Soft reboot: Detect SELinux policy deltas

gursewak1997 · gursewak1997 · commit 770289ff5fbb · 2025-11-14T10:58:33.000-08:00
Add check to prevent soft reboot when SELinux policies differ
between booted and target deployments, since policy is not
reloaded across soft reboots.

Assisted-by: Cursor (Auto)
Signed-off-by: gursewak1997 &lt;gursmangat@gmail.com&gt;
diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
@@ -763,6 +763,51 @@ fn has_soft_reboot_capability(deployment: Option<&crate::spec::BootEntry>) -> bo
     deployment.map(|d| d.soft_reboot_capable).unwrap_or(false)
 }
 
+/// Check if SELinux policy differs between booted and target deployments.
+/// Returns an error if SELinux is enabled and the policies differ.
+#[context("Checking SELinux policy compatibility with soft reboot")]
+fn check_selinux_policy_for_soft_reboot(
+    sysroot: &SysrootLock,
+    booted_deployment: &ostree::Deployment,
+    target_deployment: &ostree::Deployment,
+) -> Result<()> {
+    // Only check if SELinux is enabled
+    if !crate::lsm::selinux_enabled()? {
+        return Ok(());
+    }
+
+    let booted_fd = crate::utils::deployment_fd(sysroot, booted_deployment)?;
+    let booted_policy = crate::lsm::new_sepolicy_at(&booted_fd)?;
+    let target_fd = crate::utils::deployment_fd(sysroot, target_deployment)?;
+    let target_policy = crate::lsm::new_sepolicy_at(&target_fd)?;
+
+    match (booted_policy, target_policy) {
+        (None, None) => Ok(()), // Both absent, allow soft reboot
+        (Some(_), None) | (None, Some(_)) => {
+            anyhow::bail!(
+                "SELinux policy presence differs between booted and target deployments. \
+                 Soft reboot cannot be used because SELinux policy is not reloaded across soft reboots. \
+                 Please use a full reboot instead."
+            )
+        }
+        (Some(booted), Some(target)) => {
+            // SAFETY: new_sepolicy_at filters out policies without checksums
+            let booted_csum = booted.csum().expect("booted policy should have checksum");
+            let target_csum = target.csum().expect("target policy should have checksum");
+            if booted_csum != target_csum {
+                anyhow::bail!(
+                    "SELinux policy differs between booted and target deployments (booted: {:?}, target: {:?}). \
+                     Soft reboot cannot be used because SELinux policy is not reloaded across soft reboots. \
+                     Please use a full reboot instead.",
+                    booted_csum,
+                    target_csum
+                )
+            }
+            Ok(())
+        }
+    }
+}
+
 /// Prepare a soft reboot for the given deployment
 #[context("Preparing soft reboot")]
 fn prepare_soft_reboot(sysroot: &SysrootLock, deployment: &ostree::Deployment) -> Result<()> {
@@ -835,6 +880,11 @@ fn soft_reboot_staged(sysroot: &SysrootLock) -> Result<()> {
         .find(|d| d.is_staged())
         .ok_or_else(|| anyhow::anyhow!("Failed to find staged deployment"))?;
 
+    // Check SELinux policy compatibility before allowing soft reboot
+    if let Some(booted_deployment) = sysroot.booted_deployment() {
+        check_selinux_policy_for_soft_reboot(sysroot, &booted_deployment, staged_deployment)?;
+    }
+
     prepare_soft_reboot(sysroot, staged_deployment)?;
     Ok(())
 }
@@ -849,6 +899,13 @@ fn soft_reboot_rollback(booted_ostree: &BootedOstree<'_>) -> Result<()> {
         .first()
         .ok_or_else(|| anyhow::anyhow!("No rollback deployment found!"))?;
 
+    // Check SELinux policy compatibility before allowing soft reboot
+    check_selinux_policy_for_soft_reboot(
+        booted_ostree.sysroot,
+        &booted_ostree.deployment,
+        target_deployment,
+    )?;
+
     prepare_soft_reboot(booted_ostree.sysroot, target_deployment)
 }
 
