Set correct SELinux contexts on /rw

This is needed for disposable sys-net to work properly.  Without it
/rw is not labeled correctly, causing SELinux to (correctly) block
NetworkManager's writes to /rw/config/NM-system-connections.

Fixes: QubesOS/qubes-issues#8242

init/functions

@@ -178,19 +178,29 @@ initialize_home() {
     home_root="$1"
     mode="$2"
 
-    if [ -z "$home_root" ] ; then
+    case $home_root in
+    (/*)
+        ;;
+    ('')
         echo "initialize_home() needs a target home root directory, such as /rw/home, as first parameter" >&2
         return 64
-    fi
+        ;;
+    (*)
+        echo 'initialize_home target root home directory must be an absolute path' >&2
+        return 64
+        ;;
+    esac
 
     if [ "$mode" != "unconditionally" ] && [ "$mode" != "ifneeded" ] ; then
         echo "initialize_home() second parameter must be 'unconditionally' or 'ifneeded'" >&2
         return 64
     fi
 
+    if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
+
     if ! [ -d "$home_root" ] ; then
         echo "initialize_home: populating $home_root" >&2
-        mkdir -p "$home_root"
+        mkdir "-${enable_selinux}m0755" -- "$home_root" || return 73
     fi
 
     # Chown home if users' UIDs have changed - can be the case on template switch.
@@ -202,7 +212,6 @@ initialize_home() {
         homedirwithouthome=${homedir#/home/}
         if ! test -d "$home_root/$homedirwithouthome" || [ "$mode" = "unconditionally" ] ; then
             echo "initialize_home: populating $mode $home_root/$homedirwithouthome from /etc/skel" >&2
-            if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
             if [ "$mode" = unconditionally ]; then
                 mkdir "-p${enable_selinux}" -- "$home_root/$homedirwithouthome" || return 73
             else

init/setup-rw.sh

@@ -13,11 +13,17 @@ if mountpoint -q /rw ; then
         echo "Private device size management: resize2fs $dev failed:" >&2
         echo "$content" >&2
     fi
+    if [ -d /sys/fs/selinux ]; then
+        enable_selinux=-Z
+        chcon -t system_u:object_r:root_t:s0 /rw
+    else
+        enable_selinux=
+    fi
 
     if ! [ -d /rw/config ] ; then
         echo "Virgin boot of the VM: populating /rw/config" >&2
 
-        mkdir -p /rw/config
+        mkdir /rw/config || exit
         touch /rw/config/rc.local
         cat > /rw/config/rc.local <<EOF
 #!/bin/sh
@@ -55,15 +61,19 @@ EOF
 # file is used only if the VM has any PCI device assigned. Modules will be
 # automatically re-loaded after resume.
 EOF
+        if [ -n "$enable_selinux" ] && [ -d /rw/usrlocal ]; then
+            restorecon -RF /rw/config
+        fi
     fi
 
     if ! [ -d /rw/usrlocal ] ; then
+        if [ -n "$enable_selinux" ]; then restorecon -RF /rw; touch /rw/.autorelabel; fi
         if [ -d /usr/local.orig ] ; then
             echo "Virgin boot of the VM: populating /rw/usrlocal from /usr/local.orig" >&2
-            cp -af /usr/local.orig /rw/usrlocal
+            cp ${enable_selinux:+-Z} -af -- /usr/local.orig /rw/usrlocal
         else
             echo "Virgin boot of the VM: creating /rw/usrlocal" >&2
-            mkdir -p /rw/usrlocal
+            mkdir ${enable_selinux:+-Z} -- /rw/usrlocal
         fi
     fi
 

network/network-manager-prepare-conf-dir

@@ -4,10 +4,11 @@
 # shellcheck source=init/functions
 . /usr/lib/qubes/init/functions
 
+if test -d /sys/fs/selinux; then enable_selinux=Z; else enable_selinux=''; fi
 NM_CONFIG_DIR=/etc/NetworkManager/system-connections
 if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then
-    mkdir -p /rw/config/NM-system-connections
-    mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
+    mkdir "-p$enable_selinux" /rw/config/NM-system-connections
+    mv ${enable_selinux:+-Z} $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
     rmdir $NM_CONFIG_DIR
     ln -s /rw/config/NM-system-connections $NM_CONFIG_DIR
 fi