manifests: set proper SELinux labels for '/boot/efi' and '/boot/lost+found'

build.sh

@@ -173,7 +173,11 @@ patch_osbuild() {
     mv /usr/bin/osbuild-mpp /usr/lib/osbuild/tools/
 
     # Now all the software is under the /usr/lib/osbuild dir and we can patch
-    patch -d /usr/lib/osbuild -p1 < /usr/lib/coreos-assembler/0001-hacks-for-coreos-selinux-issues.patch
+    cat /usr/lib/coreos-assembler/0001-parsing-add-parse_location_into_parts.patch                \
+        /usr/lib/coreos-assembler/0002-parsing-treat-locations-without-scheme-as-belonging-.patch \
+        /usr/lib/coreos-assembler/0003-org.osbuild.selinux-support-operating-on-mounts.patch      \
+        /usr/lib/coreos-assembler/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch \
+            | patch -d /usr/lib/osbuild -p1
 
     # And then move the files back; supermin appliance creation will need it back
     # in the places delivered by the RPM.

src/0001-parsing-add-parse_location_into_parts.patch

@@ -0,0 +1,68 @@
+From 077244e3b9f4a3ba46244a1b3e056cb70609e265 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Fri, 18 Oct 2024 12:28:32 +0200
+Subject: [PATCH 1/4] parsing: add parse_location_into_parts
+
+New fucntion returns tuple of 'root' and relative 'file path', which could be
+useful in contexts, where knowing 'root' is required, for example setting
+selinux labels.
+---
+ osbuild/util/parsing.py | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/osbuild/util/parsing.py b/osbuild/util/parsing.py
+index f8fb2768..f75ffd67 100644
+--- a/osbuild/util/parsing.py
++++ b/osbuild/util/parsing.py
+@@ -2,7 +2,7 @@
+
+ import os
+ import re
+-from typing import Dict, Union
++from typing import Dict, Tuple, Union
+ from urllib.parse import ParseResult, urlparse
+
+
+@@ -72,9 +72,9 @@ def parse_input(url: ParseResult, args: Dict) -> os.PathLike:
+     return root
+
+
+-def parse_location(location: str, args: Dict) -> str:
++def parse_location_into_parts(location: str, args: Dict) -> Tuple[str, str]:
+     """
+-    Parses the location URL to derive the corresponding file path.
++    Parses the location URL to derive the corresponding root and url path.
+
+     Parameters:
+     - location (str): The location URL to be parsed.
+@@ -97,11 +97,24 @@ def parse_location(location: str, args: Dict) -> str:
+     if not url.path.startswith("/"):
+         raise ValueError(f"url.path from location must start with '/', got: {url.path}")
+
+-    path = os.path.relpath(url.path, "/")
++    return root, url.path
++
++
++def parse_location(location: str, args: Dict) -> str:
++    """
++    Parses the location URL to derive the corresponding file path.
++
++    Parameters:
++    - location (str): The location URL to be parsed.
++    - args (Dict): A dictionary containing arguments including mounts and
++    path information as passed by osbuild.api.arguments()
++    """
++
++    root, urlpath = parse_location_into_parts(location, args)
++    path = os.path.relpath(urlpath, "/")
+     path = os.path.join(root, path)
+     path = os.path.normpath(path)
+-
+-    if url.path.endswith("/"):
++    if urlpath.endswith("/"):
+         path = os.path.join(path, ".")
+
+     return path
+-- 
+2.47.0
+

src/0002-parsing-treat-locations-without-scheme-as-belonging-.patch

@@ -0,0 +1,55 @@
+From 6a59e740e4ccb761f9d87c2c6f837fa748908a90 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Mon, 28 Oct 2024 11:20:23 +0100
+Subject: [PATCH 2/4] parsing: treat locations without scheme as belonging to
+ 'tree://'
+
+---
+ osbuild/util/parsing.py  | 6 +++++-
+ stages/org.osbuild.mkdir | 9 +++------
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/osbuild/util/parsing.py b/osbuild/util/parsing.py
+index f75ffd67..d6d16f22 100644
+--- a/osbuild/util/parsing.py
++++ b/osbuild/util/parsing.py
+@@ -77,11 +77,15 @@ def parse_location_into_parts(location: str, args: Dict) -> Tuple[str, str]:
+     Parses the location URL to derive the corresponding root and url path.
+
+     Parameters:
+-    - location (str): The location URL to be parsed.
++    - location (str): The location URL to be parsed. If the URL has no scheme,
++    then 'tree://' is implied
+     - args (Dict): A dictionary containing arguments including mounts and
+     path information as passed by osbuild.api.arguments()
+     """
+
++    if "://" not in location:
++        location = f"tree://{location}"
++
+     url = urlparse(location)
+
+     scheme = url.scheme
+diff --git a/stages/org.osbuild.mkdir b/stages/org.osbuild.mkdir
+index d2d11a7a..01f5f431 100755
+--- a/stages/org.osbuild.mkdir
++++ b/stages/org.osbuild.mkdir
+@@ -15,12 +15,9 @@ def main(args):
+         parents = item.get("parents", False)
+         exist_ok = item.get("exist_ok", False)
+
+-        if "://" not in path:
+-            if not path.startswith("/"):
+-                print("WARNING: relative path used, this is discouraged!")
+-                path = f"tree:///{path}"
+-            else:
+-                path = f"tree://{path}"
++        if "://" not in path and not path.startswith("/"):
++            print("WARNING: relative path used, this is discouraged!")
++            path = f"tree:///{path}"
+
+         target = parsing.parse_location(path, args)
+         if parents:
+-- 
+2.47.0
+

src/0003-org.osbuild.selinux-support-operating-on-mounts.patch

@@ -0,0 +1,116 @@
+From 84d4de577057f66e1ad1c8e91631c441c0294532 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Thu, 17 Oct 2024 12:57:00 +0200
+Subject: [PATCH 3/4] org.osbuild.selinux: support operating on mounts
+
+This adds support for specifying paths to operate on,
+rather than just the root of the target:
+```
+- type: org.osbuild.selinux
+  options:
+    file_contexts: etc/selinux/targeted/contexts/files/file_contexts
+    target: mount://root/path/to/dir
+  mounts:
+    - name: root
+      source: disk
+      target: /
+```
+
+or
+
+```
+- type: org.osbuild.selinux
+  options:
+    labels:
+      mount://root/path/to/file: system_u:object_r:boot_t:s0
+      mount://root/path/to/other/file: system_u:object_r:var_t:s0
+  mounts:
+    - name: root
+      source: disk
+      target: /
+
+```
+---
+ stages/org.osbuild.selinux           | 21 ++++++++++++---------
+ stages/org.osbuild.selinux.meta.json |  8 +++++++-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux
+index 563d827b..40487599 100755
+--- a/stages/org.osbuild.selinux
++++ b/stages/org.osbuild.selinux
+@@ -4,26 +4,30 @@ import pathlib
+ import sys
+
+ import osbuild.api
+-from osbuild.util import selinux
++from osbuild.util import parsing, selinux
+
+
+-def main(tree, options):
++def main(args):
++    # Get the path where the tree is
++    options = args["options"]
+     file_contexts = options.get("file_contexts")
+     exclude_paths = options.get("exclude_paths")
++    target = options.get("target", "tree:///")
++    root, target = parsing.parse_location_into_parts(target, args)
+
+     if file_contexts:
+-        file_contexts = os.path.join(f"{tree}", options["file_contexts"])
++        file_contexts = os.path.join(args["tree"], options["file_contexts"])
+         if exclude_paths:
+-            exclude_paths = [os.path.join(tree, p.lstrip("/")) for p in exclude_paths]
+-        selinux.setfiles(file_contexts, os.fspath(tree), "", exclude_paths=exclude_paths)
++            exclude_paths = [os.path.normpath(f"{root}/{target}/{p}") for p in exclude_paths]
++        selinux.setfiles(file_contexts, os.path.normpath(root), target, exclude_paths=exclude_paths)
+
+     labels = options.get("labels", {})
+     for path, label in labels.items():
+-        fullpath = os.path.join(tree, path.lstrip("/"))
++        fullpath = parsing.parse_location(path, args)
+         selinux.setfilecon(fullpath, label)
+
+     if options.get("force_autorelabel", False):
+-        stamp = pathlib.Path(tree, ".autorelabel")
++        stamp = pathlib.Path(root, ".autorelabel")
+         # Creating just empty /.autorelabel resets only the type of files.
+         # To ensure that the full context is reset, we write "-F" into the file.
+         # This mimics the behavior of `fixfiles -F boot`. The "-F" option is
+@@ -34,6 +38,5 @@ def main(tree, options):
+
+
+ if __name__ == '__main__':
+-    args = osbuild.api.arguments()
+-    r = main(args["tree"], args["options"])
++    r = main(osbuild.api.arguments())
+     sys.exit(r)
+diff --git a/stages/org.osbuild.selinux.meta.json b/stages/org.osbuild.selinux.meta.json
+index 30dbddae..e536cead 100644
+--- a/stages/org.osbuild.selinux.meta.json
++++ b/stages/org.osbuild.selinux.meta.json
+@@ -33,6 +33,12 @@
+         }
+       ],
+       "properties": {
++        "target": {
++          "type": "string",
++          "description": "Target path in the tree or on a mount",
++          "pattern": "^mount://[^/]+/|^tree:///",
++          "default": "tree:///"
++        },
+         "file_contexts": {
+           "type": "string",
+           "description": "Path to the active SELinux policy's `file_contexts`"
+@@ -53,7 +59,7 @@
+         },
+         "force_autorelabel": {
+           "type": "boolean",
+-          "description": "Do not use. Forces auto-relabelling on first boot.",
++          "description": "Do not use. Forces auto-relabelling on first boot. Affects target's root or tree:/// by default",
+           "default": false
+         }
+       }
+-- 
+2.47.0
+

src/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch

@@ -0,0 +1,92 @@
+From a8e8ebde4400e94036df35f72b08708f00bd4ffe Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <[email protected]>
+Date: Fri, 18 Oct 2024 17:04:07 +0200
+Subject: [PATCH 4/4] org.osbuild.selinux: support for specifying where
+ file_contexts comes from
+
+file_context now can come from
+- tree (current default)
+- mount
+- input
+
+Example:
+```
+- type: org.osbuild.selinux
+  inputs:
+    tree:
+      type: org.osbuild.tree
+      origin: org.osbuild.pipeline
+      references:
+        - name:tree
+  options:
+    file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+```
+---
+ stages/org.osbuild.selinux           |  6 +++++-
+ stages/org.osbuild.selinux.meta.json | 12 ++++++++----
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux
+index 40487599..8e25a281 100755
+--- a/stages/org.osbuild.selinux
++++ b/stages/org.osbuild.selinux
+@@ -9,6 +9,7 @@ from osbuild.util import parsing, selinux
+
+ def main(args):
+     # Get the path where the tree is
++    tree = args["tree"]
+     options = args["options"]
+     file_contexts = options.get("file_contexts")
+     exclude_paths = options.get("exclude_paths")
+@@ -16,7 +17,10 @@ def main(args):
+     root, target = parsing.parse_location_into_parts(target, args)
+
+     if file_contexts:
+-        file_contexts = os.path.join(args["tree"], options["file_contexts"])
++        if "://" not in file_contexts:
++            file_contexts = os.path.normpath(f"{tree}/{file_contexts}")
++        else:
++            file_contexts = parsing.parse_location(file_contexts, args)
+         if exclude_paths:
+             exclude_paths = [os.path.normpath(f"{root}/{target}/{p}") for p in exclude_paths]
+         selinux.setfiles(file_contexts, os.path.normpath(root), target, exclude_paths=exclude_paths)
+diff --git a/stages/org.osbuild.selinux.meta.json b/stages/org.osbuild.selinux.meta.json
+index e536cead..9a9d7bb1 100644
+--- a/stages/org.osbuild.selinux.meta.json
++++ b/stages/org.osbuild.selinux.meta.json
+@@ -1,8 +1,8 @@
+ {
+   "summary": "Set SELinux file contexts",
+   "description": [
+-    "Sets correct SELinux labels for every file in the tree, according to the",
+-    "SELinux policy installed inside the tree.",
++    "Sets correct SELinux labels for every file in the tree or on mount, according to",
++    "the SELinux policy.",
+     "Uses the host's `setfiles` program and the tree's `file_contexts`, usually",
+     "    /etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts",
+     "where <SELINUXTYPE> is the value set in /etc/selinux/config (usually \"targeted\"",
+@@ -40,8 +40,8 @@
+           "default": "tree:///"
+         },
+         "file_contexts": {
+-          "type": "string",
+-          "description": "Path to the active SELinux policy's `file_contexts`"
++          "description": "Path to the active SELinux policy's `file_contexts`. Supports `tree://`, `mount://`, and `input://` schemes. Plain paths imply `tree://`.",
++          "type": "string"
+         },
+         "exclude_paths": {
+           "type": "array",
+@@ -70,6 +70,10 @@
+     },
+     "mounts": {
+       "type": "array"
++    },
++    "inputs": {
++      "type": "object",
++      "additionalProperties": true
+     }
+   }
+ }
+-- 
+2.47.0
+