From c2b5c2a173699b301916d9df75893ba4fc8b9d45 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 6 Feb 2024 10:28:35 -0500
Subject: [PATCH] =?UTF-8?q?composepost:=20Add=20SELinux=20equivalency=20ru?=
 =?UTF-8?q?le=20for=20/usr/lib/opt=20=E2=86=92=20/opt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When `/opt` packages get moved to `/usr/lib/opt`, they're not being labeled properly; they get the `lib_t` label instead of `usr_t` (or e.g. `bin_t` for `/opt/bin`). This apparently works for e.g. Google Chrome (for which the `/usr/lib/opt` translation was added). But with state overlays, the goal is to support all `/opt` packages and things will break without proper labeling. Add an equivalency rule so that `/usr/lib/opt` is labeled like `/opt. This fixes the SELinux issues that occur when layering Puppet in https://github.com/coreos/rpm-ostree/issues/233#issuecomment-1856720559. This should probably be upstreamed to SELinux (along with the `/usr/etc` equivalency rule just above). Side note: in the status quo model where `/opt` is a symlink to `/var/opt`, everything is *also* mislabeled (it gets `var_t`). To be conservative, we don't fix this since presumably this works right now for people writing files there via e.g. Ignition/cloud-init and anyway all that would go away if we move over to state overlays by default in the future.
---
 rust/src/composepost.rs | 2 ++
 tests/kolainst/destructive/state-overlays | 6 ++++++
 tests/kolainst/kolainst-build.sh | 6 ++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/rust/src/composepost.rs b/rust/src/composepost.rs
index ddd4a4c088..5f2e3229e5 100644
--- a/rust/src/composepost.rs
+++ b/rust/src/composepost.rs
@@ -381,6 +381,8 @@ fn postprocess_subs_dist(rootfs_dfd: &Dir) -> Result<()> {
 writeln!(w, "/home /var/home")?;
 writeln!(w, "# https://github.com/coreos/rpm-ostree/pull/4640")?;
 writeln!(w, "/usr/etc /etc")?;
+ writeln!(w, "# https://github.com/coreos/rpm-ostree/pull/1795")?;
+ writeln!(w, "/usr/lib/opt /opt")?;
 Ok(())
 })?;
 }
diff --git a/tests/kolainst/destructive/state-overlays b/tests/kolainst/destructive/state-overlays
index c2aac0d1c5..468b96b871 100755
--- a/tests/kolainst/destructive/state-overlays
+++ b/tests/kolainst/destructive/state-overlays
@@ -68,6 +68,7 @@ EOF
 /tmp/autopkgtest-reboot 1
 ;;
 1)
+ test -f /opt/bin/test-opt
 test -f /opt/megacorp/bin/test-opt
 test -f /opt/megacorp/lib/mylib
 test -d /opt/megacorp/state
@@ -76,6 +77,11 @@ EOF
 assert_file_has_content /tmp/out.txt 'test-opt'
 assert_file_has_content /opt/megacorp/lib/mylib 'lib1'
+ stat -c '%C' /opt/bin/test-opt > /tmp/out.txt
+ assert_file_has_content /tmp/out.txt ':bin_t:'
+ stat -c '%C' /opt/megacorp > /tmp/out.txt
+ assert_file_has_content /tmp/out.txt ':usr_t:'
+
 # add some state files
 echo 'foobar' > /opt/megacorp/state/mystate
diff --git a/tests/kolainst/kolainst-build.sh b/tests/kolainst/kolainst-build.sh
index 8ed020f163..fed0f8655d 100755
--- a/tests/kolainst/kolainst-build.sh
+++ b/tests/kolainst/kolainst-build.sh
@@ -98,10 +98,12 @@ build_rpm zincati version 99.99 release 3
 # An RPM that installs in /opt
 build_rpm test-opt \
- install "mkdir -p %{buildroot}/opt/megacorp/{bin,lib,state}
+ install "mkdir -p %{buildroot}/opt/megacorp/{bin,lib,state} %{buildroot}/opt/bin
+ install %{name} %{buildroot}/opt/bin
 install %{name} %{buildroot}/opt/megacorp/bin
 echo lib1 > %{buildroot}/opt/megacorp/lib/mylib" \
- files "/opt/megacorp"
+ files "/opt/megacorp
+ /opt/bin/test-opt"
 mv ${test_tmpdir}/yumrepo/* ${test_tmpdir}/rpm-repos/${repover}
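Review bot: The comment emitted just before the new substitution is only a PR URL, so anyone reading the generated `file_contexts.subs_dist` on a deployed system cannot tell why `/usr/lib/opt` is rewritten; put the intent in the file itself, e.g. `writeln!(w, "# Label /usr/lib/opt like /opt (usr_t, bin_t, ...) rather than lib_t; see https://github.com/coreos/rpm-ostree/pull/1795")?;`. As far as I recall, libselinux prepends each subs line as it reads the file and returns the first prefix match, so if any other entry in this file maps `/usr` or `/usr/lib`, the relative position of this line decides which one wins and deserves a one-line note; I cannot see the rest of the entries from here. The body of `postprocess_subs_dist` starts before the hunk, and the trailing `}` appears to be the function's end but that is not verifiable from the hunk alone.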
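Review bot: The two label assertions added after the `'lib1'` check only look at the merged `/opt` overlay, so a mislabeled lower tree would show up as an overlay symptom rather than as a compose-time labeling regression; also assert on the path the subs rule actually targets, `stat -c '%C' /usr/lib/opt/bin/test-opt > /tmp/out.txt` followed by `assert_file_has_content /tmp/out.txt ':bin_t:'`. Adding the same check for `/opt/megacorp/bin/test-opt` would cover the `/opt/<pkg>/bin` case the commit message describes, which the existing `test -f` lines confirm is installed but whose label is not checked. Matching on `:bin_t:` rather than the full context is the right choice here, since user and role may legitimately differ between images.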
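Review bot: The new `files` entry names `/opt/bin/test-opt` but not `/opt/bin` itself, so, assuming `build_rpm` forwards this list to `%files` unchanged, the directory is left unowned by the package while `/opt/megacorp` is owned as a whole; list the directory instead, `files "/opt/megacorp` on one line and `/opt/bin"` on the next, which owns the binary too and lets the label test also assert on the directory's own context. Since the point of the package is now label coverage, owning both directories keeps the fixture symmetric and avoids an rpm-side difference masking a labeling one.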