diff --git a/lib/src/cli.rs b/lib/src/cli.rs index 520c6d511..da4441bab 100644 --- a/lib/src/cli.rs +++ b/lib/src/cli.rs @@ -293,7 +293,9 @@ pub(crate) async fn prepare_for_write() -> Result<()> { } ensure_self_unshared_mount_namespace().await?; if crate::lsm::selinux_enabled()? { - crate::lsm::selinux_ensure_install()?; + if !crate::lsm::selinux_ensure_install()? { + tracing::warn!("Do not have install_t capabilities"); + } } Ok(()) } diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs index 740d32efe..2760e146f 100644 --- a/lib/src/lsm.rs +++ b/lib/src/lsm.rs @@ -41,8 +41,18 @@ fn context_is_install_t(context: &str) -> bool { context.contains(":install_t:") } +#[context("Testing install_t")] +fn test_install_t() -> Result { + let tmpf = tempfile::NamedTempFile::new()?; + let st = Command::new("chcon") + .args(["-t", "invalid_bootcinstall_testlabel_t"]) + .arg(tmpf.path()) + .status()?; + Ok(st.success()) +} + #[context("Ensuring selinux install_t type")] -pub(crate) fn selinux_ensure_install() -> Result<()> { +pub(crate) fn selinux_ensure_install() -> Result { let guardenv = "_bootc_selinuxfs_mounted"; let current = get_current_security_context()?; tracing::debug!("Current security context is {current}"); @@ -54,9 +64,13 @@ pub(crate) fn selinux_ensure_install() -> Result<()> { } else { tracing::debug!("Assuming we now have a privileged (e.g. install_t) label"); } - return Ok(()); + return test_install_t(); + } + if test_install_t()? { + tracing::debug!("We have install_t"); + return Ok(true); } - tracing::debug!("Copying self to temporary file for re-exec"); + tracing::debug!("Lacking install_t capabilities; copying self to temporary file for re-exec"); // OK now, we always copy our binary to a tempfile, set its security context // to match that of /usr/bin/ostree, and then re-exec. This is really a gross // hack; we can't always rely on https://github.com/fedora-selinux/selinux-policy/pull/1500/commits/67eb283c46d35a722636d749e5b339615fe5e7f5 @@ -102,18 +116,16 @@ pub(crate) fn selinux_ensure_install_or_setenforce() -> Result