From 3210c5e11d71aad5ccf51971cd20e06a914221e9 Mon Sep 17 00:00:00 2001
From: Michael Vogt <michael.vogt@gmail.com>
Date: Tue, 12 Mar 2024 13:06:30 +0100
Subject: [PATCH] install: manually label
 {/etc/fstab,tmpfile.d/bootc-root-ssh.conf}

Right now bootc supports an experimental install from a non-selinux
host when using the `BOOTC_SKIP_SELINUX_HOST_CHECK=1` option.

This is nice and works relatively well. However files written
during the install like /etc/fstab or the tmpfiles.dfile
in /etc/tmpfile.d/bootc-root-ssh.conf must be labeled too.

This commit adds a (rather crude) manual way to do this.

Closes https://github.com/containers/bootc/issues/362

Signed-off-by: Michael Vogt <michael.vogt@gmail.com>
---
 lib/src/install.rs          |  5 ++++-
 lib/src/install/osconfig.rs | 17 +++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/lib/src/install.rs b/lib/src/install.rs
index 06044434..022acb29 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -644,8 +644,11 @@ async fn initialize_ostree_root_from_self(
     }
     f.flush()?;
 
+    let fstab_path = Utf8PathBuf::from("/").join(path.as_str()).join("etc/fstab");
+    state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?;
+
     if let Some(contents) = state.root_ssh_authorized_keys.as_deref() {
-        osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
+        osconfig::inject_root_ssh_authorized_keys(&root, &path.as_str(), &state, contents)?;
     }
 
     let uname = rustix::system::uname();
diff --git a/lib/src/install/osconfig.rs b/lib/src/install/osconfig.rs
index 6bddc640..b7a7f9b5 100644
--- a/lib/src/install/osconfig.rs
+++ b/lib/src/install/osconfig.rs
@@ -1,5 +1,5 @@
 use anyhow::Result;
-use camino::Utf8Path;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std::fs::Dir;
 use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
 use fn_error_context::context;
@@ -8,7 +8,12 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d";
 const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf";
 
 #[context("Injecting root authorized_keys")]
-pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> {
+pub(crate) fn inject_root_ssh_authorized_keys(
+    root: &Dir,
+    root_path: &str,
+    state: &crate::install::State,
+    contents: &str,
+) -> Result<()> {
     // While not documented right now, this one looks like it does not newline wrap
     let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
     // See the example in https://systemd.io/CREDENTIALS/
@@ -18,6 +23,14 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res
     root.create_dir_all(tmpfiles_dir)?;
     let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE);
     root.atomic_write(&target, &tmpfiles_content)?;
+
+    let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE);
+    state.lsm_label(
+        &Utf8PathBuf::from("/").join(root_path).join(&as_path),
+        &Utf8PathBuf::from("/").join(&as_path),
+        false,
+    )?;
+
     println!("Injected: {target}");
     Ok(())
 }