core: Convert path to ostree convention when deleting

E.g. we currently process all files under `/var/lib/selinux/targeted` as going into `/usr/etc/selinux/targeted` instead. But the rpmdb doesn't know that. So we need to do the translation even when deleting. Another notable dir which falls in that bucket is `/boot`. Fixes: #3421
coreos · Sep 15, 2023 · 122e0ac · 122e0ac
1 parent 39df152
commit 122e0ac
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/src/libpriv/rpmostree-core.cxx b/src/libpriv/rpmostree-core.cxx
@@ -3050,19 +3050,17 @@ delete_package_from_root (RpmOstreeContext *self, rpmte pkg, int rootfs_dfd, GHa
       fn += strspn (fn, "/");
       g_assert (fn[0]);
 
-      g_autofree char *fn_owned = NULL;
-      /* Handle ostree's /usr/etc */
-      if (g_str_has_prefix (fn, "etc/"))
-        fn = fn_owned = g_strconcat ("usr/", fn, NULL);
-      else
-        {
-          /* Otherwise be sure we've canonicalized usr/ */
-          fn_owned = canonicalize_non_usrmove_path (self, fn);
-          if (fn_owned)
-            fn = fn_owned;
-        }
+      /* Be sure we've canonicalized usr/ */
+      g_autofree char *fn_owned = canonicalize_non_usrmove_path (self, fn);
+      if (fn_owned)
+        fn = fn_owned;
       (void)fn_owned; /* Pacify static analysis */
 
+      /* Convert to ostree convention. */
+      auto translated = rpmostreecxx::translate_path_for_ostree (fn);
+      if (translated.size () != 0)
+        fn = translated.c_str ();
+
       /* for now, we only remove files from /usr */
       if (!g_str_has_prefix (fn, "usr/"))
         continue;

diff --git a/tests/vmcheck/test-override-replace-2.sh b/tests/vmcheck/test-override-replace-2.sh
@@ -143,3 +143,27 @@ new_root=$(vm_get_deployment_root 0)
 vm_cmd grep ' /var/pkg-with-different-var ' "${new_root}/usr/lib/tmpfiles.d/pkg-pkg-with-var.conf"
 vm_rpmostree cleanup -p
 echo "ok override replace deletes tmpfiles.d dropin"
+
+# https://github.com/coreos/rpm-ostree/issues/3421
+# Test that we can override selinux; we use the "gold"
+# selinux because we know it won't be GC'd.  Use e.g.
+# `koji latest-pkg f38 selinux-policy`
+# to find this.  (In contrast, koji latest-pkg f38-updates selinux-policy
+# will get the latest updates).
+versionid=$(vm_cmd grep -E '^VERSION_ID=' /etc/os-release)
+versionid=${versionid:11} # trim off VERSION_ID=
+vm_cmd rpm-ostree db list "$(vm_get_deployment_info 0 checksum)" > current-dblist.txt
+case $versionid in
+  # XXX: this isn't actually the gold selinux; that one is too old for
+  # container-selinux and moby-engine. rather than trying to change multiple
+  # packages, we use one that's in coreos-pool since that also prevents GC
+  38)
+    evr=38.25-1.fc38
+    koji_url=https://koji.fedoraproject.org/koji/buildinfo?buildID=2274128
+    ;;
+  *) assert_not_reached "Unsupported Fedora version: $versionid";;
+esac
+assert_not_file_has_content current-dblist.txt selinux-policy-$evr
+vm_rpmostree override replace "${koji_url}"
+vm_rpmostree cleanup -p
+echo "ok override replace selinux-policy-targeted"