install: Always mount selinuxfs *before* install_t re-execution

cgwalters · cgwalters · commit 841d831d74b7 · 2023-01-25T19:10:11.000-05:00
My changes to ensure `install_t` actually re-broke the labeling
on `/etc`, because we were mounting selinuxfs *after* the
re-exec.

Reorder and clean up things so that we always do the mount
before the re-exec for install_t.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -657,6 +657,13 @@ pub(crate) async fn install(opts: InstallOpts) -> Result<()> {
         let host_selinux = crate::lsm::selinux_enabled()?;
         tracing::debug!("Target has SELinux, host={host_selinux}");
         if host_selinux {
+            // /sys/fs/selinuxfs is not normally mounted, so we do that now.
+            // Because SELinux enablement status is cached process-wide and was very likely
+            // already queried by something else (e.g. glib's constructor), we would also need
+            // to re-exec.  But, selinux_ensure_install does that unconditionally right now too,
+            // so let's just fall through to that.
+            crate::lsm::container_setup_selinux()?;
+            // This will re-execute the current process (once).
             crate::lsm::selinux_ensure_install()?;
         } else if opts.disable_selinux {
             override_disable_selinux = true;
@@ -670,13 +677,6 @@ pub(crate) async fn install(opts: InstallOpts) -> Result<()> {
         tracing::debug!("Target does not enable SELinux");
     }
 
-    // Because SELinux enablement status is cached process-wide and was very likely
-    // already queried by something else (e.g. glib's constructor), we need to mount
-    // selinuxfs now if needed, then re-exec *again*.
-    if srcdata.selinux && !override_disable_selinux {
-        crate::lsm::container_setup_selinux()?;
-    }
-
     // Create our global (read-only) state which gets wrapped in an Arc
     // so we can pass it to worker threads too. Right now this just
     // combines our command line options along with some bind mounts from the host.
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
@@ -60,14 +60,14 @@ pub(crate) fn container_setup_selinux() -> Result<()> {
     let path = Utf8Path::new(SELINUXFS);
     if !path.join("enforce").exists() {
         if !path.exists() {
+            tracing::debug!("Creating {path}");
             std::fs::create_dir(path)?;
         }
         Task::new("Mounting selinuxfs", "mount")
             .args(["selinuxfs", "-t", "selinuxfs", path.as_str()])
             .run()?;
     }
-
-    selinux_ensure_install()
+    Ok(())
 }
 
 fn selinux_label_for_path(target: &str) -> Result<String> {

Original file line number	Diff line number	Diff line change
`@@ -60,14 +60,14 @@ pub(crate) fn container_setup_selinux() -> Result<()> {`
`60`	`60`	`let path = Utf8Path::new(SELINUXFS);`
`61`	`61`	`if !path.join("enforce").exists() {`
`62`	`62`	`if !path.exists() {`
	`63`	`+ tracing::debug!("Creating {path}");`
`63`	`64`	`std::fs::create_dir(path)?;`
`64`	`65`	`}`
`65`	`66`	`Task::new("Mounting selinuxfs", "mount")`
`66`	`67`	`.args(["selinuxfs", "-t", "selinuxfs", path.as_str()])`
`67`	`68`	`.run()?;`
`68`	`69`	`}`
`69`		`-`
`70`		`- selinux_ensure_install()`
	`70`	`+ Ok(())`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`fn selinux_label_for_path(target: &str) -> Result<String> {`