From 31bb12ac6abc088dad1f1f3087dc9f1877737177 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Sun, 22 Dec 2024 19:23:47 -0500 Subject: [PATCH] Relabel / and /rw if needed Creating /.autorelabel must cause a Qubes OS VM to relabel everything, as otherwise users will not be able to troubleshoot their systems and upstream packages that create it will break. However, it was ignored, so fix that. Furthermore, relabel the filesystem of a TemplateBasedVM whenever its TemplateVM has been relabeled since the TemplateBasedVM was. This ensures that policy changes propagate to TemplateBasedVMs too. --- Makefile | 1 + init/relabel-rw.sh | 12 ++++++++++++ rpm_spec/core-agent.spec.in | 1 + vm-systemd/qubes-relabel-root.service | 3 ++- vm-systemd/qubes-relabel-rw.service | 8 +++----- 5 files changed, 19 insertions(+), 6 deletions(-) create mode 100755 init/relabel-rw.sh diff --git a/Makefile b/Makefile index 9848a8e83..c42255395 100644 --- a/Makefile +++ b/Makefile @@ -130,6 +130,7 @@ install-init: install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/ ifneq ($(ENABLE_SELINUX),1) rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-root.sh + rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-rw.sh endif # Systemd service files diff --git a/init/relabel-rw.sh b/init/relabel-rw.sh new file mode 100755 index 000000000..da71d9b1f --- /dev/null +++ b/init/relabel-rw.sh @@ -0,0 +1,12 @@ +#!/bin/bash -- +set -eu +unset SELINUXTYPE +if [ -f /etc/selinux/config ]; then + # shellcheck disable=SC1091 + . /etc/selinux/config +fi +ctx_file=/etc/selinux/${SELINUXTYPE:-targeted}/contexts/files/file_contexts +if [ "$ctx_file" -nt /rw/.autorelabel ]; then + restorecon -R /rw + touch "--reference=$ctx_file" /rw/.autorelabel +fi diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 143dc02f0..fbfd397f8 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -426,6 +426,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions. %dir %_unitdir/selinux-autorelabel.service.d %_unitdir/selinux-autorelabel.service.d/30_qubes.conf /usr/lib/qubes/init/relabel-root.sh +/usr/lib/qubes/init/relabel-rw.sh %postun selinux if [ "$1" -eq 0 ]; then diff --git a/vm-systemd/qubes-relabel-root.service b/vm-systemd/qubes-relabel-root.service index c1611cc3f..a79e6b116 100644 --- a/vm-systemd/qubes-relabel-root.service +++ b/vm-systemd/qubes-relabel-root.service @@ -3,7 +3,8 @@ Description=Relabel / After=qubes-sysinit.service Requires=qubes-sysinit.service ConditionSecurity=selinux -ConditionPathExists=!/.qubes-relabeled +ConditionPathExists=|/.autorelabel +ConditionPathExists=|!/.qubes-relabeled ConditionPathExists=/run/qubes/persistent-full DefaultDependencies=no Conflicts=shutdown.target diff --git a/vm-systemd/qubes-relabel-rw.service b/vm-systemd/qubes-relabel-rw.service index 2e4d42037..cbffb991b 100644 --- a/vm-systemd/qubes-relabel-rw.service +++ b/vm-systemd/qubes-relabel-rw.service @@ -1,9 +1,8 @@ [Unit] Description=Relabel /rw and /home -After=qubes-mount-dirs.service qubes-sysinit.service -Requires=qubes-mount-dirs.service qubes-sysinit.service +After=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service +Requires=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service ConditionSecurity=selinux -ConditionPathExists=!/rw/.autorelabel DefaultDependencies=no Conflicts=selinux-autorelabel.service Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-agent.service @@ -11,8 +10,7 @@ Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec- [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/sbin/restorecon -RF /rw /home /usr/local -ExecStart=/bin/touch /rw/.autorelabel +ExecStart=/usr/lib/qubes/init/relabel-rw.sh [Install] WantedBy=multi-user.target