WORKAROUND: Add ostree selinux module to workaround issues with relab…

…eling permissions

When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc
from the initrd. This overlay mount will have the context kernel_t, meaning
that not only will an external process need to pass its selinux checks against
the overlay file, the overlay filesystem itself need to pass the selinux check
against the overlayfs upper/work dirs.

Unfortunately, even with a recent selinux-policy
(e.g. selinux-policy-38.1.23) the kernel_t type doesn't have right to
relabel files, nor the rights to manage device nodes so boot fails.

Makefile-decls.am

@@ -24,6 +24,7 @@ NULL =
 BUILT_SOURCES =
 MANPAGES =
 CLEANFILES =
+DISTCLEANFILES =
 EXTRA_DIST =
 bin_PROGRAMS =
 sbin_PROGRAMS =

Makefile-selinux.am

@@ -0,0 +1,18 @@
+if BUILD_SELINUX_MODULE
+selinux_moduledir = ${datadir}/selinux/packages
+selinux_module_DATA = $(NULL)
+
+ostree.pp.bz2: selinux/ostree.te selinux/ostree.fc selinux/build-selinux.sh
+	$(srcdir)/selinux/build-selinux.sh . $^
+
+selinux_module_DATA += ostree.pp.bz2
+endif
+
+EXTRA_DIST += \
+	selinux/build-selinux.sh \
+	selinux/ostree.te \
+	selinux/ostree.fc \
+	selinux/ostree.if \
+	$(NULL)
+
+DISTCLEANFILES += ostree.pp.bz2

Makefile.am

@@ -138,6 +138,7 @@ include Makefile-tests.am
 include Makefile-boot.am
 include Makefile-man.am
 include Makefile-bash.am
+include Makefile-selinux.am
 
 release-tag:
 	cd $(srcdir) && git $(srcdir) tag -m "Release $(VERSION)" v$(VERSION)

configure.ac

@@ -681,6 +681,17 @@ AM_COND_IF([BUILDOPT_IS_DEVEL_BUILD],
             release_build_type=release)
 OSTREE_FEATURES="$OSTREE_FEATURES $release_build_type"
 
+AC_ARG_ENABLE(selinux-module,
+        [AS_HELP_STRING([--enable-selinux-module],[Enable selinux module for system-helper])],
+        enable_selinux_module=$enableval, enable_selinux_module=auto)
+if test x$enable_selinux_module = xauto ; then
+   AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [enable_selinux_module=yes],  [enable_selinux_module=no])
+fi
+if test x$enable_selinux_module = xyes ; then
+   AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [],  [AC_MSG_ERROR([selinux-policy-devel needed to build selinux module])])
+fi
+AM_CONDITIONAL(BUILD_SELINUX_MODULE, test x$enable_selinux_module = xyes)
+
 # P2P API is public in OSTree >= 2018.6
 OSTREE_FEATURES="$OSTREE_FEATURES p2p"
 
@@ -722,6 +733,7 @@ echo "
     dracut:                                       $with_dracut
     mkinitcpio:                                   $with_mkinitcpio
     Static compiler for ostree-prepare-root:      $with_static_compiler
+    Build selinux module:                         $enable_selinux_module
     Composefs:                                    $with_composefs"
 AS_IF([test x$with_builtin_grub2_mkconfig = xyes], [
     echo "    builtin grub2-mkconfig (instead of system):   $with_builtin_grub2_mkconfig"

selinux/build-selinux.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+# Copyright 2023 Red Hat Inc.
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -x
+set -eu
+
+TMP=$(mktemp -d selinux-build-XXXXXX)
+output="$1"
+shift
+cp -- "$@" "$TMP/"
+
+make -C "$TMP" -f /usr/share/selinux/devel/Makefile ostree.pp
+bzip2 -9 "$TMP/ostree.pp"
+cp "$TMP/ostree.pp.bz2" "$output"
+rm -fr "$TMP"

selinux/ostree.if

@@ -0,0 +1 @@
+## <summary>selinux</summary>

selinux/ostree.te

@@ -0,0 +1,12 @@
+policy_module(ostree, 1.0)
+
+gen_require(`
+	type kernel_t;
+	attribute file_type;
+')
+
+# Work around issue with kernel_t not supporting relabelto/from and device node management
+
+files_relabel_all_files(kernel_t)
+manage_chr_files_pattern(kernel_t, file_type, file_type)
+manage_blk_files_pattern(kernel_t, file_type, file_type)