Revert "fstools: remove SELinux restorecon hack"

Now that procd only relables the filesystem in case of the system
beging started with initramfs we will again need to take care of
labeling newly created /overlay.

This reverts commit 9e11b3723ce30b9b8c94ad7d15072a10cf13c0b4.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/libfstools/libfstools.h b/libfstools/libfstools.h
index be20fadae28e63a0e05a67da5934352dd8411eba..340e2dca3a25440802aabbf3c77610dcaef3e200 100644 (file)
--- a/libfstools/libfstools.h
+++ b/libfstools/libfstools.h
@@ -62,5 +62,6 @@ extern void overlay_delete(const char *dir, bool keep_sysupgrade);
 
 enum fs_state fs_state_get(const char *dir);
 int fs_state_set(const char *dir, enum fs_state state);
+void selinux_restorecon(char *overlaydir);
 
 #endif

diff --git a/libfstools/mount.c b/libfstools/mount.c
index 8646c1959114f0ded691f90ecf5f592c8d94e459..3d4111fe6b58c7d46ba96038c7fc571005f308cd 100644 (file)
--- a/libfstools/mount.c
+++ b/libfstools/mount.c
@@ -86,6 +86,24 @@ pivot(char *new, char *old)
        return 0;
 }
 
+void
+selinux_restorecon(char *overlaydir)
+{
+       struct stat s;
+       pid_t restorecon_pid;
+       int status;
+
+       /* on non-SELinux system we don't have /sbin/restorecon, return */
+       if (stat("/sbin/restorecon", &s))
+               return;
+
+       restorecon_pid = fork();
+       if (!restorecon_pid)
+               exit(execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL));
+       else if (restorecon_pid > 0)
+               waitpid(restorecon_pid, &status, 0);
+}
+
 /**
  * fopivot - switch to overlay using passed dir as upper one
  *
@@ -111,6 +129,13 @@ fopivot(char *rw_root, char *ro_root)
        snprintf(mount_options, sizeof(mount_options), "lowerdir=/,upperdir=%s,workdir=%s",
                 upperdir, workdir);
 
+       /*
+        * Initialize SELinux security label on newly created overlay
+        * filesystem where /upper doesn't yet exist
+        */
+       if (stat(upperdir, &st))
+               selinux_restorecon(rw_root);
+
        /*
         * Overlay FS v23 and later requires both a upper and
         * a work directory, both on the same filesystem, but

diff --git a/libfstools/overlay.c b/libfstools/overlay.c
index 4cc319e759a31680db883cae031b8b1fdb9b66f6..67903372d567602cac20fbab0fdc64cbabc1acde 100644 (file)
--- a/libfstools/overlay.c
+++ b/libfstools/overlay.c
@@ -195,6 +195,7 @@ switch2jffs(struct volume *v)
                ULOG_ERR("failed - mount -t jffs2 %s %s: %m\n", v->blk, OVERLAYDIR);
                return -1;
        }
+       selinux_restorecon(OVERLAYDIR);
 
        if (mount("none", "/", NULL, MS_NOATIME | MS_REMOUNT, 0)) {
                ULOG_ERR("failed - mount -o remount,ro none: %m\n");