Merge pull request #577 from cgwalters/force-label-composefs

install: Explicitly label .ostree.cfs
containers · Jun 4, 2024 · e51bf9e · e51bf9e
2 parents 7cdb8de + 7ddd22b
commit e51bf9e
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -52,6 +52,8 @@ const BOOT: &str = "boot";
 const RUN_BOOTC: &str = "/run/bootc";
 /// This is an ext4 special directory we need to ignore.
 const LOST_AND_FOUND: &str = "lost+found";
+/// The filename of the composefs EROFS superblock; TODO move this into ostree
+const OSTREE_COMPOSEFS_SUPER: &str = ".ostree.cfs";
 /// The mount path for selinux
 #[cfg(feature = "install")]
 const SELINUXFS: &str = "/sys/fs/selinux";
@@ -684,6 +686,13 @@ async fn initialize_ostree_root_from_self(
             )
             .with_context(|| format!("Recursive SELinux relabeling of {d}"))?;
         }
+
+        if let Some(cfs_super) = root.open_optional(OSTREE_COMPOSEFS_SUPER)? {
+            let label = crate::lsm::require_label(policy, "/usr".into(), 0o644)?;
+            crate::lsm::set_security_selinux(cfs_super.as_fd(), label.as_bytes())?;
+        } else {
+            tracing::warn!("Missing {OSTREE_COMPOSEFS_SUPER}; composefs is not enabled?");
+        }
     }
 
     // Write the entry for /boot to /etc/fstab.  TODO: Encourage OSes to use the karg?