overlay coreos-base/misc-files: Recreate a symlink on filesystem wipe

The path where the SELinux policy modules are built is normally /var/lib/selinux. In our case we want to have those policies to be installed somewhere under /usr. So we have a setup where /var/lib/selinux is a symlink to /usr/lib/selinux/policy. The /var/lib/selinux directory is normally created by sys-apps/policycoreutils directory and we don't want to change it in order to pursue the goal of putting the package back to portage-stable. On the other hand, the override of modules directory location can't happen in the coreos-base/misc-files package, because sys-apps/policycoreutils needs that directory to be already set up in the package post installation time. The override of the SELinux policy modules directory needs to be done in the bashrc hook unfortunately. This will come in the follow-up commit. So the only thing left is to set up tmpfiles configuration file to recreate the /var/lib/selinux symlink, since it can be removed when wiping the filesystem.
2025-09-24 23:21:17 +02:00 · 2024-02-21 16:11:50 +01:00 · 2024-02-21 16:11:50 +01:00 · 49fb14d782
commit 49fb14d782
parent d7c32b1cb0
2 changed files with 18 additions and 5 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf
@ -0,0 +1,2 @@
+#Type	Path			Mode	UID 	GID 	Age	Argument
+L	/var/lib/selinux/	-	-	-	-	../../usr/lib/selinux/policy
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh ntp"
+IUSE="openssh ntp policycoreutils"

 # No source directory.
 S="${WORKDIR}"
@ -23,15 +23,16 @@ S="${WORKDIR}"
 # net-misc/openssh must be installed on host for enabling its unit to
 # work during installation.
 DEPEND="
-	openssh? ( >=net-misc/openssh-9.4_p1 )
+        openssh? ( >=net-misc/openssh-9.4_p1 )
 "

 # Versions listed below are version of packages that shedded the
 # modifications in their ebuilds.
 RDEPEND="
-	${DEPEND}
-	>=app-shells/bash-5.2_p15-r2
-	ntp? ( >=net-misc/ntp-4.2.8_p17 )
+        ${DEPEND}
+        >=app-shells/bash-5.2_p15-r2
+        ntp? ( >=net-misc/ntp-4.2.8_p17 )
+        policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
 "

 declare -A CORE_BASH_SYMLINKS
@ -171,6 +172,16 @@ src_install() {
        misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf"
    fi

+    if use policycoreutils; then
+        # Exceptionally, the location for policy definitions is set up
+        # in profiles/coreos/base/profile.bashrc. See the comment for
+        # cros_post_src_install_set_up_var_lib_selinux for reasoning.
+        #
+        # Recreate the symlink in /var in case of wiping the root
+        # filesystem.
+        dotmpfiles "${FILESDIR}/10-var-lib-selinux.conf"
+    fi
+
    # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...
    # (The below keepdir will result in a tmpfiles entry in base_image_var.conf)
    keepdir /var/kubernetes/kubelet-plugins/volume/exec