composepost: Add SELinux equivalency rule for /usr/lib/opt → /opt

When `/opt` packages get moved to `/usr/lib/opt`, they're not being labeled properly; they get the `lib_t` label instead of `usr_t` (or e.g. `bin_t` for `/opt/bin`). This apparently works for e.g. Google Chrome (for which the `/usr/lib/opt` translation was added). But with state overlays, the goal is to support all `/opt` packages and things will break without proper labeling. Add an equivalency rule so that `/usr/lib/opt` is labeled like `/opt. This fixes the SELinux issues that occur when layering Puppet in coreos#233 (comment). This should probably be upstreamed to SELinux (along with the `/usr/etc` equivalency rule just above). Side note: in the status quo model where `/opt` is a symlink to `/var/opt`, everything is *also* mislabeled (it gets `var_t`). To be conservative, we don't fix this since presumably this works right now for people writing files there via e.g. Ignition/cloud-init and anyway all that would go away if we move over to state overlays by default in the future.
jlebon · Feb 6, 2024 · c2b5c2a · c2b5c2a
1 parent 3e3cbd5
commit c2b5c2a
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/rust/src/composepost.rs b/rust/src/composepost.rs
@@ -381,6 +381,8 @@ fn postprocess_subs_dist(rootfs_dfd: &Dir) -> Result<()> {
             writeln!(w, "/home /var/home")?;
             writeln!(w, "# https://github.com/coreos/rpm-ostree/pull/4640")?;
             writeln!(w, "/usr/etc /etc")?;
+            writeln!(w, "# https://github.com/coreos/rpm-ostree/pull/1795")?;
+            writeln!(w, "/usr/lib/opt /opt")?;
             Ok(())
         })?;
     }

diff --git a/tests/kolainst/destructive/state-overlays b/tests/kolainst/destructive/state-overlays
@@ -68,6 +68,7 @@ EOF
     /tmp/autopkgtest-reboot 1
     ;;
   1)
+    test -f /opt/bin/test-opt
     test -f /opt/megacorp/bin/test-opt
     test -f /opt/megacorp/lib/mylib
     test -d /opt/megacorp/state
@@ -76,6 +77,11 @@ EOF
     assert_file_has_content /tmp/out.txt 'test-opt'
     assert_file_has_content /opt/megacorp/lib/mylib 'lib1'
 
+    stat -c '%C' /opt/bin/test-opt > /tmp/out.txt
+    assert_file_has_content /tmp/out.txt ':bin_t:'
+    stat -c '%C' /opt/megacorp > /tmp/out.txt
+    assert_file_has_content /tmp/out.txt ':usr_t:'
+
     # add some state files
     echo 'foobar' > /opt/megacorp/state/mystate
 

diff --git a/tests/kolainst/kolainst-build.sh b/tests/kolainst/kolainst-build.sh
@@ -98,10 +98,12 @@ build_rpm zincati version 99.99 release 3
 
 # An RPM that installs in /opt
 build_rpm test-opt \
-             install "mkdir -p %{buildroot}/opt/megacorp/{bin,lib,state}
+             install "mkdir -p %{buildroot}/opt/megacorp/{bin,lib,state} %{buildroot}/opt/bin
+                      install %{name} %{buildroot}/opt/bin
                       install %{name} %{buildroot}/opt/megacorp/bin
                       echo lib1 > %{buildroot}/opt/megacorp/lib/mylib" \
-             files "/opt/megacorp"
+             files "/opt/megacorp
+                    /opt/bin/test-opt"
 
 mv ${test_tmpdir}/yumrepo/* ${test_tmpdir}/rpm-repos/${repover}