From b38f48b72f1941b51b61ad2cfde4e1d5e018e634 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 15 Mar 2023 18:59:25 -0500
Subject: [PATCH] Create subvolumes in init-storage

It turns out that we cannot use `systemd-tmpfiles` to create our Btrfs subvolumes. Since the directories we are interested in, specifically `/var/log` and `/var/tmp` already exist in the rootfs image and are therefore copied into the mutable filesystem, `systemd-tmpfiles` ignores them.

To avoid having to explicitly specify the SELinux context for each subvolume created on the persistent filesystem, `init-storage` now executes `setfiles` to set the appropriate labels.
---
 build-rootfs.sh | 1 -
 overlay/usr/libexec/init-storage | 28 ++++++++++++++++---
 .../selinux-aimee-os/files/aimee-os.te | 5 ++-
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/build-rootfs.sh b/build-rootfs.sh
index 14024c1..1a6b00d 100755
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -68,7 +68,6 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
 fi
 rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
-sed -i 's:d /var/log :v /var/log :' /mnt/gentoo/lib/tmpfiles.d/var.conf
 systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
 systemctl preset-all --root=/mnt/gentoo
diff --git a/overlay/usr/libexec/init-storage b/overlay/usr/libexec/init-storage
index 8141047..bbb8726 100755
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@@ -1,6 +1,13 @@
 #!/bin/sh
 # vim: set sw=4 ts=4 sts=4 et :
+SUBVOLUMES='
+    /var
+    /var/log
+    /var/tmp
+    /etc
+'
+
 cleanup() {
     if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then
         if mountpoint -q "${tmpdir}"; then
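Review bot: The order of `SUBVOLUMES` is load-bearing and undocumented: format_dev creates each entry with `mkdir -p "${tmpdir}${vol%/*}"` before `btrfs subvolume create`, so if `/var/log` preceded `/var`, `/var` would come into existence as an ordinary directory and the later subvolume create for `/var` would fail on the existing path. I would add above the assignment: `# Parents must precede their children; format_dev creates these in list order.` Since the list is expanded unquoted (`for vol in ${SUBVOLUMES}`), a second line noting that entries must not contain whitespace or glob characters would also help the next maintainer.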
@@ -26,10 +33,11 @@ format_dev() {
     mkfs.btrfs "${dev}" || exit
     mount "${dev}" "${tmpdir}" || exit
-    btrfs subvolume create "${tmpdir}"/var || exit
-    chcon -t var_t "${tmpdir}"/var || exit
-    btrfs subvolume create "${tmpdir}"/etc || exit
-    chcon -t etc_t "${tmpdir}"/etc || exit
+    for vol in ${SUBVOLUMES}; do
+        mkdir -p "${tmpdir}${vol%/*}" || exit
+        btrfs subvolume create "${tmpdir}${vol}" || exit
+    done
+    relabel_all
     umount "${dev}" || exit
 }
@@ -39,6 +47,18 @@ has_fs() {
     [ -n "${fstype}" ]
 }
+relabel_all() {
+    selinuxtype=$(. /etc/selinux/config && echo ${SELINUXTYPE})
+    find "${tmpdir}" | \
+    setfiles \
+        -v \
+        -F \
+        -m \
+        -r "${tmpdir}" \
+        -s \
+        /etc/selinux/${selinuxtype}/contexts/files/file_contexts
+}
+
 setup_etc() {
     dev="$1"
diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 6f16f7d..a26fb35 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -65,9 +65,10 @@ dontaudit aimee_storinit_t mount_runtime_t:dir write;
 seutil_read_config(aimee_storinit_t)
 seutil_read_file_contexts(aimee_storinit_t)
+seutil_read_bin_policy(aimee_storinit_t)
+seutil_domtrans_setfiles(aimee_storinit_t)
-kernel_rw_unlabeled_dirs(aimee_storinit_t)
-kernel_relabelfrom_unlabeled_dirs(aimee_storinit_t)
+kernel_manage_unlabeled_dirs(aimee_storinit_t)
 auth_manage_shadow(aimee_storinit_t)
 auth_relabel_shadow(aimee_storinit_t)
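Review bot: `relabel_all` is the only command in format_dev's new body without `|| exit`, so if setfiles fails (missing file_contexts, a policy denial, an unset SELINUXTYPE) the freshly formatted filesystem is unmounted with unlabeled or partially labeled `/var` and `/etc` subvolumes and the caller sees success; change the line to `relabel_all || exit`. The `chcon` calls this replaces each carried the guard, so this reads as an error-handling regression rather than a deliberate best-effort. format_dev begins before this hunk; nothing in the visible lines suggests it runs under `set -e`, so the explicit guard is what makes the failure visible.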
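Review bot: relabel_all builds the file_contexts path from `${selinuxtype}` without validating it, so an empty or missing `SELINUXTYPE` in `/etc/selinux/config` yields `/etc/selinux//contexts/files/file_contexts` and only setfiles' exit status reports the problem; insert `[ -n "${selinuxtype}" ] || exit` after the assignment and quote the expansions (`echo "${SELINUXTYPE}"` and `"/etc/selinux/${selinuxtype}/contexts/files/file_contexts"`). The function also depends on the global `tmpdir` set by its caller, and `. /etc/selinux/config` executes that file as shell, which is acceptable only because it comes from the rootfs image rather than the mutable filesystem; a header comment such as `# Relabel everything under ${tmpdir} (set by caller) using the active policy's file_contexts; sources the read-only /etc/selinux/config.` would make both constraints explicit. Feeding `find` output to `setfiles -s` is newline-delimited, which is safe here only because every path under ${tmpdir} at this point was created by this script; that assumption deserves a one-line comment too.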
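Review bot: `seutil_read_bin_policy(aimee_storinit_t)` looks redundant next to the domain transition added on the following line: once setfiles runs in setfiles_t via `seutil_domtrans_setfiles`, the binary policy is read by that domain rather than by aimee_storinit_t, and the script's own SELinux access is limited to sourcing `/etc/selinux/config`, already covered by `seutil_read_config`. If the grant was added to clear an AVC observed before the domtrans existed, it can presumably be dropped and re-tested; otherwise a comment stating why storinit itself needs the binary policy would help. `kernel_manage_unlabeled_dirs` widens the former rw grant to create/unlink on unlabeled directories, which the `mkdir -p` on the fresh filesystem needs (and presumably the subvolume-create ioctl as well), but with the `chcon` calls gone, any `relabelto` grants on var_t or etc_t elsewhere in this policy, outside the hunk, may now be dead and worth pruning for least privilege.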