From c6cfe6c7df2cab0bf819772d54f8c4d404e0bca7 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Thu, 4 Aug 2022 14:14:18 -0400
Subject: [PATCH] Set EC2 cirrus-agent SELinux context to unconfined

Long ago, many test failures and other problems were experienced in Cirrus-CI managed google-cloud VMs. None of the problems were reproducible manually. It was discovered that because the cirrus agent starts from a metadata-downloaded script, it was executing with a more restrictive SELinux type. This is not the case when running tests manually, where root sshs in. It's been observed recently, a similar situation may be occurring in EC2. However, in this case, the agent is started by cloud-init, and was observed operating with the type `cloud_init_t`. In case this is the source of trouble now or in the future, fix the setup to match GCP.

Signed-off-by: Chris Evich
---
 base_images/fedora_base-setup.sh | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/base_images/fedora_base-setup.sh b/base_images/fedora_base-setup.sh
index 89f57f7e..41a3400f 100644
--- a/base_images/fedora_base-setup.sh
+++ b/base_images/fedora_base-setup.sh
@@ -75,15 +75,20 @@ if ! ((CONTAINER)); then
 # service must be labeled properly to ensure it's child processes can
 # run with the proper contexts.
 METADATA_SERVICE_CTX=unconfined_u:unconfined_r:unconfined_t:s0
- if [[ ! "$PACKER_BUILD_NAME" =~ "aws" ]]; then # GCP Image
+ if [[ "$PACKER_BUILD_NAME" =~ "aws" ]]; then
+ echo "Setting AWS startup service (for Cirrus-CI agent) SELinux unconfined"
+ # AWS relies on cloud-init to run a user-data startup script. Manual
+ # observation showed this happens in the cloud-final service.
+ METADATA_SERVICE_PATH=cloud-final.service
+ else # GCP Image
 echo "Setting GCP startup service (for Cirrus-CI agent) SELinux unconfined"
 # ref: https://cloud.google.com/compute/docs/startupscript
 METADATA_SERVICE_PATH=systemd/system/google-startup-scripts.service
- echo "$sourcemsg" | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
- sed -r -e \
- "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
- /lib/$METADATA_SERVICE_PATH | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
 fi
+ echo "$sourcemsg" | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
+ sed -r -e \
+ "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
+ /lib/$METADATA_SERVICE_PATH | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
 fi
 if [[ "$OS_RELEASE_ID" == "fedora" ]] && ((OS_RELEASE_VER>=33)); then
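Review bot: The new AWS branch sets `METADATA_SERVICE_PATH=cloud-final.service` without the `systemd/system/` prefix that the GCP value carries, so the shared lines moved after the inner `fi` append to `/etc/cloud-final.service` and read `/lib/cloud-final.service`, neither of which is a systemd unit location, meaning the relabel never reaches systemd and the sed input most likely does not exist; the fix is `METADATA_SERVICE_PATH=systemd/system/cloud-final.service`, matching the GCP branch. Because the `sed ... | $SUDO tee -a` pipeline hides a sed read failure unless `pipefail` is set earlier in the script, and sed silently emits an unchanged unit if `Type=oneshot` is absent, a guard such as `grep -q '^Type=oneshot' /lib/$METADATA_SERVICE_PATH || exit 1` before the pipeline would make a wrong path or unit shape fail the image build instead of passing quietly. Relabeling `cloud-final.service` as `unconfined_t` applies to every cloud-init final-stage module and user-data script, not only the Cirrus agent, which deserves a comment on the AWS branch, e.g. `# NOTE: this unconfines all of cloud-final, not just the agent`. The enclosing `if ! ((CONTAINER))` block begins before the hunk.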