diff --git a/lib/src/install.rs b/lib/src/install.rs index 29e747081..cdf36a9f0 100644 --- a/lib/src/install.rs +++ b/lib/src/install.rs @@ -45,6 +45,7 @@ use serde::{Deserialize, Serialize}; use self::baseline::InstallBlockDeviceOpts; use crate::containerenv::ContainerExecutionInfo; +use crate::lsm; use crate::mount::Filesystem; use crate::spec::ImageReference; use crate::store::Storage; @@ -525,15 +526,9 @@ impl SourceInfo { Self::new(imageref, None, root, false, false) } - /// Construct a new source information structure - fn new( - imageref: ostree_container::ImageReference, - digest: Option, - root: &Dir, - in_host_mountns: bool, - have_host_container_storage: bool, - ) -> Result { + fn have_selinux_from_repo(root: &Dir) -> Result { let cancellable = ostree::gio::Cancellable::NONE; + let commit = Task::new("Reading ostree commit", "ostree") .args(["--repo=/ostree/repo", "rev-parse", "--single"]) .quiet() @@ -545,7 +540,22 @@ impl SourceInfo { .0; let root = root.downcast_ref::().unwrap(); let xattrs = root.xattrs(cancellable)?; - let selinux = crate::lsm::xattrs_have_selinux(&xattrs); + Ok(crate::lsm::xattrs_have_selinux(&xattrs)) + } + + /// Construct a new source information structure + fn new( + imageref: ostree_container::ImageReference, + digest: Option, + root: &Dir, + in_host_mountns: bool, + have_host_container_storage: bool, + ) -> Result { + let selinux = if Path::new("/ostree/repo").try_exists()? { + Self::have_selinux_from_repo(root)? + } else { + lsm::have_selinux_policy(root)? + }; Ok(Self { imageref, digest, diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs index d801a8f88..f58ec94f5 100644 --- a/lib/src/lsm.rs +++ b/lib/src/lsm.rs @@ -98,6 +98,12 @@ pub(crate) fn selinux_ensure_install() -> Result { Err(anyhow::Error::msg(cmd.exec()).context("execve")) } +/// Query whether SELinux is apparently enabled in the target root +pub(crate) fn have_selinux_policy(root: &Dir) -> Result { + // TODO use ostree::SePolicy and query policy name + root.try_exists("etc/selinux/config").map_err(Into::into) +} + /// A type which will reset SELinux back to enforcing mode when dropped. /// This is a workaround for the deep difficulties in trying to reliably /// gain the `mac_admin` permission (install_t).