From c2b5c2a173699b301916d9df75893ba4fc8b9d45 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 6 Feb 2024 10:28:35 -0500
Subject: [PATCH 1/3] =?UTF-8?q?composepost:=20Add=20SELinux=20equivalency?= =?UTF-8?q?=20rule=20for=20/usr/lib/opt=20=E2=86=92=20/opt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When `/opt` packages get moved to `/usr/lib/opt`, they're not being labeled properly; they get the `lib_t` label instead of `usr_t` (or e.g. `bin_t` for `/opt/bin`). This apparently works for e.g. Google Chrome (for which the `/usr/lib/opt` translation was added). But with state overlays, the goal is to support all `/opt` packages and things will break without proper labeling. Add an equivalency rule so that `/usr/lib/opt` is labeled like `/opt. This fixes the SELinux issues that occur when layering Puppet in https://github.com/coreos/rpm-ostree/issues/233#issuecomment-1856720559. This should probably be upstreamed to SELinux (along with the `/usr/etc` equivalency rule just above). Side note: in the status quo model where `/opt` is a symlink to `/var/opt`, everything is *also* mislabeled (it gets `var_t`). To be conservative, we don't fix this since presumably this works right now for people writing files there via e.g. Ignition/cloud-init and anyway all that would go away if we move over to state overlays by default in the future.
---
 rust/src/composepost.rs | 2 ++
 tests/kolainst/destructive/state-overlays | 6 ++++++
 tests/kolainst/kolainst-build.sh | 6 ++++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/rust/src/composepost.rs b/rust/src/composepost.rs
index ddd4a4c088..5f2e3229e5 100644
--- a/rust/src/composepost.rs
+++ b/rust/src/composepost.rs
@@ -381,6 +381,8 @@ fn postprocess_subs_dist(rootfs_dfd: &Dir) -> Result<()> {
 writeln!(w, "/home /var/home")?;
 writeln!(w, "# https://github.com/coreos/rpm-ostree/pull/4640")?;
 writeln!(w, "/usr/etc /etc")?;
+ writeln!(w, "# https://github.com/coreos/rpm-ostree/pull/1795")?;
+ writeln!(w, "/usr/lib/opt /opt")?;
 Ok(())
 })?;
 }
diff --git a/tests/kolainst/destructive/state-overlays b/tests/kolainst/destructive/state-overlays
index c2aac0d1c5..468b96b871 100755
--- a/tests/kolainst/destructive/state-overlays
+++ b/tests/kolainst/destructive/state-overlays
@@ -68,6 +68,7 @@ EOF
 /tmp/autopkgtest-reboot 1
 ;;
 1)
+ test -f /opt/bin/test-opt
 test -f /opt/megacorp/bin/test-opt
 test -f /opt/megacorp/lib/mylib
 test -d /opt/megacorp/state
@@ -76,6 +77,11 @@ EOF
 assert_file_has_content /tmp/out.txt 'test-opt'
 assert_file_has_content /opt/megacorp/lib/mylib 'lib1'
+ stat -c '%C' /opt/bin/test-opt > /tmp/out.txt
+ assert_file_has_content /tmp/out.txt ':bin_t:'
+ stat -c '%C' /opt/megacorp > /tmp/out.txt
+ assert_file_has_content /tmp/out.txt ':usr_t:'
+
 # add some state files
 echo 'foobar' > /opt/megacorp/state/mystate
diff --git a/tests/kolainst/kolainst-build.sh b/tests/kolainst/kolainst-build.sh
index 8ed020f163..fed0f8655d 100755
--- a/tests/kolainst/kolainst-build.sh
+++ b/tests/kolainst/kolainst-build.sh
@@ -98,10 +98,12 @@ build_rpm zincati version 99.99 release 3
 # An RPM that installs in /opt
 build_rpm test-opt \
- install "mkdir -p %{buildroot}/opt/megacorp/{bin,lib,state}
+ install "mkdir -p %{buildroot}/opt/megacorp/{bin,lib,state} %{buildroot}/opt/bin
+ install %{name} %{buildroot}/opt/bin
 install %{name} %{buildroot}/opt/megacorp/bin
 echo lib1 > %{buildroot}/opt/megacorp/lib/mylib" \
- files "/opt/megacorp"
+ files "/opt/megacorp
+ /opt/bin/test-opt"
 mv ${test_tmpdir}/yumrepo/* ${test_tmpdir}/rpm-repos/${repover}

From e7cbe651c67982f37d2af4d9878320a166415daa Mon Sep 17 00:00:00 2001
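Review bot: The added `/usr/lib/opt /opt` line carries only a PR link, and it should also say what the rule does to labels, because a subs_dist entry rewrites the path prefix before the file_contexts lookup, so every file under `/usr/lib/opt` is now labeled from the `/opt` rules (`usr_t`, `bin_t` under `bin/`) instead of the generic `/usr/lib` `lib_t` — a label change for the existing Chrome-style consumers the commit message mentions, not only for state overlays. A comment such as `// Label /usr/lib/opt content as if it lived in /opt (usr_t, bin_t for bin/, ...) rather than lib_t; this affects every /usr/lib/opt consumer, not just state overlays` would capture that for the next reader. As far as I recall libselinux only substitutes on a path-component boundary, so `/usr/lib/optfoo` is untouched, and ordering against the other entries is irrelevant here only because none of them shares the prefix. `postprocess_subs_dist` starts before the hunk, so how the file is opened (truncate vs. append) is not visible.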
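Review bot: The new label checks only look at the overlay view (`/opt/bin/test-opt`, `/opt/megacorp`), so they would also pass if the labels came from a relabel during overlay setup rather than from the compose-time subs_dist rule this series adds; asserting the lower directory as well pins the actual fix, e.g. `stat -c '%C' /usr/lib/opt/bin/test-opt > /tmp/out.txt` followed by `assert_file_has_content /tmp/out.txt ':bin_t:'`. The lib file `/opt/megacorp/lib/mylib` is installed too but its label is not asserted; if the `/opt` policy gives `lib/` content `lib_t` (as I believe it does), a third pair of lines would cover that case. That the overlay's lower directory is exactly `/usr/lib/opt` is inferred from the commit message, not visible in this hunk.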
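Review bot: `files` now lists `/opt/bin/test-opt` but not the `/opt/bin` directory that the `install` block creates, so unlike `/opt/megacorp` the directory is not owned by the test RPM; rpm creates it on install and leaves it behind on removal, and rpmlint would flag it. Listing the directory instead, `files "/opt/megacorp` / `/opt/bin"`, keeps the two entries symmetrical and still ships the file. This assumes `build_rpm` (defined outside the hunk) passes the `files` string through to `%files` verbatim, which is how the existing `/opt/megacorp` entry appears to work.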
From: Jonathan Lebon
Date: Tue, 6 Feb 2024 15:15:31 -0500
Subject: [PATCH 2/3] ci/prow: Build rpm instead

Let's match CoreOS CI and also build RPMs here to not fall into issues relating to supermin relying on the rpmdb: https://github.com/coreos/rpm-ostree/pull/4763#issuecomment-1883686187 This implicitly reverts 1451675.
---
 ci/prow/Dockerfile | 6 ++----
 ci/prow/fcos-e2e.sh | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ci/prow/Dockerfile b/ci/prow/Dockerfile
index eadd78d39c..24d659fdf4 100644
--- a/ci/prow/Dockerfile
+++ b/ci/prow/Dockerfile
@@ -1,7 +1,7 @@
 FROM registry.ci.openshift.org/coreos/fcos-buildroot:testing-devel as builder
 WORKDIR /src
 COPY . .
-RUN ./ci/build.sh && make install DESTDIR=/cosa/component-install
+RUN ./ci/coreosci-rpmbuild.sh && mkdir -p /cosa/component-rpms && mv rpm-ostree{,-libs}-20*.rpm /cosa/component-rpms
 RUN make -C tests/kolainst install DESTDIR=/cosa/component-tests
 # Uncomment this to fake a build to test the code below
 #RUN mkdir -p /cosa/component-install/usr/bin && echo foo > /cosa/component-install/usr/bin/foo
@@ -12,9 +12,7 @@ USER root
 # Copy binaries from the build
 COPY --from=builder /cosa /cosa
 # Merge them to the real root since we're used at compose time
-# XXX: disabled for now
-# https://github.com/coreos/rpm-ostree/pull/4763#issuecomment-1883686187
-# RUN rsync -rlv /cosa/component-install/ /
+RUN dnf install -y /cosa/component-rpms/*.rpm
 # Merge installed tests
 RUN rsync -rlv /cosa/component-tests/ /
 # Grab all of our ci scripts
diff --git a/ci/prow/fcos-e2e.sh b/ci/prow/fcos-e2e.sh
index 6365ad84e8..2aaef627f4 100755
--- a/ci/prow/fcos-e2e.sh
+++ b/ci/prow/fcos-e2e.sh
@@ -9,7 +9,7 @@ ls -al /usr/bin/rpm-ostree
 rpm-ostree --version
 cd $(mktemp -d)
 cosa init https://github.com/coreos/fedora-coreos-config/
-rsync -rlv /cosa/component-install/ overrides/rootfs/
+cp /cosa/component-rpms/*.rpm overrides/rpm
 cosa fetch
 cosa build
 cosa kola run 'ext.rpm-ostree.*'
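Review bot: The `#RUN mkdir -p /cosa/component-install/usr/bin && echo foo > ...` fake-build hint is now stale, because this hunk retires `/cosa/component-install` in favour of `/cosa/component-rpms` and the code below (a `dnf install` of those RPMs) would never see that fake directory; either drop the two comment lines or repoint them, e.g. `#RUN mkdir -p /cosa/component-rpms && cp /path/to/rpm-ostree*.rpm /cosa/component-rpms`. Separately, `mv rpm-ostree{,-libs}-20*.rpm` relies on bash brace expansion in the `RUN` shell and on a `20xx`-style version prefix; that is presumably fine for a Fedora-based builder image where `/bin/sh` is bash, and a non-match fails the build loudly, but what `coreosci-rpmbuild.sh` actually emits is not visible here.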
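Review bot: `dnf install -y /cosa/component-rpms/*.rpm` does not guarantee the freshly built rpm-ostree ends up in the image the way the removed unconditional `rsync` did: if the base image already carries the same NEVRA, dnf reports it as already installed and exits 0, and if the base has a newer one (plausible once patch 3 lets the RPM build without tags, so `git describe` yields a lower version), I believe dnf declines to downgrade — either way CI would silently test the stale binary. A cheap assertion after the install catches both cases: `RUN dnf install -y /cosa/component-rpms/*.rpm && rpm -q $(rpm -qp /cosa/component-rpms/*.rpm)`, since `rpm -q NEVRA` fails when that exact package is not installed. Note also that local RPMs are installed with no signature check (`localpkg_gpgcheck` is off by default), which is acceptable here only because they come from the builder stage of this same Dockerfile.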
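Review bot: `cp /cosa/component-rpms/*.rpm overrides/rpm` has no trailing slash, so if `overrides/rpm` does not exist yet and the glob expands to a single file, `cp` silently creates a regular file named `overrides/rpm` and `cosa build` would just ignore the override; with two or more files it at least fails with "target is not a directory". Writing `cp /cosa/component-rpms/*.rpm overrides/rpm/` (or running `mkdir -p overrides/rpm` first) forces directory semantics either way. Whether `cosa init` creates `overrides/rpm` is not visible here, and the Dockerfile in this series currently produces two RPMs, so this is a robustness point rather than a live failure.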
From ab58750caa3363f6a791f03bdb35ea51b27efe51 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 6 Feb 2024 15:29:15 -0500
Subject: [PATCH 3/3] .copr/Makefile: Allow building RPM without git remote

The Prow CI build job we have doesn't seem to keep the git remote around.
---
 .copr/Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.copr/Makefile b/.copr/Makefile
index c7ef647daf..8c74891884 100644
--- a/.copr/Makefile
+++ b/.copr/Makefile
@@ -2,8 +2,9 @@ srpm:
 ./ci/installdeps.sh
 # similar to https://github.com/actions/checkout/issues/760, but for COPR
 git config --global --add safe.directory '*'
- # fetch tags so `git describe` gives a nice NEVRA when building the RPM
- git fetch origin --tags
+ # if we have a git repo with remotes, fetch tags so `git describe` gives a nice NEVRA when
+ # building the RPM
+ if git remote | grep origin; then git fetch origin --tags; fi
 git submodule update --init --recursive
 # Our primary CI build goes via RPM rather than direct to binaries
 # to better test that path, including our vendored spec file, etc.
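Review bot: `git remote | grep origin` matches any remote whose name merely contains `origin` (e.g. `myorigin`) and echoes the match into the build log; `if git remote | grep -qx origin; then git fetch origin --tags; fi` (or `git remote get-url origin >/dev/null 2>&1`) tests for exactly that remote and stays quiet. The comment should also note that in the no-remote case `git describe` falls back to whatever tags the checkout happens to have, so the resulting NEVRA can sort lower than a released build, which matters for the `dnf install` of these RPMs in the Prow Dockerfile. The recipe stays a single `if ...; fi` line, so it remains valid under make's default `/bin/sh`.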