Create subvolumes in init-storage

It turns out that we cannot use `systemd-tmpfiles` to create our Btrfs subvolumes. Since the directories we are interested in, specifically `/var/log` and `/var/tmp` already exist in the rootfs image and are therefore copied into the mutable filesystem, `systemd-tmpfiles` ignores them. To avoid having to explicitly specify the SELinux context for each subvolume created on the persistent filesystem, `init-storage` now executes `setfiles` to set the appropriate labels.
2023-03-15 18:59:25 -05:00 · 2023-03-15 18:59:25 -05:00 · b38f48b72f
parent 7c3738d067
commit b38f48b72f
3 changed files with 27 additions and 7 deletions
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@ -68,7 +68,6 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
 fi

 rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
-sed -i 's:d /var/log :v /var/log :' /mnt/gentoo/lib/tmpfiles.d/var.conf
 systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create

 systemctl preset-all --root=/mnt/gentoo
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@ -1,6 +1,13 @@
 #!/bin/sh
 # vim: set sw=4 ts=4 sts=4 et :

+SUBVOLUMES='
+    /var
+    /var/log
+    /var/tmp
+    /etc
+'
+
 cleanup() {
    if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then
        if mountpoint -q "${tmpdir}"; then
@ -26,10 +33,11 @@ format_dev() {
    mkfs.btrfs "${dev}" || exit

    mount "${dev}" "${tmpdir}" || exit
-    btrfs subvolume create "${tmpdir}"/var || exit
-    chcon -t var_t "${tmpdir}"/var || exit
-    btrfs subvolume create "${tmpdir}"/etc || exit
-    chcon -t etc_t "${tmpdir}"/etc || exit
+    for vol in ${SUBVOLUMES}; do
+        mkdir -p "${tmpdir}${vol%/*}" || exit
+        btrfs subvolume create "${tmpdir}${vol}" || exit
+    done
+    relabel_all
    umount "${dev}" || exit
 }

@ -39,6 +47,18 @@ has_fs() {
    [ -n "${fstype}" ]
 }

+relabel_all() {
+    selinuxtype=$(. /etc/selinux/config && echo ${SELINUXTYPE})
+    find "${tmpdir}" | \
+    setfiles \
+        -v \
+        -F \
+        -m \
+        -r "${tmpdir}" \
+        -s \
+        /etc/selinux/${selinuxtype}/contexts/files/file_contexts
+}
+
 setup_etc() {
    dev="$1"

--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@ -65,9 +65,10 @@ dontaudit aimee_storinit_t mount_runtime_t:dir write;

 seutil_read_config(aimee_storinit_t)
 seutil_read_file_contexts(aimee_storinit_t)
+seutil_read_bin_policy(aimee_storinit_t)
+seutil_domtrans_setfiles(aimee_storinit_t)

-kernel_rw_unlabeled_dirs(aimee_storinit_t)
-kernel_relabelfrom_unlabeled_dirs(aimee_storinit_t)
+kernel_manage_unlabeled_dirs(aimee_storinit_t)

 auth_manage_shadow(aimee_storinit_t)
 auth_relabel_shadow(aimee_storinit_t)