build_packages: use setfiles to label the system

`setfiles` can be used to directly set the SELinux labels on a root filesystem based on the values in `file_contexts`. Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2026-05-05 04:06:33 +02:00 · 2022-08-18 13:50:22 +02:00 · 2022-08-18 13:50:22 +02:00 · 759559f27d
commit 759559f27d
parent 27590c6b67
2 changed files with 23 additions and 6 deletions
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@ -732,6 +732,11 @@ EOF
        "${BUILD_DIR}/${image_kconfig}"
  fi

+  # Label the root filesystem using 'file_contexts'.
+  sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+  sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+  sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
+
  write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"

  # Zero all fs free space to make it more compressible so auto-update
@ -741,11 +746,6 @@ EOF
    sudo fstrim "${root_fs_dir}/usr" || true
  fi

-  # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
-  fi
-
  # Make the filesystem un-mountable as read-write and setup verity.
  if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
    # Unmount /usr partition
--- a/19
+++ b/19
@ -188,7 +188,24 @@ function torcx_package() {
        fi

        tmpfile="${BUILD_DIR}/${name}:${version}.torcx.tgz"
-        tar --force-local --selinux --xattrs -C "${tmppkgroot}" -czf "${tmpfile}" .
+        # build the file_contexts and set labels on the Torcx image content.
+        sudo chroot "${BOARD_ROOT}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+        # temporary move to relabel the torcx files, they can't be relabelled on overlay FS (operation not supported)
+        sudo mkdir -p /mnt/host/source/src/build/
+        sudo cp -r "${tmppkgroot}" /mnt/host/source/src/build/torcx
+        sudo setfiles -Dv -r /mnt/host/source/src/build/torcx "${BOARD_ROOT}/etc/selinux/mcs/contexts/files/file_contexts" /mnt/host/source/src/build/torcx
+
+        # this is a bit hacky: we need to copy the file_contexts and the compiled policies from the BOARD_ROOT
+        # to the SDK. Otherwise, 'tar' will lookup for SELinux labels from the SDK and it will result
+        # into a partially updated system.
+        sudo mkdir -p /etc/selinux/mcs/contexts/files/
+        sudo cp "${BOARD_ROOT}/etc/selinux/mcs/contexts/files/file_contexts" /etc/selinux/mcs/contexts/files/
+
+        # sed file_contexts to simulate the root
+        sudo sed -i "s#^#/mnt/host/source/src/build/torcx#" /etc/selinux/mcs/contexts/files/file_contexts
+        # debug:
+        cat /etc/selinux/mcs/contexts/files/file_contexts
+        tar --force-local --selinux --xattrs -C /mnt/host/source/src/build/torcx -czf "${tmpfile}" .
        sha512sum=$(sha512sum "${tmpfile}" | awk '{print $1}')

        # TODO(euank): this opaque digest, if it were reproducible, could save