SELinux: Label /usr and sysext image contents

build_library/build_image_util.sh

@@ -601,6 +601,30 @@ start_image() {
     --board="${BOARD}"
 }
 
+# Actions common to the dev container and the image
+# but which should be run before the image branches off
+# the base squashfs (used for systemd-sysext image building)
+finish_image_common() {
+  local image_name="$1"
+  local disk_layout="$2"
+  local root_fs_dir="$3"
+  local image_contents="$4"
+  local image_contents_wtd="$5"
+  local image_kernel="$6"
+  local pcr_policy="$7"
+  local image_grub="$8"
+  local image_shim="$9"
+  local image_kconfig="${10}"
+  local image_initrd_contents="${11}"
+  local image_initrd_contents_wtd="${12}"
+  local image_disk_space_usage="${13}"
+
+  # Build the selinux policy
+  if pkg_use_enabled coreos-base/coreos selinux; then
+      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+  fi
+}
+
 finish_image() {
   local image_name="$1"
   local disk_layout="$2"
@@ -715,11 +739,6 @@ EOF
         "${BUILD_DIR}/${image_kconfig}"
   fi
 
-  # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
-  fi
-
   # Run tmpfiles once to make sure that /etc has everything in place before
   # we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
 
@@ -752,10 +771,8 @@ EOF
   # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
   # the relabeling on boot would cause upcopies in the overlay.
   if pkg_use_enabled coreos-base/coreos selinux; then
-    # TODO: Breaks the system:
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
-    # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
-    # For now we only try it with /etc
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
     sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
   fi
 

build_library/dev_container_util.sh

@@ -110,6 +110,8 @@ create_dev_container() {
   # The remount services are provided by coreos-base/coreos-init
   systemd_enable "${root_fs_dir}" "multi-user.target" "remount-usr.service"
 
+  finish_image_common "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
+
   finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
 
   declare -a files_to_evaluate

build_library/prod_image_util.sh

@@ -91,6 +91,21 @@ create_prod_image() {
   run_ldconfig "${root_fs_dir}"
   run_localedef "${root_fs_dir}"
 
+  finish_image_common \
+      "${image_name}" \
+      "${disk_layout}" \
+      "${root_fs_dir}" \
+      "${image_contents}" \
+      "${image_contents_wtd}" \
+      "${image_kernel}" \
+      "${image_pcr_policy}" \
+      "${image_grub}" \
+      "${image_shim}" \
+      "${image_kconfig}" \
+      "${image_initrd_contents}" \
+      "${image_initrd_contents_wtd}" \
+      "${image_disk_usage}"
+
   local root_with_everything="${root_fs_dir}"
 
   # Call helper script for adding sysexts to the base OS.

build_sysext

@@ -219,6 +219,7 @@ done
 
 # Unmount in order to get rid of the overlay
 umount "${BUILD_DIR}/install-root"
+sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr
 umount "${BUILD_DIR}/fs-root"
 
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then