Universal Blue•2mo ago

systemd PR

int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
}
static inline int write_string_file_label(const char *fn, const char *line, WriteStringFileFlags flags, const char *label_fn) {
        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, label_fn);
}

int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
}
static inline int write_string_file_label(const char *fn, const char *line, WriteStringFileFlags flags, const char *label_fn) {
        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, label_fn);
}

36 Replies

tulip•2mo ago

sys systemd pr gaming

GerbleshOP•2mo ago

:true: yeah so I'm not sure on the name of write_string_file_label as it's really assuming file creation, and it's specific to relabling on creation so I think it should include the flags???

tulip•2mo ago

but like thats the point why dont we just use WRITE_STRING_FILE_LABEL instead of having a dedicated function? it should set up everything by default

GerbleshOP•2mo ago

so just use the write_string_file_full function raw without an abraction in the header?

tulip•2mo ago

check this patch out

tulip•2mo ago

0002-amogus-boogaloo...

tulip•2mo ago

this kinda looks what pottering wants

GerbleshOP•2mo ago

issue the heirachy variable isn't used for SELinux lookup but yeah that looks good

tulip•2mo ago

idk exactly what to do with it tho...

GerbleshOP•2mo ago

it's what they use to fix the SELinux label are you able to join VC?

tulip•2mo ago

yup git rebase main

GerbleshOP•2mo ago

0002-sysext-extend-f...

tulip•2mo ago

Co-authored-by: NAME <[email protected]>

GerbleshOP•2mo ago

update for anyone wondering, code lives here now: https://github.com/systemd/systemd/compare/main...gerblesh:systemd:main-sysexts-selinux-labels

GitHub

Comparing systemd:main...gerblesh:main-sysexts-selinux-labels · sys...

The systemd System and Service Manager . Contribute to systemd/systemd development by creating an account on GitHub.

GerbleshOP•2mo ago

@tulip things are actually way easier to test there's a sysext binary artifact from compiling systemd we could just use that no need to compile and install the entirety of systemd https://systemd.io/HACKING/ this page is SUPER helpful ok so the args work idk why this is broke

int mac_selinux_create_file_prepare_at(
                int dir_fd,
                const char *path,
                mode_t mode) {

#if HAVE_SELINUX
        _cleanup_free_ char *abspath = NULL;
        int r;

        assert(dir_fd >= 0 || dir_fd == AT_FDCWD);

        r = selinux_init(/* force= */ false);
        if (r <= 0)
                return r;

        if (!label_hnd)
                return 0;

        if (isempty(path) || !path_is_absolute(path)) {
                if (dir_fd == AT_FDCWD)
                        r = safe_getcwd(&abspath);
                else
                        r = fd_get_path(dir_fd, &abspath);
                if (r < 0)
                        return r;

                if (!isempty(path) && !path_extend(&abspath, path))
                        return -ENOMEM;

                path = abspath;
        }

        return selinux_create_file_prepare_abspath(path, mode);
#else
        return 0;
#endif
}

int mac_selinux_create_file_prepare_at(
                int dir_fd,
                const char *path,
                mode_t mode) {

#if HAVE_SELINUX
        _cleanup_free_ char *abspath = NULL;
        int r;

        assert(dir_fd >= 0 || dir_fd == AT_FDCWD);

        r = selinux_init(/* force= */ false);
        if (r <= 0)
                return r;

        if (!label_hnd)
                return 0;

        if (isempty(path) || !path_is_absolute(path)) {
                if (dir_fd == AT_FDCWD)
                        r = safe_getcwd(&abspath);
                else
                        r = fd_get_path(dir_fd, &abspath);
                if (r < 0)
                        return r;

                if (!isempty(path) && !path_extend(&abspath, path))
                        return -ENOMEM;

                path = abspath;
        }

        return selinux_create_file_prepare_abspath(path, mode);
#else
        return 0;
#endif
}

this is the whole label_ops_pre function well at least I think @tulip looks like it works the labels are preserved with our sysext as well when using the normal sysext merge it bricks my PC lmao thank god I masked the service now time to look at the tests basically idk if you installed the right stuff because the SELinux context works like sudo n all that on a more positive note I learned a lot about systemd

GerbleshOP•2mo ago

https://github.com/gerblesh/systemd/actions/runs/11763390093/job/32767299616?pr=1

GitHub

Main sysexts selinux labels · gerblesh/systemd@7d2d2f9

The systemd System and Service Manager . Contribute to gerblesh/systemd development by creating an account on GitHub.

tulip•2mo ago

but like, we actually need the entire systemd stuff on runtime reading that HACKING page i ended up figuring out that mkosi -d fedora makes the RPMs for me! mkosi is kinda crazy god damn

GerbleshOP•2mo ago

we don't the proper labels happen when mounting the sysext just using the binary in the build dir

tulip•2mo ago

oh! nice soooo what was it that wasnt working? like on the code that we modified

GerbleshOP•2mo ago

nothing, our changes work just the same as timothees

tulip•2mo ago

LOL i wonder why it didnt work on the VM then?

GerbleshOP•2mo ago

when using the normal sysext merge /usr doesn't get the proper labels

tulip•2mo ago

maybe i did something wrong

GerbleshOP•2mo ago

I think the sysext tool might not have been upgraded to ours? Idk

tulip•2mo ago

probably! but like how did you compile just systemd-sysext?

GerbleshOP•2mo ago

I just did the meson build all the binaries are in the build/ dir

tulip•2mo ago

yeah! i just thought you could compile just sysext yeyey all the binaries are there

GerbleshOP•2mo ago

may or may not have fixed the issue with the tests

GerbleshOP•2mo ago

https://github.com/gerblesh/systemd/actions/runs/11771656095/job/32785895169

GitHub

Main sysexts selinux labels · gerblesh/systemd@bc6568c

The systemd System and Service Manager . Contribute to gerblesh/systemd development by creating an account on GitHub.

GerbleshOP•2mo ago

🤞 @tulip TESTS PASS!!!!

GerbleshOP•2mo ago

https://github.com/systemd/systemd/pull/34414#issuecomment-2469612940

GitHub

sysext: Set SELinux context for overlay hierarchies mountpoints by ...

See: coreos/fedora-coreos-tracker#1744 See: #31404 Fixes: #34387 With this change, I get the correct SELinux label for /usr with sysexts: ls -alhZd /etc /usr /opt drwxr-xr-x. 86 root root system...

GerbleshOP•2mo ago

looks like my PR is doesn't solve some previous issues with the SELinux labeling

tulip•2mo ago

this is still a huge improvement tho you are doing a great job!

GerbleshOP•2mo ago

https://github.com/systemd/systemd/pull/35132

GitHub

sysext: Set SELinux context for hierarchies and workdir by gerblesh...

Based on: #34387 Fixes: #34387 This PR fixes issues with labeling the workdir and the files under /usr/.systemd-sysext. ❯ sudo ls -laFZ /usr/.systemd-sysext/ total 12 drwxr-xr-x. 2 root root system...

GerbleshOP•2mo ago

is anybody able to sanity check my SELinux changes for fileio.c?

GerbleshOP•2mo ago

@tulip I'm confused because Poettering reviewed my PR but it looks like he looked at an older commit? https://github.com/systemd/systemd/pull/35132

GitHub

sysext: Set SELinux context for hierarchies and workdir by gerblesh...

Gaming

Programming

systemd PR