Merge remote-tracking branch 'origin/pr/541'

marmarek · marmarek · commit e1d1a5ed40b4 · 2025-01-26T03:28:19.000+01:00
* origin/pr/541:
  Relabel / and /rw if needed
diff --git a/Makefile b/Makefile
@@ -130,6 +130,7 @@ install-init:
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
 ifneq ($(ENABLE_SELINUX),1)
 	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-root.sh
+	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-rw.sh
 endif
 
 # Systemd service files
diff --git a/init/relabel-rw.sh b/init/relabel-rw.sh
@@ -0,0 +1,12 @@
+#!/bin/bash --
+set -eu
+unset SELINUXTYPE
+if [ -f /etc/selinux/config ]; then
+    # shellcheck disable=SC1091
+    . /etc/selinux/config
+fi
+ctx_file=/etc/selinux/${SELINUXTYPE:-targeted}/contexts/files/file_contexts
+if [ "$ctx_file" -nt /rw/.autorelabel ]; then
+    restorecon -R /rw
+    touch "--reference=$ctx_file" /rw/.autorelabel
+fi
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -426,6 +426,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
 %dir %_unitdir/selinux-autorelabel.service.d
 %_unitdir/selinux-autorelabel.service.d/30_qubes.conf
 /usr/lib/qubes/init/relabel-root.sh
+/usr/lib/qubes/init/relabel-rw.sh
 
 %postun selinux
 if [ "$1" -eq 0 ]; then
diff --git a/vm-systemd/qubes-relabel-root.service b/vm-systemd/qubes-relabel-root.service
@@ -3,7 +3,8 @@ Description=Relabel /
 After=qubes-sysinit.service
 Requires=qubes-sysinit.service
 ConditionSecurity=selinux
-ConditionPathExists=!/.qubes-relabeled
+ConditionPathExists=|/.autorelabel
+ConditionPathExists=|!/.qubes-relabeled
 ConditionPathExists=/run/qubes/persistent-full
 DefaultDependencies=no
 Conflicts=shutdown.target
diff --git a/vm-systemd/qubes-relabel-rw.service b/vm-systemd/qubes-relabel-rw.service
@@ -1,18 +1,16 @@
 [Unit]
 Description=Relabel /rw and /home
-After=qubes-mount-dirs.service qubes-sysinit.service
-Requires=qubes-mount-dirs.service qubes-sysinit.service
+After=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
+Requires=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
 ConditionSecurity=selinux
-ConditionPathExists=!/rw/.autorelabel
 DefaultDependencies=no
 Conflicts=selinux-autorelabel.service
 Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-agent.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/sbin/restorecon -RF /rw /home /usr/local
-ExecStart=/bin/touch /rw/.autorelabel
+ExecStart=/usr/lib/qubes/init/relabel-rw.sh
 
 [Install]
 WantedBy=multi-user.target
