05core: relabel /var from initrd

Now that the kernel supports relabeling from the initrd, we can clean up some hacks here. After running `systemd-tmpfiles`, immediately relabel what we just wrote using `setfiles`. This allows us to drop the `Z /var` tmpfiles.d dropin, and hacking around `systemd-random-seed.service` ordering. For compatibility with RHCOS, I added a fallback in `coreos-relabel` so that if initrd relabeling isn't supported, we just use tmpfiles.d dropins. (RHCOS today sources the `05core` overlay directly, and I think doing it this way is cleaner than splitting things out into a separate overlay). I've also snuck in a fix for the live case with persistent `/var` so we don't always relabel everything in there.
coreos · Nov 29, 2019 · 6fcc31d · 6fcc31d
1 parent 4b19c0b
commit 6fcc31d
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 28 deletions.
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/coreos-relabel b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/coreos-relabel
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -euo pipefail
+
+err() {
+    echo "$@" >&2
+}
+
+fatal() {
+    err "$@"
+    exit 1
+}
+
+if [ $# -eq 0 ]; then
+    err "Usage: $0 [PATTERN...]"
+    err " e.g.: $0 /etc/passwd '/etc/group*'"
+fi
+
+source /sysroot/etc/selinux/config
+
+if [ -z "${SELINUXTYPE:-}" ]; then
+    fatal "Couldn't find SELINUXTYPE in /sysroot/etc/selinux/config"
+fi
+
+file_contexts="/sysroot/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts"
+
+# feature detection until RHEL8 kernel has
+# https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/T/#m5f950ca9fc3ed374cb793fc9aed0435602b1b6ad
+can_setfiles() {
+    CAN_SETFILES_STAMP=/run/.coreos-relabel-can-setfiles
+    if [ ! -f ${CAN_SETFILES_STAMP} ]; then
+        touch /sysroot/etc/.setfiles-test
+        trap 'rm /sysroot/etc/.setfiles-test' EXIT
+        if setfiles -Fr /sysroot "$file_contexts" /sysroot/etc/.setfiles-test &>/dev/null; then
+            echo 1 > ${CAN_SETFILES_STAMP}
+        else
+            echo 0 > ${CAN_SETFILES_STAMP}
+        fi
+    fi
+    grep 1 ${CAN_SETFILES_STAMP}
+}
+
+if can_setfiles; then
+    prefixed_patterns=()
+    while [ $# -ne 0 ]; do
+        pattern=$1; shift
+        prefixed_patterns+=("/sysroot/$pattern")
+    done
+    setfiles -vFi0 -r /sysroot "$file_contexts" "${prefixed_patterns[@]}"
+else
+    while [ $# -ne 0 ]; do
+        pattern=$1; shift
+        # Really, we could handle /etc files here earlier by spitting out a
+        # separate unit service like ignition-relabel.service was. But let's not
+        # do that until the need arises.
+        echo "Z $pattern - - -" >> /run/tmpfiles.d/var-relabel.conf
+    done
+fi
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-populate-var.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-populate-var.sh
@@ -14,34 +14,28 @@ fi
 # Host and Silverblue:
 # https://github.com/rhinstaller/anaconda/blob/b9ea8ce4e68196b30a524c1cc5680dcdc4b89371/pyanaconda/payload/rpmostreepayload.py#L332
 
-# Simply manually mkdir /var/{lib,log}; the tmpfiles.d entries otherwise reference
-# users/groups which we don't have access to from here (though... we *could*
-# import them from the sysroot, and have nss-altfiles in the initrd, but meh...
-# let's just wait for systemd-sysusers which will make this way easier:
-# https://github.com/coreos/fedora-coreos-config/pull/56/files#r262592361).
-mkdir -p /sysroot/var/lib /sysroot/var/log
-
-systemd-tmpfiles --create --boot --root=/sysroot \
-    --prefix=/var/home \
-    --prefix=/var/roothome \
-    --prefix=/var/opt \
-    --prefix=/var/srv \
-    --prefix=/var/usrlocal \
-    --prefix=/var/mnt \
-    --prefix=/var/media
-
-# Ask for /var to be relabeled.
-# See also: https://github.com/coreos/ignition/issues/635.
-mkdir -p /run/tmpfiles.d
-echo "Z /var - - -" > /run/tmpfiles.d/var-relabel.conf
-
-# XXX: https://github.com/systemd/systemd/pull/11903
-for unit in systemd-{journal-catalog-update,random-seed}.service; do
-    mkdir -p /run/systemd/system/${unit}.d
-    cat > /run/systemd/system/${unit}.d/after-tmpfiles.conf <<EOF
-[Unit]
-After=systemd-tmpfiles-setup.service
-EOF
+for varsubdir in lib log home roothome opt srv usrlocal mnt media; do
+
+    # If the directory already existed, just ignore. This addresses the live
+    # image case with persistent `/var`; we don't want to relabel all the files
+    # there on each boot.
+    if [ -d "/sysroot/var/${varsubdir}" ]; then
+        continue
+    fi
+
+    if [[ $varsubdir == lib ]] || [[ $varsubdir == log ]]; then
+        # Simply manually mkdir /var/{lib,log}; the tmpfiles.d entries otherwise
+        # reference users/groups which we don't have access to from here
+        # (though... we *could* import them from the sysroot, and have
+        # nss-altfiles in the initrd, but meh...  let's just wait for
+        # systemd-sysusers which will make this way easier:
+        # https://github.com/coreos/fedora-coreos-config/pull/56/files#r262592361).
+        mkdir -p /sysroot/var/${varsubdir}
+    else
+        systemd-tmpfiles --create --boot --root=/sysroot --prefix="/var/${varsubdir}"
+    fi
+
+    coreos-relabel "/var/${varsubdir}"
 done
 
 # TODO move this to tmpfiles.d once systemd-tmpfiles handles C! with --root correctly.

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -18,6 +18,7 @@ install_ignition_unit() {
 install() {
     inst_multiple \
         realpath \
+        setfiles \
         systemd-sysusers \
         systemd-tmpfiles \
         sort \
@@ -38,4 +39,6 @@ install() {
 
     install_ignition_unit ignition-ostree-growfs.service
     inst_script "$moddir/coreos-growpart" /usr/libexec/coreos-growpart
+
+    inst_script "$moddir/coreos-relabel" /usr/bin/coreos-relabel
 }