From 292a4d2268e3f279cf6770e61d82b124743fe417 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 14 Mar 2023 14:39:22 -0500
Subject: [PATCH] init-storage: Copy file contexts from rootfs

Apparently, BusyBox's `cp` does NOT copy SELinux contexts when the `-a` argument is specified. This differs from GNU coreutils's `cp`, and explains why the files copied from the rootfs image to the persistent storage volume were not being labelled correctly. The `-c` argument is required. Now that files are labelled correctly when they are copied, the step to run `restorecon` is no longer necessary.

---
 .../usr/lib/systemd/system/restorecon.service | 15 ---------
 overlay/usr/libexec/init-storage | 2 +-
 .../selinux-aimee-os/files/aimee-os.te | 31 +++++++++++++++++++
 3 files changed, 32 insertions(+), 16 deletions(-)
 delete mode 100644 overlay/usr/lib/systemd/system/restorecon.service

diff --git a/overlay/usr/lib/systemd/system/restorecon.service b/overlay/usr/lib/systemd/system/restorecon.service
deleted file mode 100644
index 1b2fa45..0000000
--- a/overlay/usr/lib/systemd/system/restorecon.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Restore SELinux file contexts in /var
-ConditionNeedsUpdate=/var
-DefaultDependencies=no
-After=local-fs.target
-Before=sysinit.target
-Before=systemd-tmpfiles-setup.service
-Before=systemd-update-done.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/sbin/restorecon -RFv /var
-
-[Install]
-WantedBy=sysinit.target
diff --git a/overlay/usr/libexec/init-storage b/overlay/usr/libexec/init-storage
index e54f75a..3cca98c 100755
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@@ -16,7 +16,7 @@ copy_var() {
 echo 'Copying /var contents to data volume'
 mount -o subvol=var "${dev}" "${tmpdir}" || exit
-cp -auv /var/. "${tmpdir}" || exit
+cp -acuv /var/. "${tmpdir}" || exit
 umount "${tmpdir}"
 }
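Review bot: Keeping `-u` next to the new `-c` means files that already exist on the data volume with an mtime no older than the rootfs copy are skipped, so a volume populated by an earlier run keeps whatever labels it got then, and with restorecon.service deleted in this same commit there is no longer any path that repairs them; either a one-time relabel for pre-existing volumes or a comment stating that only freshly created volumes are labelled from the image seems needed. As far as I can tell `-c` is only compiled into a BusyBox built with SELinux support, and because of `|| exit` an unrecognised option aborts copy_var before anything is copied, which is worth recording above the cp line, e.g. `# -c preserves SELinux contexts; requires a BusyBox built with SELinux support`. copy_var begins outside the hunk.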
diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 7ccf9d1..7fcf7d6 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -30,6 +30,7 @@ init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
 allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
 allow aimee_storinit_t self:capability { chown fsetid sys_admin };
+allow aimee_storinit_t self:process { setfscreate };
 manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
 manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
@@ -55,7 +56,13 @@ gen_require(`
 ')
 dontaudit aimee_storinit_t mount_runtime_t:dir write;
+seutil_read_config(aimee_storinit_t)
+seutil_read_file_contexts(aimee_storinit_t)
+
+kernel_rw_unlabeled_dirs(aimee_storinit_t)
+kernel_relabelfrom_unlabeled_dirs(aimee_storinit_t)
 files_manage_var_dirs(aimee_storinit_t)
+files_relabel_var_dirs(aimee_storinit_t)
 files_manage_var_files(aimee_storinit_t)
 files_manage_var_symlinks(aimee_storinit_t)
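Review bot: The relabel grants added here (`kernel_relabelfrom_unlabeled_dirs`, `files_relabel_var_dirs`, and the relabel_*_pattern lines in the next hunk) are checked independently, relabelfrom on the old type and relabelto on the new, so together they let aimee_storinit_t move a file between any two of the listed types (semanage_store_t to tmp_t, var_lib_t to a logfile-attributed type, and so on), not only restore the label the rootfs copy carried. If BusyBox `cp -c` sets the creation context through `setfscreate` (the process permission added in the first hunk), the destination is created directly in the preserved type and the existing manage_* patterns already cover that, so some of these relabel grants may never be exercised; I would confirm against the AVC denials from a permissive-mode run before keeping them and drop any that do not appear there. A comment above the block recording which operation needed each grant, e.g. `# relabel: cp -c over existing files (AVC denials, <date placeholder>)`, would keep the policy reviewable later.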
@@ -70,29 +77,53 @@ gen_require(`
 attribute logfile;
 ')
 manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
+relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
 manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
+relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
 manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
 manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
 manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
 manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
 manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
 manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
 manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
 manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
 manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
 manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
 manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
+relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
 manage_files_pattern(aimee_storinit_t, logfile, logfile)
+relabel_files_pattern(aimee_storinit_t, logfile, logfile)
 manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
 manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
 manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
+relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
 manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
+relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
 ########################################
 #
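Review bot: `relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)` and its files counterpart use the `logfile` attribute from the gen_require block, so relabelto is granted for every type carrying that attribute rather than for the log types actually present under /var in the rootfs image, and combined with the relabelfrom this hunk gives on var_lib_t, semanage_store_t, tmp_t and the rest, the domain can turn any of those files into a log-typed file. If only the image's own log directories need their contexts preserved, naming the concrete types here, as the hunk already does for auditd_log_t, would narrow the grant; which types are needed is something to confirm from the image's file list. The hunk ends at the comment banner, and the section it opens continues past the hunk.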