Implement SELinux labeling support in EtcFileController, label both squashfs and runtime-created files in /etc and /system/etc.
Add corresponding test cases.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Do not do string lookups in repetitive calls. We do not support changing SELinux status during runtime, so once we read this we can assume status does not change.
Also avoid unneeded FS writes when appropriate label is already set on file.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
I added those in the early days of the current policy development, yet there was no use for them. This change simplifies the policy and handling of labels.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Part of: #9127
Label executables and processes, build, load and manage SELinux policy, enable audit support.
Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
