Merge remote-tracking branch 'origin/pr/343'

* origin/pr/343: (53 commits)
  Allow init_t and unconfined_service_t to transition to anything
  Allow 'xl devd' to get information about all block devices
  Make SELinux permissive if not yet relabeled
  Fix Debian build
  Drop SELinux on Debian
  Add missing build deps
  Enable SELinux in Debian build
  shut up shellcheck
  Try to get SELinux policy working for Debian
  minor cleanups
  Debian fix
  Fix bogus sed call
  Debug stuff
  Avoid unbootable system
  Try to fix autorelabel
  Enable SELinux when installing policy
  Do not install SELinux stuff with SELinux disabled
  Move SELinux stuff to its package
  Mark a bunch of packages as noarch
  Revert "Require relabeling for boot to succeed"
  ...

Makefile

@@ -8,10 +8,26 @@ release := $(shell lsb_release -is)
 
 # This makefile uses some bash-isms, make uses /bin/sh by default.
 SHELL = /bin/bash
+selinux_policies ::= qubes-qfile-unpacker.pp qubes-xendriverdomain.pp \
+	qubes-misc.pp
 
 all:
 	$(MAKE) -C misc VERSION=$(VERSION)
 	$(MAKE) -C qubes-rpc
+ifdef ENABLE_SELINUX
+ifeq ($(ENABLE_SELINUX),1)
+	$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile -- $(selinux_policies)
+
+install-rh: install-selinux
+install-deb: install-selinux
+
+install-selinux:
+	install -D -m 0644 -t $(DESTDIR)/usr/share/selinux/packages -- $(patsubst %,selinux/%,$(selinux_policies))
+.PHONY: install-selinux
+else ifneq ($(ENABLE_SELINUX),0)
+$(error bad value for $$(ENABLE_SELINUX))
+endif
+endif
 
 clean:
 	make -C misc clean
@@ -38,6 +54,9 @@ SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service [email protected]
 SYSTEM_DROPINS += systemd-timesyncd.service
 SYSTEM_DROPINS += systemd-logind.service
+ifeq ($(ENABLE_SELINUX),1)
+SYSTEM_DROPINS += selinux-autorelabel.target selinux-autorelabel.service
+endif
 
 SYSTEM_DROPINS_NETWORKING := NetworkManager.service NetworkManager-wait-online.service
 SYSTEM_DROPINS_NETWORKING += tinyproxy.service
@@ -57,7 +76,7 @@ ifeq ($(release),Ubuntu)
 
 # Debian Dropins
 else ifeq ($(release), Debian)
-    # 'crond.service' is named 'cron.service in Debian
+    # 'crond.service' is named 'cron.service' in Debian
     SYSTEM_DROPINS := $(strip $(patsubst crond.service, cron.service, $(SYSTEM_DROPINS)))
 
     # Wheezy System Dropins
@@ -104,6 +123,9 @@ install-init:
 	# since those scripts are shared between sysvinit and systemd.
 	install -m 0755 init/*.sh vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
+ifneq ($(ENABLE_SELINUX),1)
+	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-root.sh
+endif
 
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service) vm-systemd/dev-xvdc1-swap.service

debian/control

@@ -172,4 +172,11 @@ Description: Passwordless root access from normal user
  Configure sudo, PolicyKit and similar tool to not ask for any password when
  switching from user to root. Since all the user data in a VM is accessible
  already from normal user account, there is not much more to guard there. Qubes
- VM is a single user system.
+ VMs are single user systems.
+
+Package: qubes-core-agent-selinux
+Architecture: any
+Depends: selinux-policy-default
+Description: SELinux policy for Qubes VMs
+ SELinux policy for the Qubes VM tools.  This allows the Qubes VM tools to run in
+ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.

debian/qubes-core-agent.install

@@ -85,6 +85,8 @@ lib/systemd/system/dev-xvdc1-swap.service
 lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
+lib/systemd/system/qubes-relabel-root.service
+lib/systemd/system/qubes-relabel-rw.service
 lib/systemd/system/qubes-rootfs-resize.service
 lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service

debian/qubes-core-agent.postinst

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash --
 # postinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
@@ -20,18 +20,18 @@ set -e
 # the debian-policy package
 
 
-debug() {
+debug () {
     if [ "${DEBDEBUG}" == "1" ]; then
         echo -e "$@"
     fi
 }
 
 # FIXME: add user units support to is_static()/is_masked()/mask()/unmask() functions
-is_static() {
+is_static () {
     [ -f "/lib/systemd/system/$1" ] && ! grep -q '^[[].nstall]' "/lib/systemd/system/$1"
 }
 
-is_masked() {
+is_masked () {
     if [ ! -L /etc/systemd/system/"$1" ]
     then
        return 1
@@ -44,19 +44,19 @@ is_masked() {
     return 1
 }
 
-mask() {
+mask () {
     ln -sf /dev/null /etc/systemd/system/"$1"
 }
 
-unmask() {
+unmask () {
     if ! is_masked "$1"
     then
         return 0
     fi
     rm -f /etc/systemd/system/"$1"
 }
 
-preset_units() {
+preset_units () {
     local represet=
     # shellcheck disable=SC2206
     local extra_opts=( $3 )
@@ -97,7 +97,7 @@ preset_units() {
     systemctl daemon-reload
 }
 
-installSerialConf() {
+installSerialConf () {
     debug "Installing over-ridden serial.conf init script..."
     if [ -e /etc/init/serial.conf ]; then
         cp /usr/share/qubes/serial.conf /etc/init/serial.conf
@@ -117,21 +117,22 @@ case "${1}" in
 
             # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
             # in the form expected by qubes-sysinit.sh
+            hostname=$(hostname)
             if ! is_protected_file /etc/hostname ; then
                 for ip in '127\.0\.1\.1' '::1'; do
                     if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
-                        sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts || true
-                        sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts || true
+                        sed -i "/^${ip}\s/,+0s/\(\s$hostname\)\+\(\s\|$\)/\2/g" /etc/hosts || true
+                        sed -i "s/^${ip}\(\s\|$\).*$/\0 $hostname/" /etc/hosts || true
                     else
-                        echo "${ip//\\/} $(hostname)" >> /etc/hosts || true
+                        echo "${ip//\\/} $hostname" >> /etc/hosts || true
                     fi
                 done
             fi
 
             # remove hostname from 127.0.0.1 line (in debian the hostname is by default
             # resolved to 127.0.1.1)
             if ! is_protected_file /etc/hosts ; then
-                sed -i "/^127\.0\.0\.1\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts || true
+                sed -i "/^127\.0\.0\.1\s/,+0s/\(\s$hostname\)\+\(\s\|$\)/\2/g" /etc/hosts || true
             fi
 
             # Set default "runlevel"

debian/rules

@@ -12,10 +12,10 @@ export DESTDIR=$(shell pwd)/debian/tmp
 	dh $@ --with systemd,python3 --with=config-package
 
 override_dh_auto_build:
-	make all
+	make all ENABLE_SELINUX=0
 
 override_dh_auto_install:
-	make install-deb
+	make install-deb ENABLE_SELINUX=0
 	make -C app-menu install
 	make -C config-overrides install
 	make -C filesystem install

init/functions

@@ -173,6 +173,7 @@ initialize_home() {
     local homedir_gid
     local waitpid
     local waitpids
+    local enable_selinux
 
     home_root="$1"
     mode="$2"
@@ -202,7 +203,8 @@ initialize_home() {
         if ! test -d "$home_root/$homedirwithouthome" || [ "$mode" = "unconditionally" ] ; then
             echo "initialize_home: populating $mode $home_root/$homedirwithouthome from /etc/skel" >&2
             mkdir -p "$home_root/$homedirwithouthome"
-            cp -af -T /etc/skel "$home_root/$homedirwithouthome"
+            if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
+            cp "-af$enable_selinux" -T /etc/skel "$home_root/$homedirwithouthome"
             echo "initialize_home: adjusting permissions $mode on $home_root/$homedirwithouthome" >&2
             chown -R "$uid" "$home_root/$homedirwithouthome" &
             waitpids="$!"

init/relabel-root.sh

@@ -0,0 +1,9 @@
+#!/bin/sh --
+set -eu
+# shellcheck disable=SC1091
+. /etc/selinux/config
+echo 0 > /sys/fs/selinux/enforce
+setfiles -r /mnt -- "/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts" /mnt
+touch /.qubes-relabeled
+rm -f /.autorelabel
+systemctl --force poweroff