Relabel / and /rw if needed

DemiMarie · DemiMarie · commit 523b6d55158f · 2024-12-26T22:17:18.000-05:00
Creating /.autorelabel must cause a Qubes OS VM to relabel everything,
as otherwise users will not be able to troubleshoot their systems and
upstream packages that create it will break.  However, it was ignored,
so fix that.

Furthermore, relabel the filesystem of a TemplateBasedVM whenever its
TemplateVM has been relabeled since the TemplateBasedVM was.  This
ensures that policy changes propagate to TemplateBasedVMs too.
diff --git a/Makefile b/Makefile
@@ -130,6 +130,7 @@ install-init:
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
 ifneq ($(ENABLE_SELINUX),1)
 	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-root.sh
+	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-rw.sh
 endif
 
 # Systemd service files
diff --git a/init/relabel-rw.sh b/init/relabel-rw.sh
@@ -0,0 +1,6 @@
+#!/bin/bash --
+set -eu
+if [ /.qubes-relabeled -nt /rw/.autorelabel ]; then
+    restorecon -RF /rw /home /usr/local
+    touch /rw/.autorelabel
+fi
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -426,6 +426,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
 %dir %_unitdir/selinux-autorelabel.service.d
 %_unitdir/selinux-autorelabel.service.d/30_qubes.conf
 /usr/lib/qubes/init/relabel-root.sh
+/usr/lib/qubes/init/relabel-rw.sh
 
 %postun selinux
 if [ "$1" -eq 0 ]; then
diff --git a/vm-systemd/qubes-relabel-root.service b/vm-systemd/qubes-relabel-root.service
@@ -3,7 +3,8 @@ Description=Relabel /
 After=qubes-sysinit.service
 Requires=qubes-sysinit.service
 ConditionSecurity=selinux
-ConditionPathExists=!/.qubes-relabeled
+ConditionPathExists=|/.autorelabel
+ConditionPathExists=|!/.qubes-relabeled
 ConditionPathExists=/run/qubes/persistent-full
 DefaultDependencies=no
 Conflicts=shutdown.target
diff --git a/vm-systemd/qubes-relabel-rw.service b/vm-systemd/qubes-relabel-rw.service
@@ -1,18 +1,16 @@
 [Unit]
 Description=Relabel /rw and /home
-After=qubes-mount-dirs.service qubes-sysinit.service
-Requires=qubes-mount-dirs.service qubes-sysinit.service
+After=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
+Requires=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
 ConditionSecurity=selinux
-ConditionPathExists=!/rw/.autorelabel
 DefaultDependencies=no
 Conflicts=selinux-autorelabel.service
 Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-agent.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/sbin/restorecon -RF /rw /home /usr/local
-ExecStart=/bin/touch /rw/.autorelabel
+ExecStart=/usr/lib/qubes/init/relabel-rw.sh
 
 [Install]
 WantedBy=multi-user.target
