lsm: Add an API to set SELinux permissive

This is going to be needed for takeover installs.  There's
no point to trying to keep the LSM state running through
the whole thing because we're going to replace the OS anyways.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

lib/src/lsm.rs

@@ -1,3 +1,5 @@
+use std::fs::File;
+use std::io::Write;
 use std::os::unix::process::CommandExt;
 use std::path::Path;
 use std::process::Command;
@@ -79,6 +81,20 @@ pub(crate) fn container_setup_selinux() -> Result<()> {
     Ok(())
 }
 
+#[context("Setting SELinux permissive mode")]
+#[allow(dead_code)]
+#[cfg(feature = "install")]
+pub(crate) fn selinux_set_permissive() -> Result<()> {
+    let enforce_path = &Utf8Path::new(SELINUXFS).join("enforce");
+    if !enforce_path.exists() {
+        return Ok(());
+    }
+    let mut f = File::open(enforce_path)?;
+    f.write_all(b"0")?;
+    tracing::debug!("Set SELinux permissive mode");
+    Ok(())
+}
+
 fn selinux_label_for_path(target: &str) -> Result<String> {
     // TODO: detect case where SELinux isn't enabled
     let o = Command::new("matchpathcon").args(["-n", target]).output()?;