From 62a3ffcb42d9af23715f21a8c9b5d688c31c999d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 2 Nov 2018 11:46:26 -0400
Subject: [PATCH] compose: Don't require SELinux policy in legacy path

In #1630, we lowered SELinux policy loading into the core. However, this
also enabled SELinux policy loading from the host system even in the
legacy (non-unified) compose path. This meant that compose systems now
needed to have the policy installed even though we didn't need it at
all. This caused regressions in pungi:

https://pagure.io/dusty/failed-composes/issue/956

Just make the binding of the "selinux" member conditional on whether or
not we're in unified mode (which is really the only case where we care
about having it loaded from the start, for pkgcache purposes).

Closes: #1656
Approved by: cgwalters
---
 src/app/rpmostree-compose-builtin-tree.c |  1 +
 src/app/rpmostree-composeutil.c          | 16 ++++++++++++++--
 src/app/rpmostree-composeutil.h          |  1 +
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/app/rpmostree-compose-builtin-tree.c b/src/app/rpmostree-compose-builtin-tree.c
index 620fa36..4e9d45c 100644
--- a/src/app/rpmostree-compose-builtin-tree.c
+++ b/src/app/rpmostree-compose-builtin-tree.c
@@ -576,6 +576,7 @@ rpm_ostree_compose_context_new (const char    *treefile_pathstr,
   self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
                                                        self->treefile_rs,
                                                        self->treefile,
+                                                       opt_unified_core,
                                                        error);
   if (!self->treespec)
     return FALSE;
diff --git a/src/app/rpmostree-composeutil.c b/src/app/rpmostree-composeutil.c
index 820ecfd..621bc85 100644
--- a/src/app/rpmostree-composeutil.c
+++ b/src/app/rpmostree-composeutil.c
@@ -241,6 +241,7 @@ RpmOstreeTreespec *
 rpmostree_composeutil_get_treespec (RpmOstreeContext  *ctx,
                                     RORTreefile *treefile_rs,
                                     JsonObject  *treedata,
+                                    gboolean     bind_selinux,
                                     GError     **error)
 {
   GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error);
@@ -255,8 +256,6 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext  *ctx,
     return FALSE;
   if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error))
     return FALSE;
-  if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
-    return FALSE;
   if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error))
     return FALSE;
   { const char *releasever;
@@ -267,6 +266,19 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext  *ctx,
       g_key_file_set_string (treespec, "tree", "releasever", releasever);
   }
 
+  if (bind_selinux)
+    {
+      if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
+        return FALSE;
+    }
+  else
+    {
+      /* In the legacy compose path, we don't want to use any of the core's selinux stuff,
+       * e.g. importing, relabeling, etc... so just disable it. We do still set the policy
+       * to the final one right before commit as usual. */
+      g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);
+    }
+
   const char *input_ref = NULL;
   if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error))
     return FALSE;
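Review bot: In the `else` branch the treefile's `"selinux"` member is never read, so a legacy-path treefile that sets it explicitly (including a wrong-typed value) is silently overridden to FALSE instead of being validated or honored, whereas the unified branch above still errors on bad input. If the key is meant to be accepted but ignored in legacy mode, consider still validating it before forcing the value, e.g. `if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error)) return FALSE;` followed by the existing `g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);`, so a malformed member is still rejected. The comment's claim that the final policy is still applied right before commit is not visible in this hunk and presumably lives elsewhere in the legacy compose path; worth confirming that nothing there consults `tree.selinux` from this treespec, since it now always reads FALSE in legacy mode. rpmostree_composeutil_get_treespec continues outside the hunk.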
diff --git a/src/app/rpmostree-composeutil.h b/src/app/rpmostree-composeutil.h
index e3e64c6..3d91f58 100644
--- a/src/app/rpmostree-composeutil.h
+++ b/src/app/rpmostree-composeutil.h
@@ -47,6 +47,7 @@ RpmOstreeTreespec *
 rpmostree_composeutil_get_treespec (RpmOstreeContext  *ctx,
                                     RORTreefile *treefile_rs,
                                     JsonObject  *treedata,
+                                    gboolean     bind_selinux,
                                     GError     **error);
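Review bot: The new `bind_selinux` parameter is undocumented in the public header, and its effect is not a plain on/off: when FALSE the treefile's "selinux" member is ignored and the treespec's tree.selinux is forced to FALSE rather than left unset. Suggest a comment on the declaration, e.g. `/* bind_selinux: if TRUE, bind the treefile's "selinux" member (default TRUE); if FALSE, ignore it and force tree.selinux to FALSE (legacy compose path). */`, so callers know that passing FALSE disables the core's SELinux handling regardless of the treefile.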
 
 GHashTable *
-- 
2.17.1