed this for files.
+---
+ internal/exec/stages/files/units.go | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/internal/exec/stages/files/units.go b/internal/exec/stages/files/units.go
+index 98c0797..c73141c 100644
+--- a/internal/exec/stages/files/units.go
+++ b/internal/exec/stages/files/units.go
+@@ -15,7 +15,9 @@
+ package files
+ 
+ import (
+	"fmt"
+ 	"path/filepath"
+	"strings"
+ 
+ 	"github.com/coreos/ignition/config/v3_0/types"
+ 	"github.com/coreos/ignition/internal/distro"
+@@ -85,6 +87,14 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
+ 				s.Logger.Crit("error converting systemd dropin: %v", err)
+ 				return err
+ 			}
+			relabelPath := f.Node.Path
+			if !runtime {
+				// trim off prefix since this needs to be relative to the sysroot
+				if !strings.HasPrefix(f.Node.Path, s.DestDir) {
+					panic(fmt.Sprintf("Dropin path %s isn't under prefix %s", f.Node.Path, s.DestDir))
+				}
+				relabelPath = f.Node.Path[len(s.DestDir):]
+			}
+ 			if err := s.Logger.LogOp(
+ 				func() error { return u.PerformFetch(f) },
+ 				"writing systemd drop-in %q at %q", dropin.Name, f.Node.Path,
+@@ -92,7 +102,7 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
+ 				return err
+ 			}
+ 			if !relabeledDropinDir {
+-				s.relabel(filepath.Dir("/" + f.Node.Path))
+				s.relabel(filepath.Dir(relabelPath))
+ 				relabeledDropinDir = true
+ 			}
+ 		}
+@@ -106,13 +116,21 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
+ 			s.Logger.Crit("error converting unit: %v", err)
+ 			return err
+ 		}
+		relabelPath := f.Node.Path
+		if !runtime {
+			// trim off prefix since this needs to be relative to the sysroot
+			if !strings.HasPrefix(f.Node.Path, s.DestDir) {
+				panic(fmt.Sprintf("Unit path %s isn't under prefix %s", f.Node.Path, s.DestDir))
+			}
+			relabelPath = f.Node.Path[len(s.DestDir):]
+		}
+ 		if err := s.Logger.LogOp(
+ 			func() error { return u.PerformFetch(f) },
+ 			"writing unit %q at %q", unit.Name, f.Node.Path,
+ 		); err != nil {
+ 			return err
+ 		}
+-		s.relabel("/" + f.Node.Path)
+		s.relabel(relabelPath)
+ 
+ 		return nil
+ 	}, "processing unit %q", unit.Name)
+-- 
+2.20.1
+
--- a/ignition.spec
+++ b/ignition.spec
@ -73,13 +73,15 @@

 Name:           ignition
 Version:        2.0.0
-Release:        alpha.1.git%{shortcommit}%{?dist}
+Release:        alpha.2.git%{shortcommit}%{?dist}
 Summary:        First boot installer and configuration tool
 License:        ASL 2.0 and BSD
 URL:            https://%{provider_prefix}
 Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
 Source1:        https://%{dracutprovider_prefix}/archive/%{dracutcommit}/%{dracutrepo}-%{dracutshortcommit}.tar.gz

+Patch0:         0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
+
 # For RHEL7 we'll want to specify gopath and list of arches since there is no
 # gopath or go_arches macro.  We'll also want to make sure we pull in golang
 # 1.10 require golang >= 1.10
@ -339,6 +341,7 @@ This package contains a tool for validating Ignition configurations.
 # setup command reference: http://ftp.rpm.org/max-rpm/s1-rpm-inside-macros.html
 # unpack source0 and apply patches
 %setup -T -b 0 -q -n %{repo}-%{commit}
+%patch0 -p1

 # unpack source1 (dracut modules)
 %setup -T -D -a 1 -q -n %{repo}-%{commit}
@ -485,6 +488,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %endif

 %changelog
+* Wed Mar 27 2019 Benjamin Gilbert <bgilbert@backtick.net> - 2.0.0-alpha.2.git906cf04
+- Backport fix for SELinux relabeling of systemd units
+
 * Wed Mar 27 2019 Jonathan Lebon <jonathan@jlebon.com> - 2.0.0-alpha.1.git906cf04
 - New release 2.0.0-alpha
 - ignition-dracut: Go back to master branch