From 479050e7540dc90de9ec6f49960b98e095537224 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Wed, 2 Nov 2022 12:19:09 -0400
Subject: [PATCH] libpriv/postprocess: work around semanage bug

There is a bug in the latest semanage code which causes an invocation of
`semodule --rebuild-if-modules-changed` to still write a policy even
though nothing changed since a full policy build. On FCOS and RHCOS,
this bug is triggered as early as `ostree admin deploy` in cosa when
creating the disk images. This results in shipping images with a policy
diff baked in.

Hack around this by immediately rerunning
`semodule --rebuild-if-modules-changed` after building the policy.

Fixes: https://github.com/openshift/os/issues/1036
---
 src/libpriv/rpmostree-postprocess.cxx | 20 +++++++++++++++-----
 tests/kolainst/nondestructive/misc.sh |  5 +++++
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
index fc5c3cb038..bfadaa73dd 100644
--- a/src/libpriv/rpmostree-postprocess.cxx
+++ b/src/libpriv/rpmostree-postprocess.cxx
@@ -387,11 +387,21 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
     {
       g_print ("Recompiling policy\n");
 
-      /* Now regenerate SELinux policy so that postprocess scripts from users and from us
-       * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
-      rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
-      ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
-                  error);
+      {
+        /* Now regenerate SELinux policy so that postprocess scripts from users and from us
+         * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
+        rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
+        ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
+                    error);
+      }
+
+      /* Temporary workaround for https://github.com/openshift/os/issues/1036. */
+      {
+        rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-n"),
+                                 rust::String ("--rebuild-if-modules-changed") };
+        ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
+                    error);
+      }
     }
 
   auto container = treefile.get_container ();
diff --git a/tests/kolainst/nondestructive/misc.sh b/tests/kolainst/nondestructive/misc.sh
index f98a13f043..e43dc87de1 100755
--- a/tests/kolainst/nondestructive/misc.sh
+++ b/tests/kolainst/nondestructive/misc.sh
@@ -7,6 +7,11 @@ cd $(mktemp -d)
 libtest_prepare_offline
 libtest_enable_repover 0
 
+# Sanity-check the policy isn't marked as modified
+if ostree admin config-diff | grep 'selinux/targeted/policy'; then
+    assert_not_reached "selinux policy is marked as modified"
+fi
+
 # Ensure multicall is correctly set up and working.
 R_O_DIGEST=$(sha512sum $(which rpm-ostree) | cut -d' ' -f1)
 O_C_DIGEST=$(sha512sum $(which /usr/libexec/libostree/ext/ostree-container) | cut -d' ' -f1)