Relabel / and /rw if needed
Creating /.autorelabel must cause a Qubes OS VM to relabel everything;
otherwise users cannot troubleshoot their systems, and upstream packages
that create the file will break.  However, the file was ignored, so fix
that.

Furthermore, relabel the filesystem of a TemplateBasedVM whenever its
TemplateVM has been relabeled since the TemplateBasedVM was.  This
ensures that policy changes propagate to TemplateBasedVMs too.
DemiMarie committed Jan 8, 2025
1 parent 74d07bb commit 93141bd
Showing 6 changed files with 21 additions and 6 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -130,6 +130,7 @@ install-init:
install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
ifneq ($(ENABLE_SELINUX),1)
rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-root.sh
rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-rw.sh
endif

# Systemd service files
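--- a/init/fake-selinux-config
+++ b/init/fake-selinux-config
@@ -0,0 +1,2 @@
+#!/bin/sh
+SELINUXTYPE=targeted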
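Review bot: The stub carries no comment saying what it is for, and a reader finding `SELINUXTYPE=targeted` under init/ may take it for a configuration file that is shipped to VMs. It is referenced only by the `# shellcheck source=fake-selinux-config` directive in relabel-rw.sh and does not appear in the Makefile or spec hunks of this commit, so a header such as `# Stand-in for /etc/selinux/config used only by shellcheck; not installed.` would prevent that confusion.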
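--- a/init/relabel-rw.sh
+++ b/init/relabel-rw.sh
@@ -0,0 +1,12 @@
+#!/bin/bash --
+set -eu
+unset SELINUXTYPE
+if [ -f /etc/selinux/config ]; then
+# shellcheck source=fake-selinux-config
+. /etc/selinux/config
+fi
+ctx_file=/etc/selinux/${SELINUXTYPE:-targeted}/contexts/files/file_contexts
+if [ "$ctx_file" -nt /rw/.autorelabel ]; then
+restorecon -R /rw
+touch "--reference=$ctx_file" /rw/.autorelabel
+fi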
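Review bot: The `-nt` test keys the relabel off the mtime of file_contexts, which is a weak change detector: package managers commonly preserve file mtimes from the package, so a policy update installed in the template can carry a file_contexts older than the marker and the /rw labels then stay stale without any error, and file_contexts.local and file_contexts.homedirs, which restorecon also consults, are never looked at. Recording a hash of the context files in the marker instead of copying a timestamp makes the check content-based, and the empty marker left behind by the previous unit's `touch /rw/.autorelabel` would then trigger exactly one relabel on upgrade. Separately, the `restorecon -R /rw` line drops the `-F` that the removed ExecStart passed, so files carrying customizable types are no longer reset; if the old behaviour was intended, use `restorecon -RF /rw`. Naming only /rw (the old command also listed /home and /usr/local) is presumably fine because those are bind mounts of /rw subdirectories, but that assumption deserves a comment in the script.
```shell
ctx_dir=/etc/selinux/${SELINUXTYPE:-targeted}/contexts/files
marker=/rw/.autorelabel
[ -f "$ctx_dir/file_contexts" ] || exit 0
# Compare content, not mtime: installed mtimes may predate the marker, and
# restorecon also reads the .local/.homedirs files.
want=$(cd "$ctx_dir" && cat file_contexts file_contexts.local file_contexts.homedirs 2>/dev/null | sha256sum | cut -d' ' -f1)
if [ ! -f "$marker" ] || [ "$(cat "$marker")" != "$want" ]; then
    restorecon -RF /rw
    printf '%s\n' "$want" > "$marker"
fi
```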
1 change: 1 addition & 0 deletions rpm_spec/core-agent.spec.in
Expand Up @@ -426,6 +426,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
%dir %_unitdir/selinux-autorelabel.service.d
%_unitdir/selinux-autorelabel.service.d/30_qubes.conf
/usr/lib/qubes/init/relabel-root.sh
/usr/lib/qubes/init/relabel-rw.sh

%postun selinux
if [ "$1" -eq 0 ]; then
3 changes: 2 additions & 1 deletion vm-systemd/qubes-relabel-root.service
Expand Up @@ -3,7 +3,8 @@ Description=Relabel /
After=qubes-sysinit.service
Requires=qubes-sysinit.service
ConditionSecurity=selinux
ConditionPathExists=!/.qubes-relabeled
ConditionPathExists=|/.autorelabel
ConditionPathExists=|!/.qubes-relabeled
ConditionPathExists=/run/qubes/persistent-full
DefaultDependencies=no
Conflicts=shutdown.target
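Review bot: The new `ConditionPathExists=|/.autorelabel` trigger makes the unit start on every boot for as long as /.autorelabel exists, and nothing in this commit shows relabel-root.sh removing that file once the relabel has finished; if it does not, the VM relabels on every start until someone deletes the file by hand. Confirm the script ends with `rm -f /.autorelabel` (or that the `|!/.qubes-relabeled` path does so), and, since upstream's selinux-autorelabel.service keys off the same file, check that the part of this unit below the hunk carries `Conflicts=selinux-autorelabel.service` as qubes-relabel-rw.service does. The unit file continues outside the hunk.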
8 changes: 3 additions & 5 deletions vm-systemd/qubes-relabel-rw.service
@@ -1,18 +1,16 @@
[Unit]
Description=Relabel /rw and /home
After=qubes-mount-dirs.service qubes-sysinit.service
Requires=qubes-mount-dirs.service qubes-sysinit.service
After=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
Requires=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
ConditionSecurity=selinux
ConditionPathExists=!/rw/.autorelabel
DefaultDependencies=no
Conflicts=selinux-autorelabel.service
Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-agent.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/restorecon -RF /rw /home /usr/local
ExecStart=/bin/touch /rw/.autorelabel
ExecStart=/usr/lib/qubes/init/relabel-rw.sh

[Install]
WantedBy=multi-user.target

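Review bot: The retained `Description=Relabel /rw and /home` no longer matches what the unit does: the new `ExecStart=/usr/lib/qubes/init/relabel-rw.sh` passes only /rw to restorecon, whereas the removed ExecStart named /rw, /home and /usr/local. Either update the description or, if /home and /usr/local are bind mounts of /rw subdirectories here, add a comment in the unit saying that is why naming /rw suffices. With `ConditionPathExists=!/rw/.autorelabel` gone the unit now starts on every boot and relies on the script to decide whether to relabel, which is worth a comment as well, since the once-only semantics the marker name suggests is what a reader would otherwise expect.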