Jonathan Lebon 2018-11-02 11:56:18 -04:00
parent 3ce3a4b5d5
commit d8a5bf5d7a
2 changed files with 98 additions and 1 deletions


@ -0,0 +1,93 @@
From 62a3ffcb42d9af23715f21a8c9b5d688c31c999d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 2 Nov 2018 11:46:26 -0400
Subject: [PATCH] compose: Don't require SELinux policy in legacy path
In #1630, we lowered SELinux policy loading into the core. However, this
also enabled SELinux policy loading from the host system even in the
legacy (non-unified) compose path. This meant that compose systems now
needed to have the policy installed even though we didn't need it at
all. This caused regressions in pungi:
https://pagure.io/dusty/failed-composes/issue/956
Just make the binding of the "selinux" member conditional on whether or
not we're in unified mode (which is really when we even care about
having it loaded from the start for pkgcache purposes).
Closes: #1656
Approved by: cgwalters
---
src/app/rpmostree-compose-builtin-tree.c | 1 +
src/app/rpmostree-composeutil.c | 16 ++++++++++++++--
src/app/rpmostree-composeutil.h | 1 +
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/app/rpmostree-compose-builtin-tree.c b/src/app/rpmostree-compose-builtin-tree.c
index 620fa36..4e9d45c 100644
--- a/src/app/rpmostree-compose-builtin-tree.c
+++ b/src/app/rpmostree-compose-builtin-tree.c
@@ -576,6 +576,7 @@ rpm_ostree_compose_context_new (const char *treefile_pathstr,
self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
self->treefile_rs,
self->treefile,
+ opt_unified_core,
error);
if (!self->treespec)
return FALSE;
diff --git a/src/app/rpmostree-composeutil.c b/src/app/rpmostree-composeutil.c
index 820ecfd..621bc85 100644
--- a/src/app/rpmostree-composeutil.c
+++ b/src/app/rpmostree-composeutil.c
@@ -241,6 +241,7 @@ RpmOstreeTreespec *
rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
RORTreefile *treefile_rs,
JsonObject *treedata,
+ gboolean bind_selinux,
GError **error)
{
GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error);
@@ -255,8 +256,6 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
return FALSE;
if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error))
return FALSE;
- if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
- return FALSE;
if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error))
return FALSE;
{ const char *releasever;
@@ -267,6 +266,19 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
g_key_file_set_string (treespec, "tree", "releasever", releasever);
}
+ if (bind_selinux)
+ {
+ if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
+ return FALSE;
+ }
+ else
+ {
+ /* In the legacy compose path, we don't want to use any of the core's selinux stuff,
+ * e.g. importing, relabeling, etc... so just disable it. We do still set the policy
+ * to the final one right before commit as usual. */
+ g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);
+ }
+
const char *input_ref = NULL;
if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error))
return FALSE;
diff --git a/src/app/rpmostree-composeutil.h b/src/app/rpmostree-composeutil.h
index e3e64c6..3d91f58 100644
--- a/src/app/rpmostree-composeutil.h
+++ b/src/app/rpmostree-composeutil.h
@@ -47,6 +47,7 @@ RpmOstreeTreespec *
rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
RORTreefile *treefile_rs,
JsonObject *treedata,
+ gboolean bind_selinux,
GError **error);
GHashTable *
--
2.17.1
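Review bot: In the `else` branch added to `rpmostree_composeutil_get_treespec`, the treespec key is forced to `FALSE` whatever the treefile's "selinux" member says, so whether a legacy compose ends up labeled now rests entirely on the "right before commit" policy step, which is outside this patch. A regression test for the non-unified path that checks the committed tree still carries SELinux labels when the treefile leaves "selinux" at its default would pin that down; it would presumably also be worth confirming that a treefile with `"selinux": false` is still honoured by that later step. The new `bind_selinux` argument is undocumented in rpmostree-composeutil.h; I would add a comment above the prototype such as `/* bind_selinux: pass TRUE only for unified-core composes; when FALSE, "selinux" is forced off in the treespec and labeling is left to the legacy commit step */`. The function body starts and ends outside these hunks.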


@ -14,7 +14,7 @@
Summary: Hybrid image/package system Summary: Hybrid image/package system
Name: rpm-ostree Name: rpm-ostree
Version: 2018.9 Version: 2018.9
Release: 2%{?dist} Release: 3%{?dist}
#VCS: https://github.com/cgwalters/rpm-ostree #VCS: https://github.com/cgwalters/rpm-ostree
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
# in the upstream git. If rust is enabled, it contains vendored sources. # in the upstream git. If rust is enabled, it contains vendored sources.
@ -23,6 +23,7 @@ License: LGPLv2+
URL: https://github.com/projectatomic/rpm-ostree URL: https://github.com/projectatomic/rpm-ostree
Patch0: 0001-rust-Drop-crates-io-patch-and-use-0.4.0.patch Patch0: 0001-rust-Drop-crates-io-patch-and-use-0.4.0.patch
Patch1: 0001-compose-Don-t-require-SELinux-policy-in-legacy-path.patch
%if %{with rust} %if %{with rust}
%if !%{defined rust_arches} %if !%{defined rust_arches}
@ -201,6 +202,9 @@ $PYTHON autofiles.py > files.devel \
%files devel -f files.devel %files devel -f files.devel
%changelog %changelog
* Fri Nov 02 2018 Jonathan Lebon <jonathan@jlebon.com> - 2018.9-3
- Backport patch for https://pagure.io/dusty/failed-composes/issue/956
* Tue Oct 30 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2018.9-2 * Tue Oct 30 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2018.9-2
- Rebuild for libsolv 0.7 - Rebuild for libsolv 0.7