Merge pull request #96 from cgwalters/selinux-disabled

install: Only invoke `chcon` if SELinux enabled in the source

Author: jmarrero

lib/src/install.rs

@@ -32,7 +32,6 @@ use serde::{Deserialize, Serialize};
 
 use self::baseline::InstallBlockDeviceOpts;
 use crate::containerenv::ContainerExecutionInfo;
-use crate::lsm::lsm_label;
 use crate::task::Task;
 use crate::utils::run_in_host_mountns;
 
@@ -185,6 +184,21 @@ pub(crate) struct State {
     pub(crate) install_config: config::InstallConfiguration,
 }
 
+impl State {
+    // Wraps core lsm labeling functionality, conditionalizing based on source state
+    pub(crate) fn lsm_label(
+        &self,
+        target: &Utf8Path,
+        as_path: &Utf8Path,
+        recurse: bool,
+    ) -> Result<()> {
+        if !self.source.selinux {
+            return Ok(());
+        }
+        crate::lsm::lsm_label(target, as_path, recurse)
+    }
+}
+
 /// Path to initially deployed version information
 const BOOTC_ALEPH_PATH: &str = ".bootc-aleph.json";
 
@@ -438,7 +452,7 @@ async fn initialize_ostree_root_from_self(
         .run()?;
 
     // Ensure everything in the ostree repo is labeled
-    lsm_label(&rootfs.join("ostree"), "/usr".into(), true)?;
+    state.lsm_label(&rootfs.join("ostree"), "/usr".into(), true)?;
 
     let sysroot = ostree::Sysroot::new(Some(&gio::File::for_path(rootfs)));
     sysroot.load(cancellable)?;

lib/src/install/baseline.rs

@@ -26,7 +26,6 @@ use super::RootSetup;
 use super::State;
 use super::RUN_BOOTC;
 use super::RW_KARG;
-use crate::lsm::lsm_label;
 use crate::mount;
 use crate::task::Task;
 
@@ -346,15 +345,15 @@ pub(crate) fn install_create_rootfs(
         .collect::<Vec<_>>();
 
     mount::mount(&rootdev, &rootfs)?;
-    lsm_label(&rootfs, "/".into(), false)?;
+    state.lsm_label(&rootfs, "/".into(), false)?;
     let rootfs_fd = Dir::open_ambient_dir(&rootfs, cap_std::ambient_authority())?;
     let bootfs = rootfs.join("boot");
     std::fs::create_dir(&bootfs).context("Creating /boot")?;
     // The underlying directory on the root should be labeled
-    lsm_label(&bootfs, "/boot".into(), false)?;
+    state.lsm_label(&bootfs, "/boot".into(), false)?;
     mount::mount(bootdev, &bootfs)?;
     // And we want to label the root mount of /boot
-    lsm_label(&bootfs, "/boot".into(), false)?;
+    state.lsm_label(&bootfs, "/boot".into(), false)?;
 
     // Create the EFI system partition, if applicable
     if let Some(espdev) = espdev {