manifests: set proper SELinux labels for '/boot/efi' and '/boot/lost+found'

Issue: osbuild/osbuild#1877

Co-authored-by: Dusty Mabe <[email protected]>

Author: nikita-dubrovskii

build.sh

@@ -173,9 +173,12 @@ patch_osbuild() {
     mv /usr/bin/osbuild-mpp /usr/lib/osbuild/tools/
 
     # Now all the software is under the /usr/lib/osbuild dir and we can patch
-    cat /usr/lib/coreos-assembler/0001-hacks-for-coreos-selinux-issues.patch                      \
-        /usr/lib/coreos-assembler/0001-org.osbuild.mkdir-support-creating-dirs-on-mounts.patch    \
-        | patch -d /usr/lib/osbuild -p1
+    cat /usr/lib/coreos-assembler/0001-org.osbuild.mkdir-support-creating-dirs-on-mounts.patch    \
+        /usr/lib/coreos-assembler/0001-parsing-add-parse_location_into_parts.patch                \
+        /usr/lib/coreos-assembler/0002-parsing-treat-locations-without-scheme-as-belonging-.patch \
+        /usr/lib/coreos-assembler/0003-org.osbuild.selinux-support-operating-on-mounts.patch      \
+        /usr/lib/coreos-assembler/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch \
+            | patch -d /usr/lib/osbuild -p1
 
     # And then move the files back; supermin appliance creation will need it back
     # in the places delivered by the RPM.

src/0001-hacks-for-coreos-selinux-issues.patch

@@ -0,0 +1,68 @@
+From 234d0776d9fa9a5f0f26e6ff8db290652e01f664 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Fri, 18 Oct 2024 12:28:32 +0200
+Subject: [PATCH 1/4] parsing: add parse_location_into_parts
+
+New fucntion returns tuple of 'root' and relative 'file path', which could be
+useful in contexts, where knowing 'root' is required, for example setting
+selinux labels.
+---
+ osbuild/util/parsing.py | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/osbuild/util/parsing.py b/osbuild/util/parsing.py
+index f8fb2768..f75ffd67 100644
+--- a/osbuild/util/parsing.py
++++ b/osbuild/util/parsing.py
+@@ -2,7 +2,7 @@
+ 
+ import os
+ import re
+-from typing import Dict, Union
++from typing import Dict, Tuple, Union
+ from urllib.parse import ParseResult, urlparse
+ 
+ 
+@@ -72,9 +72,9 @@ def parse_input(url: ParseResult, args: Dict) -> os.PathLike:
+     return root
+ 
+ 
+-def parse_location(location: str, args: Dict) -> str:
++def parse_location_into_parts(location: str, args: Dict) -> Tuple[str, str]:
+     """
+-    Parses the location URL to derive the corresponding file path.
++    Parses the location URL to derive the corresponding root and url path.
+ 
+     Parameters:
+     - location (str): The location URL to be parsed.
+@@ -97,11 +97,24 @@ def parse_location(location: str, args: Dict) -> str:
+     if not url.path.startswith("/"):
+         raise ValueError(f"url.path from location must start with '/', got: {url.path}")
+ 
+-    path = os.path.relpath(url.path, "/")
++    return root, url.path
++
++
++def parse_location(location: str, args: Dict) -> str:
++    """
++    Parses the location URL to derive the corresponding file path.
++
++    Parameters:
++    - location (str): The location URL to be parsed.
++    - args (Dict): A dictionary containing arguments including mounts and
++    path information as passed by osbuild.api.arguments()
++    """
++
++    root, urlpath = parse_location_into_parts(location, args)
++    path = os.path.relpath(urlpath, "/")
+     path = os.path.join(root, path)
+     path = os.path.normpath(path)
+-
+-    if url.path.endswith("/"):
++    if urlpath.endswith("/"):
+         path = os.path.join(path, ".")
+ 
+     return path
+-- 
+2.47.0
+

src/0001-parsing-add-parse_location_into_parts.patch

@@ -0,0 +1,49 @@
+From 779783e873aa7353bf3b8e27b6b81a9f48b3d225 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Mon, 28 Oct 2024 11:20:23 +0100
+Subject: [PATCH 2/4] parsing: treat locations without scheme as belonging to
+ 'tree://'
+
+---
+ osbuild/util/parsing.py  | 4 ++++
+ stages/org.osbuild.mkdir | 9 +++------
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/osbuild/util/parsing.py b/osbuild/util/parsing.py
+index f75ffd67..0877abec 100644
+--- a/osbuild/util/parsing.py
++++ b/osbuild/util/parsing.py
+@@ -82,6 +82,10 @@ def parse_location_into_parts(location: str, args: Dict) -> Tuple[str, str]:
+     path information as passed by osbuild.api.arguments()
+     """
+ 
++    if "://" not in location:
++        print("INFO: location has no scheme, assuming 'tree://'")
++        location = f"tree://{location}"
++
+     url = urlparse(location)
+ 
+     scheme = url.scheme
+diff --git a/stages/org.osbuild.mkdir b/stages/org.osbuild.mkdir
+index d2d11a7a..01f5f431 100755
+--- a/stages/org.osbuild.mkdir
++++ b/stages/org.osbuild.mkdir
+@@ -15,12 +15,9 @@ def main(args):
+         parents = item.get("parents", False)
+         exist_ok = item.get("exist_ok", False)
+ 
+-        if "://" not in path:
+-            if not path.startswith("/"):
+-                print("WARNING: relative path used, this is discouraged!")
+-                path = f"tree:///{path}"
+-            else:
+-                path = f"tree://{path}"
++        if "://" not in path and not path.startswith("/"):
++            print("WARNING: relative path used, this is discouraged!")
++            path = f"tree:///{path}"
+ 
+         target = parsing.parse_location(path, args)
+         if parents:
+-- 
+2.47.0
+

src/0002-parsing-treat-locations-without-scheme-as-belonging-.patch

@@ -0,0 +1,125 @@
+From e3454fe7de62f675fcfc3092689803416a457984 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Thu, 17 Oct 2024 12:57:00 +0200
+Subject: [PATCH 3/4] org.osbuild.selinux: support operating on mounts
+
+This adds support for specifying paths to operate on,
+rather than just the root of the target:
+```
+- type: org.osbuild.selinux
+  options:
+    file_contexts: etc/selinux/targeted/contexts/files/file_contexts
+    target: mount://root/path/to/dir
+  mounts:
+    - name: root
+      source: disk
+      target: /
+```
+
+or
+
+```
+- type: org.osbuild.selinux
+  options:
+    labels:
+      mount://root/path/to/file: system_u:object_r:boot_t:s0
+      mount://root/path/to/other/file: system_u:object_r:var_t:s0
+  mounts:
+    - name: root
+      source: disk
+      target: /
+
+```
+---
+ stages/org.osbuild.selinux           | 21 ++++++++++++---------
+ stages/org.osbuild.selinux.meta.json | 17 ++++++++++++++++-
+ 2 files changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux
+index 563d827b..40487599 100755
+--- a/stages/org.osbuild.selinux
++++ b/stages/org.osbuild.selinux
+@@ -4,26 +4,30 @@ import pathlib
+ import sys
+ 
+ import osbuild.api
+-from osbuild.util import selinux
++from osbuild.util import parsing, selinux
+ 
+ 
+-def main(tree, options):
++def main(args):
++    # Get the path where the tree is
++    options = args["options"]
+     file_contexts = options.get("file_contexts")
+     exclude_paths = options.get("exclude_paths")
++    target = options.get("target", "tree:///")
++    root, target = parsing.parse_location_into_parts(target, args)
+ 
+     if file_contexts:
+-        file_contexts = os.path.join(f"{tree}", options["file_contexts"])
++        file_contexts = os.path.join(args["tree"], options["file_contexts"])
+         if exclude_paths:
+-            exclude_paths = [os.path.join(tree, p.lstrip("/")) for p in exclude_paths]
+-        selinux.setfiles(file_contexts, os.fspath(tree), "", exclude_paths=exclude_paths)
++            exclude_paths = [os.path.normpath(f"{root}/{target}/{p}") for p in exclude_paths]
++        selinux.setfiles(file_contexts, os.path.normpath(root), target, exclude_paths=exclude_paths)
+ 
+     labels = options.get("labels", {})
+     for path, label in labels.items():
+-        fullpath = os.path.join(tree, path.lstrip("/"))
++        fullpath = parsing.parse_location(path, args)
+         selinux.setfilecon(fullpath, label)
+ 
+     if options.get("force_autorelabel", False):
+-        stamp = pathlib.Path(tree, ".autorelabel")
++        stamp = pathlib.Path(root, ".autorelabel")
+         # Creating just empty /.autorelabel resets only the type of files.
+         # To ensure that the full context is reset, we write "-F" into the file.
+         # This mimics the behavior of `fixfiles -F boot`. The "-F" option is
+@@ -34,6 +38,5 @@ def main(tree, options):
+ 
+ 
+ if __name__ == '__main__':
+-    args = osbuild.api.arguments()
+-    r = main(args["tree"], args["options"])
++    r = main(osbuild.api.arguments())
+     sys.exit(r)
+diff --git a/stages/org.osbuild.selinux.meta.json b/stages/org.osbuild.selinux.meta.json
+index 30dbddae..87b13e59 100644
+--- a/stages/org.osbuild.selinux.meta.json
++++ b/stages/org.osbuild.selinux.meta.json
+@@ -33,6 +33,21 @@
+         }
+       ],
+       "properties": {
++        "target": {
++          "oneOf": [
++            {
++              "type": "string",
++              "description": "Target path, if a mount",
++              "pattern": "^mount://.+"
++            },
++            {
++              "type": "string",
++              "description": "Target path, if a tree",
++              "pattern": "^tree://.+"
++            }
++          ],
++          "default": "tree:///"
++        },
+         "file_contexts": {
+           "type": "string",
+           "description": "Path to the active SELinux policy's `file_contexts`"
+@@ -53,7 +68,7 @@
+         },
+         "force_autorelabel": {
+           "type": "boolean",
+-          "description": "Do not use. Forces auto-relabelling on first boot.",
++          "description": "Do not use. Forces auto-relabelling on first boot. Affects target's root or tree:/// by default",
+           "default": false
+         }
+       }
+-- 
+2.47.0
+