Handle SELinux policy recompilation #1026

Closed
cgwalters opened this issue Jul 21, 2017 · 3 comments

@cgwalters
Member

Migrating from https://bugzilla.gnome.org/show_bug.cgi?id=761620

OSTree basically encourages systems to move away from %post for systems management tasks. However, SELinux policy is very special as it gets loaded in the initramfs.
We need to recompile the policy after creating a new deployment. This will actually need to involve using e.g. systemd-nspawn -D /path/to/new-deployment semodule.
Need to work out:

  • Can we detect "is the policy changed"? Probably cmp /{usr/,}etc/selinux/targeted/policy/policy.29 - but is there an API for that?
  • Can we efficiently detect the case where on upgrade, the base policy version didn't change, so we don't need to recompile, and just propagate forward our modified policy from /etc?

Basically we need to use bwrap or so to rebuild policy in the new root right after we do the /etc merge.

More details in: http://marc.info/?l=selinux&m=145677940526857&w=2
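The two questions above (is the /etc policy locally modified, and did the shipped base policy change between deployments) can be answered with plain file comparison. The following is an added example, not code from the issue or from OSTree; it assumes the issue's layout (shipped policy under /usr/etc, merged copy under /etc, file name policy.29) and that bwrap and semodule are on the host:

```shell
#!/bin/sh
# Added example, not OSTree's own code. Decide what to do with the SELinux
# binary policy when a new deployment is created. Layout and file name
# (policy.29) are taken from the issue; real version suffixes vary.
POLICY_REL=selinux/targeted/policy/policy.29

# policy_action OLD_ROOT NEW_ROOT
# Prints one of:
#   none       - the new deployment ships no binary policy
#   unchanged  - shipped policy identical across deployments and /etc copy
#                matches it: nothing to do
#   propagate  - shipped policy unchanged but /etc holds a locally modified
#                policy: carry it forward into the new deployment
#   recompile  - shipped policy changed: rebuild from the module store in
#                the new root (e.g. semodule inside bwrap or systemd-nspawn)
policy_action() {
    old_base="$1/usr/etc/$POLICY_REL"
    new_base="$2/usr/etc/$POLICY_REL"
    old_etc="$1/etc/$POLICY_REL"
    if [ ! -f "$new_base" ]; then
        echo none
    elif ! cmp -s "$old_base" "$new_base"; then
        echo recompile
    elif ! cmp -s "$old_base" "$old_etc"; then
        echo propagate
    else
        echo unchanged
    fi
}

# rebuild_policy NEW_ROOT
# Rebuild the binary policy from the module store inside the new deployment.
# -n keeps semodule from loading the result into the running kernel; the
# deployment's own boot will load it. Assumes bwrap is installed.
rebuild_policy() {
    bwrap --bind "$1" / --proc /proc --dev /dev semodule -n -B
}

# Usage: script.sh OLD_ROOT NEW_ROOT (prints the decision only)
if [ $# -eq 2 ]; then
    policy_action "$1" "$2"
fi
```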

@cgwalters cgwalters added the bug label Jul 21, 2017
@jlebon
Member

jlebon commented Feb 27, 2020

Totally missed this ticket before. But definitely worth cross-linking to coreos/rpm-ostree#27 and coreos/fedora-coreos-tracker#368.

I think we're on the same wavelength re. recompiling the policy though: coreos/fedora-coreos-tracker#368 (comment). (The suggestion I have is to make it an explicit opt-in instead of dynamically doing this -- that would require moving the binary policy under /usr, though I guess it already is, just /usr/etc :) ).

One note re.

"However, SELinux policy is very special as it gets loaded in the initramfs."

This is not true today at least for Fedora and RHEL (and IIUC most other distros).

@jlebon
Member

jlebon commented Apr 21, 2022

This is fixed by #2569. 🎉

@jlebon jlebon closed this as completed Apr 21, 2022