ostreedev · cgwalters · Oct 1, 2021 · jlebon · Oct 4, 2021 · jlebon
diff --git a/src/libostree/ostree-repo-libarchive.c b/src/libostree/ostree-repo-libarchive.c
@@ -27,6 +27,7 @@
 #include "ostree.h"
 #include "ostree-core-private.h"
 #include "ostree-repo-private.h"
+#include "ostree-sepolicy-private.h"
 
 #ifdef HAVE_LIBARCHIVE
 #include <archive.h>
@@ -167,8 +168,8 @@ builder_add_label (GVariantBuilder  *builder,
   if (!sepolicy)
     return TRUE;
 
-  if (!ostree_sepolicy_get_label (sepolicy, path, mode, &label,
-                                  cancellable, error))
+  if (!_ostree_sepolicy_require_label (sepolicy, path, mode, &label,
+                                       cancellable, error))
     return FALSE;
 
   if (label)

diff --git a/src/libostree/ostree-sepolicy-private.h b/src/libostree/ostree-sepolicy-private.h
@@ -38,6 +38,11 @@ gboolean _ostree_sepolicy_preparefscreatecon (OstreeSepolicyFsCreatecon *con,
                                               guint32           mode,
                                               GError          **error);
 
+gboolean
+_ostree_sepolicy_require_label (OstreeSePolicy *policy, const char *relpath,
+                                guint32 unix_mode, char **out_label, 
+                                GCancellable *cancellable, GError **error);
+
 GVariant *_ostree_filter_selinux_xattr (GVariant *xattrs);
 
 G_END_DECLS
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c
@@ -599,6 +599,25 @@ ostree_sepolicy_get_label (OstreeSePolicy    *self,
   return TRUE;
 }
 
+// If policy doesn't specify a label, try a fallback.
+gboolean
+_ostree_sepolicy_require_label (OstreeSePolicy *policy, const char *relpath,
+                                guint32 unix_mode, char **out_label, 
+                                GCancellable *cancellable, GError **error)
+{
+  char *label = NULL;
+  if (!ostree_sepolicy_get_label (policy, relpath, unix_mode, &label, cancellable, error))
+    return FALSE;
+  if (!label)
+    {
+      if (!ostree_sepolicy_get_label (policy, "/usr/share/some-generic-thing", unix_mode, &label, cancellable, error))
+        return FALSE;
+    }
+  *out_label = label;
+  return TRUE;
+}
+
+
 /**
  * ostree_sepolicy_restorecon:
  * @self: Self

diff --git a/tests/kolainst/destructive/itest-label-selinux.sh b/tests/kolainst/destructive/itest-label-selinux.sh
@@ -107,7 +107,9 @@ echo "ok commit --selinux-policy-from-base"
 
 rm rootfs -rf
 mkdir rootfs
-mkdir -p rootfs/usr/{bin,lib,etc}
+mkdir -p rootfs/usr/{bin,lib,etc} rootfs/var/tmp
+# Fedora's SELinux policy doesn't give whiteouts a label, so this tests our force-labeling
+touch rootfs/var/tmp/.wh..wh..opq
 echo 'somebinary' > rootfs/usr/bin/somebinary
 ls -Z rootfs/usr/bin/somebinary > lsz.txt
 assert_not_file_has_content lsz.txt ':bin_t:'
@@ -116,4 +118,5 @@ tar -C rootfs -cf rootfs.tar .
 ostree commit -b newbase --selinux-policy / --tree=tar=rootfs.tar
 ostree ls -X newbase /usr/bin/somebinary > newls.txt
 assert_file_has_content newls.txt ':bin_t:'
+ostree fsck
 echo "ok commit --selinux-policy with --tree=tar"