SELinux: Label /usr and sysext image contents

So far we did not correctly label /usr because it broke certain things like Docker. With the sysext Docker and new policies we should try again. First generate the policy before branching off the base squashfs (which already misses a lot of things because they the most postprocessing is done late in finish_image!). Then label /usr and also the sysext contents in their folder - not in the overlay mount because this would operate on the whole image.
flatcar · Dec 20, 2023 · e02f04f · e02f04f
1 parent 0341db0
commit e02f04f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 9 deletions.
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
@@ -715,11 +715,6 @@ EOF
         "${BUILD_DIR}/${image_kconfig}"
   fi
 
-  # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
-  fi
-
   # Run tmpfiles once to make sure that /etc has everything in place before
   # we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
 
@@ -752,10 +747,8 @@ EOF
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
   if pkg_use_enabled coreos-base/coreos selinux; then
-    # TODO: Breaks the system:
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
-    # For now we only try it with /etc
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 

diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
@@ -91,6 +91,11 @@ create_prod_image() {
   run_ldconfig "${root_fs_dir}"
   run_localedef "${root_fs_dir}"
 
+  # Build the selinux policy
+  if pkg_use_enabled coreos-base/coreos selinux; then
+      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+  fi
+
   local root_with_everything="${root_fs_dir}"
 
   # Call helper script for adding sysexts to the base OS.

diff --git a/build_sysext b/build_sysext
@@ -219,6 +219,7 @@ done
 
 # Unmount in order to get rid of the overlay
 umount "${BUILD_DIR}/install-root"
+sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr
 umount "${BUILD_DIR}/fs-root"
 
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then