From bece9bc73f09586476e56c5173766d7eb4563d4f Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Sat, 30 Dec 2023 21:24:21 -0500
Subject: [PATCH 1/3] fix(-dx): Workaround swtpm SELinux issues swtpm has the wrong SELinux labels. You This is a deficiency with the OCI build process for ostree. Libvirt is shipped with -dx image. This pulls in swtpm. On the discord there has been numerous callouts to issues with swtpm being broken. This should be a sufficient workaround for the time being. Compared to my original implementation, I've changed the binary location from /usr/local/bin to /tmp and using a tmpfile to create the required directory for the swtpm-rootca. swtpm is only 42K and we do not set noexec on tmp.
---
 Containerfile | 1 +
 dx/usr/bin/swtpm-workaround | 11 +++++++++++
 dx/usr/lib/systemd/system/swtpm-workaround.service | 11 +++++++++++
 dx/usr/lib/tmpfiles.d/swtpm-workaround.conf | 1 +
 4 files changed, 24 insertions(+)
 create mode 100755 dx/usr/bin/swtpm-workaround
 create mode 100644 dx/usr/lib/systemd/system/swtpm-workaround.service
 create mode 100644 dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
diff --git a/Containerfile b/Containerfile
index 370a5cb474f..c4f63f0fab4 100644
--- a/Containerfile
+++ b/Containerfile
@@ -158,6 +158,7 @@ RUN wget https://raw.githubusercontent.com/ahmetb/kubectx/master/kubectx -O /usr
 # Set up services
 RUN systemctl enable docker.service && \
 systemctl enable podman.socket && \
+ systemctl enable swtpm-workaround.service && \
 systemctl disable pmie.service && \
 systemctl disable pmlogger.service
diff --git a/dx/usr/bin/swtpm-workaround b/dx/usr/bin/swtpm-workaround
new file mode 100755
index 00000000000..308365bc9d0
--- /dev/null
+++ b/dx/usr/bin/swtpm-workaround
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# Copy swtpm to someplace mutable
+cp /usr/bin/swtpm /tmp/swtpm
+
+# Bind mount it over so it is in the correct location
+mount --bind /tmp/swtpm /usr/bin/swtpm
+
+# Fix SELinux labels
+semanage fcontext -a -t swtpm_exec_t "/usr/bin/swtpm"
+restorecon /usr/bin/swtpm
diff --git a/dx/usr/lib/systemd/system/swtpm-workaround.service b/dx/usr/lib/systemd/system/swtpm-workaround.service
new file mode 100644
index 00000000000..acfea1fa77f
--- /dev/null
+++ b/dx/usr/lib/systemd/system/swtpm-workaround.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Workaround swtpm not having the correct label
+ConditionFileIsExecutable=/usr/bin/swtpm
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/swtpm-workaround
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
new file mode 100644
index 00000000000..6b2676a03a6
--- /dev/null
+++ b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
@@ -0,0 +1 @@
+d /var/lib/swtpm-rootca 0750 root tss - -
\ No newline at end of file
From 67b36aa6453f7cc3ef8f99ab73a6d6f767a30a01 Mon Sep 17 00:00:00 2001
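Review bot: The copy target `/tmp/swtpm` is a fixed, predictable name in a world-writable directory, and the script then bind-mounts that file over /usr/bin/swtpm without checking who owns it; if an unprivileged user can create `/tmp/swtpm` (or a symlink there) before the unit runs, `cp` can end up writing into a file that user controls, and that is the binary libvirt will later launch as swtpm. A root-owned staging location (a directory under /run, or one created with `mktemp -d`) removes that window; patches 2 and 3 of this series appear to address it by moving the copy to /usr/local/bin. The script also runs without `set -euo pipefail`, so a failed `cp` or `mount` still lets `restorecon` run and the oneshot reports success. Suggested second line: `set -euo pipefail`.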
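Review bot: The unit only orders itself `After=local-fs.target`; nothing orders it before the libvirt daemon that spawns swtpm, so any VM autostarted by libvirt (or any swtpm launched before this oneshot finishes) still sees the wrong label on a fast boot. Adding `Before=libvirtd.service` (or `virtqemud.service` on a modular libvirt install) to `[Unit]` closes that gap; a short comment such as `# Must relabel before libvirt can spawn swtpm` would explain the dependency. The same `[Unit]` ordering is left unchanged by the service hunks in patches 2 and 3, so the fix applies there as well.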
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Sun, 31 Dec 2023 14:11:45 -0500
Subject: [PATCH 2/3] fix(-dx): Workaround swtpm SELinux Issues Instead of calling a script, we can do everything inside of the systemd oneshot service file. The semanage line appears to not be needed. Since the correct file context already exists.Working out of /tmp doesn't seem to always work and a symlink to /usr/local/bin doesn't resolve it. Instead, use /usr/local/bin directly. tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-rootca directory exists. Instead of including a .mount unit for the bind mount, I'm using mount directly and cleaning up. This seemed to result in faster boots than using .mount unit and allows us to clean up the changes in /usr/local/bin.
---
 dx/usr/bin/swtpm-workaround | 11 -----------
 dx/usr/lib/systemd/system/swtpm-workaround.service | 11 ++++++++++-
 dx/usr/lib/tmpfiles.d/swtpm-workaround.conf | 1 +
 3 files changed, 11 insertions(+), 12 deletions(-)
 delete mode 100755 dx/usr/bin/swtpm-workaround
diff --git a/dx/usr/bin/swtpm-workaround b/dx/usr/bin/swtpm-workaround
deleted file mode 100755
index 308365bc9d0..00000000000
--- a/dx/usr/bin/swtpm-workaround
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-# Copy swtpm to someplace mutable
-cp /usr/bin/swtpm /tmp/swtpm
-
-# Bind mount it over so it is in the correct location
-mount --bind /tmp/swtpm /usr/bin/swtpm
-
-# Fix SELinux labels
-semanage fcontext -a -t swtpm_exec_t "/usr/bin/swtpm"
-restorecon /usr/bin/swtpm
diff --git a/dx/usr/lib/systemd/system/swtpm-workaround.service b/dx/usr/lib/systemd/system/swtpm-workaround.service
index acfea1fa77f..5a93f6ebed5 100644
--- a/dx/usr/lib/systemd/system/swtpm-workaround.service
+++ b/dx/usr/lib/systemd/system/swtpm-workaround.service
@@ -5,7 +5,16 @@ After=local-fs.target
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/swtpm-workaround
+# Copy if it doens't exist
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/.swtpm ] || /usr/bin/cp /usr/bin/swtpm /usr/local/bin/.swtpm"
+# This is faster than using .mount unit. Also allows for the previous line/cleanup
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/.swtpm /usr/bin/swtpm
+# Fix SELinux label
+ExecStart=/usr/sbin/restorecon /usr/bin/swtpm
+# Clean-up after ourselves
+ExecStop=/usr/bin/umount /usr/bin/swtpm
+ExecStop=/usr/bin/rm /usr/local/bin/.swtpm
+RemainAfterExit=yes
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
index 6b2676a03a6..7bd71535a9a 100644
--- a/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
+++ b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
@@ -1 +1,2 @@
+C /usr/local/bin/.swtpm - - - - /usr/bin/swtpm
 d /var/lib/swtpm-rootca 0750 root tss - -
\ No newline at end of file
From 64a66788d7e61f6760e1548f85483756062902eb Mon Sep 17 00:00:00 2001
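Review bot: The `ExecStartPre` copy on the first added command line only runs when `/usr/local/bin/.swtpm` is missing, and the tmpfiles.d `C` line added in the same patch likewise copies only when the target does not exist, so once a private copy has been made it is never refreshed; the only removal is `ExecStop=/usr/bin/rm`, which does not run after a crash or power loss. Since /usr/local appears to be persistent here (the description relies on cleaning it up), an image update that ships a newer swtpm would still have the stale copy bind-mounted over the new binary, and the host keeps executing the old version. Copying unconditionally, `ExecStartPre=/usr/bin/cp -f /usr/bin/swtpm /usr/local/bin/.swtpm`, and dropping the `C` entry keeps the copy in sync with /usr/bin/swtpm on every start. The same two lines are repeated in patch 3's service and tmpfiles.d hunks. The comment on the first added line also misspells `doesn't`.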
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Sun, 31 Dec 2023 14:11:45 -0500
Subject: [PATCH 3/3] fix(-dx): Workaround swtpm SELinux Issues Instead of calling a script, we can do everything inside of the systemd oneshot service file. The semanage line appears to not be needed. Since the correct file context already exists.Working out of /tmp doesn't seem to always work and a symlink to /usr/local/bin doesn't resolve it. Instead, use /usr/local/bin directly. tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-localca directory exists and is owned by user tss. Instead of including a .mount unit for the bind mount, I'm using mount directly and cleaning up. This seemed to result in faster boots than using .mount unit and allows us to clean up the changes in /usr/local/bin.
---
 dx/usr/bin/swtpm-workaround | 11 -----------
 dx/usr/lib/systemd/system/swtpm-workaround.service | 11 ++++++++++-
 dx/usr/lib/tmpfiles.d/swtpm-workaround.conf | 3 ++-
 3 files changed, 12 insertions(+), 13 deletions(-)
 delete mode 100755 dx/usr/bin/swtpm-workaround
diff --git a/dx/usr/bin/swtpm-workaround b/dx/usr/bin/swtpm-workaround
deleted file mode 100755
index 308365bc9d0..00000000000
--- a/dx/usr/bin/swtpm-workaround
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-# Copy swtpm to someplace mutable
-cp /usr/bin/swtpm /tmp/swtpm
-
-# Bind mount it over so it is in the correct location
-mount --bind /tmp/swtpm /usr/bin/swtpm
-
-# Fix SELinux labels
-semanage fcontext -a -t swtpm_exec_t "/usr/bin/swtpm"
-restorecon /usr/bin/swtpm
diff --git a/dx/usr/lib/systemd/system/swtpm-workaround.service b/dx/usr/lib/systemd/system/swtpm-workaround.service
index acfea1fa77f..5a93f6ebed5 100644
--- a/dx/usr/lib/systemd/system/swtpm-workaround.service
+++ b/dx/usr/lib/systemd/system/swtpm-workaround.service
@@ -5,7 +5,16 @@ After=local-fs.target
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/swtpm-workaround
+# Copy if it doens't exist
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/.swtpm ] || /usr/bin/cp /usr/bin/swtpm /usr/local/bin/.swtpm"
+# This is faster than using .mount unit. Also allows for the previous line/cleanup
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/.swtpm /usr/bin/swtpm
+# Fix SELinux label
+ExecStart=/usr/sbin/restorecon /usr/bin/swtpm
+# Clean-up after ourselves
+ExecStop=/usr/bin/umount /usr/bin/swtpm
+ExecStop=/usr/bin/rm /usr/local/bin/.swtpm
+RemainAfterExit=yes
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
index 6b2676a03a6..bf20bf6457b 100644
--- a/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
+++ b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
@@ -1 +1,2 @@
-d /var/lib/swtpm-rootca 0750 root tss - -
\ No newline at end of file
+C /usr/local/bin/.swtpm - - - - /usr/bin/swtpm
+d /var/lib/swtpm-localca 0750 tss tss - -
\ No newline at end of file