Only set --security-label if the filesystem was relabeled
Otherwise we run into virtiofsd errors when operating on non-relabeled
directories with --security-label enabled.
DaanDeMeyer committed Jan 9, 2024
1 parent 67ba3bf commit 61d7b23
Showing 3 changed files with 30 additions and 20 deletions.
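--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -44,6 +44,7 @@
 parse_config,
 summary,
 yes_no,
+want_selinux_relabel,
 )
 from mkosi.context import Context
 from mkosi.distributions import Distribution
@@ -2354,25 +2355,7 @@ def run_firstboot(context: Context) -> None:
 
 
 def run_selinux_relabel(context: Context) -> None:
-if context.config.selinux_relabel == ConfigFeature.disabled:
-return
-
-selinux = context.root / "etc/selinux/config"
-if not selinux.exists():
-if context.config.selinux_relabel == ConfigFeature.enabled:
-die("SELinux relabel is requested but could not find selinux config at /etc/selinux/config")
-return
-
-policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"],
-sandbox=context.sandbox(options=["--ro-bind", selinux, selinux]),
-stdout=subprocess.PIPE).stdout.strip()
-if not policy:
-if context.config.selinux_relabel == ConfigFeature.enabled:
-die("SELinux relabel is requested but no selinux policy is configured in /etc/selinux/config")
-return
-
-if not find_binary("setfiles", root=context.config.tools()):
-logging.info("setfiles is not installed, not relabeling files")
+if not (policy := want_selinux_relabel(context.config, context.root)):
 return
 
 fc = context.root / "etc/selinux" / policy / "contexts/files/file_contexts"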
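Review bot: run_selinux_relabel is left without a docstring now that its preconditions moved into want_selinux_relabel, and the walrus on the new `if not (policy := ...)` line hides that `policy` is the SELINUXTYPE string the rest of the body turns into a path component (`etc/selinux/<policy>/contexts/files/file_contexts`). A one-line docstring such as `"""Run setfiles over context.root with the policy want_selinux_relabel() found; no-op when relabeling is disabled, unconfigured or setfiles is missing."""` would keep that readable for the next maintainer. The body of run_selinux_relabel continues past the end of this hunk.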
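--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -3561,3 +3561,29 @@ def json_transformer(key: str, val: Any) -> Any:
 return val
 
 return json_transformer
+
+
+def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[str]:
+if config.selinux_relabel == ConfigFeature.disabled:
+return None
+
+selinux = root / "etc/selinux/config"
+if not selinux.exists():
+if fatal and config.selinux_relabel == ConfigFeature.enabled:
+die("SELinux relabel is requested but could not find selinux config at /etc/selinux/config")
+return None
+
+policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"],
+sandbox=config.sandbox(options=["--ro-bind", selinux, selinux]),
+stdout=subprocess.PIPE).stdout.strip()
+if not policy:
+if fatal and config.selinux_relabel == ConfigFeature.enabled:
+die("SELinux relabel is requested but no selinux policy is configured in /etc/selinux/config")
+return None
+
+if not find_binary("setfiles", root=config.tools()):
+if fatal:
+logging.info("setfiles is not installed, not relabeling files")
+return None
+
+return policy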
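Review bot: The policy lookup on the `run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"], ...)` lines sources the tree's /etc/selinux/config as shell, so anything in that file executes (inside the sandbox, which bounds the effect) — and with the new `fatal=False` call site this now runs for whatever directory start_virtiofsd is handed, not only a root mkosi just built. The file is a KEY=VALUE list, so extracting SELINUXTYPE with a few lines of Python avoids the shell and the subprocess, reading it unsandboxed is consistent with the `selinux.exists()` check that already runs that way, and since the caller in mkosi/__init__.py uses the value as a path component it is worth rejecting one containing a separator. `fatal` should also be keyword-only (`*, fatal: bool = True`), which both call sites in this commit already satisfy, and the function needs a docstring explaining its tri-state return (policy name, or None when disabled, unconfigured or setfiles is missing, with the die/log side effects only when `fatal`).
```python
def want_selinux_relabel(config: Config, root: Path, *, fatal: bool = True) -> Optional[str]:
    """Return the SELINUXTYPE policy name if root should be relabeled, else None.

    None means relabeling is disabled, /etc/selinux/config is missing or names no
    policy, or setfiles is unavailable; with fatal=True the missing/empty cases die
    when selinux_relabel is explicitly enabled and the setfiles case is logged.
    """
    # … unchanged: disabled check and selinux.exists() check …
    policy = ""
    for line in selinux.read_text().splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SELINUXTYPE":
            policy = value.strip().strip("\"'")
    # The name becomes a path component under etc/selinux/, so refuse anything that
    # could escape that directory.
    if policy and ("/" in policy or policy in (".", "..")):
        if fatal:
            die(f"Invalid SELINUXTYPE {policy!r} in /etc/selinux/config")
        return None
    # … unchanged: empty-policy check, setfiles check, return policy …
```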
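--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -30,6 +30,7 @@
 QemuFirmware,
 QemuVsockCID,
 format_bytes,
+want_selinux_relabel,
 )
 from mkosi.log import die
 from mkosi.partition import finalize_root, find_partitions
@@ -326,7 +327,7 @@ def start_virtiofsd(config: Config, directory: Path, *, uidmap: bool) -> Iterato
 "--sandbox=chroot",
 ]
 
-if not uidmap:
+if not uidmap and want_selinux_relabel(config, directory, fatal=False):
 cmdline += ["--security-label"]
 
 # We create the socket ourselves and pass the fd to virtiofsd to avoid race conditions where we start qemu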
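Review bot: The new condition asks want_selinux_relabel() whether `directory` *would* be relabeled (feature not disabled, /etc/selinux/config present with a SELINUXTYPE, setfiles found in the tools tree at VM start), not whether it *was*, which is what the commit title promises. If relabeling was skipped at build time, or `directory` is not the tree mkosi built — inferred, since start_virtiofsd's callers are outside the hunk — the two can disagree and virtiofsd still receives `--security-label` for an unlabeled tree, the very failure this change is meant to avoid. A comment on the new line would at least record the intent and the approximation: `# virtiofsd fails on unlabeled trees with --security-label, so only pass it when the tree would have been relabeled at build time (best effort: this re-derives the decision rather than checking the labels).`. start_virtiofsd begins before this hunk.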

0 comments on commit 61d7b23

Please sign in to comment.