From 7eb4d4ecd9f405b3f919477387e7734dd44164a9 Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Wed, 20 Dec 2023 11:20:39 +0100
Subject: [PATCH] SELinux: Label /usr and sysext image contents

So far we did not correctly label /usr because it broke certain things
like Docker. With the sysext Docker and new policies we should try
again.
First generate the policy before branching off the base squashfs (which
already misses a lot of things because they the most postprocessing is
done late in finish_image!). Then label /usr and also the sysext
contents in their folder - not in the overlay mount because this would
operate on the whole image.
---
 build_library/build_image_util.sh   | 35 +++++++++++++++++++++--------
 build_library/dev_container_util.sh |  2 ++
 build_library/prod_image_util.sh    | 15 +++++++++++++
 build_sysext                        |  1 +
 4 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index a29470dc82..1ec826e163 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -580,6 +580,30 @@ start_image() {
     --board="${BOARD}"
 }
 
+# Actions common to the dev container and the image
+# but which should be run before the image branches off
+# the base squashfs (used for systemd-sysext image building)
+finish_image_common() {
+  local image_name="$1"
+  local disk_layout="$2"
+  local root_fs_dir="$3"
+  local image_contents="$4"
+  local image_contents_wtd="$5"
+  local image_kernel="$6"
+  local pcr_policy="$7"
+  local image_grub="$8"
+  local image_shim="$9"
+  local image_kconfig="${10}"
+  local image_initrd_contents="${11}"
+  local image_initrd_contents_wtd="${12}"
+  local image_disk_space_usage="${13}"
+
+  # Build the selinux policy
+  if pkg_use_enabled coreos-base/coreos selinux; then
+      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+  fi
+}
+
 finish_image() {
   local image_name="$1"
   local disk_layout="$2"
@@ -694,11 +718,6 @@ EOF
         "${BUILD_DIR}/${image_kconfig}"
   fi
 
-  # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
-  fi
-
   # Run tmpfiles once to make sure that /etc has everything in place before
   # we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
 
@@ -731,10 +750,8 @@ EOF
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
   if pkg_use_enabled coreos-base/coreos selinux; then
-    # TODO: Breaks the system:
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
-    # For now we only try it with /etc
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 
diff --git a/build_library/dev_container_util.sh b/build_library/dev_container_util.sh
index f87bd1235a..227471c1df 100755
--- a/build_library/dev_container_util.sh
+++ b/build_library/dev_container_util.sh
@@ -112,6 +112,8 @@ create_dev_container() {
   # The remount services are provided by coreos-base/coreos-init
   systemd_enable "${root_fs_dir}" "multi-user.target" "remount-usr.service"
 
+  finish_image_common "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
+
   finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
 
   declare -a files_to_evaluate
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index 561766aa21..3af2c9a562 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -92,6 +92,21 @@ create_prod_image() {
   run_ldconfig "${root_fs_dir}"
   run_localedef "${root_fs_dir}"
 
+  finish_image_common \
+      "${image_name}" \
+      "${disk_layout}" \
+      "${root_fs_dir}" \
+      "${image_contents}" \
+      "${image_contents_wtd}" \
+      "${image_kernel}" \
+      "${image_pcr_policy}" \
+      "${image_grub}" \
+      "${image_shim}" \
+      "${image_kconfig}" \
+      "${image_initrd_contents}" \
+      "${image_initrd_contents_wtd}" \
+      "${image_disk_usage}"
+
   local root_with_everything="${root_fs_dir}"
 
   # Call helper script for adding sysexts to the base OS.
diff --git a/build_sysext b/build_sysext
index ed05390732..00eb7754fe 100755
--- a/build_sysext
+++ b/build_sysext
@@ -237,6 +237,7 @@ export SOURCE_DATE_EPOCH=$(stat -c '%Y' "${BUILD_DIR}/fs-root/usr/lib/os-release
 
 # Unmount in order to get rid of the overlay
 umount "${BUILD_DIR}/install-root"
+sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr
 umount "${BUILD_DIR}/fs-root"
 
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then