From f1e4b37e659fb37ab72c8ecfd475535dd0fe036d Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Fri, 30 Jun 2023 21:15:46 -0400
Subject: [PATCH] Set correct SELinux contexts on /rw
This is needed for disposable sys-net to work properly. Without it /rw is not labeled correctly, causing SELinux to (correctly) block NetworkManager's writes to /rw/config/NM-system-connections.
Fixes: QubesOS/qubes-issues#8242
---
 init/functions                           | 17 +++++++++++++----
 init/setup-rw.sh                         | 16 +++++++++++++---
 network/network-manager-prepare-conf-dir |  5 +++--
 3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/init/functions b/init/functions
index 4a8ec0be2..27f97e379 100644
--- a/init/functions
+++ b/init/functions
@@ -178,19 +178,29 @@ initialize_home() {
     home_root="$1"
     mode="$2"
-    if [ -z "$home_root" ] ; then
+    case $home_root in
+    (/*)
+        ;;
+    ('')
         echo "initialize_home() needs a target home root directory, such as /rw/home, as first parameter" >&2
         return 64
-    fi
+        ;;
+    (*)
+        echo 'initialize_home target root home directory must be an absolute path' >&2
+        return 64
+        ;;
+    esac
     if [ "$mode" != "unconditionally" ] && [ "$mode" != "ifneeded" ] ; then
         echo "initialize_home() second parameter must be 'unconditionally' or 'ifneeded'" >&2
         return 64
     fi
+    if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
+
     if ! [ -d "$home_root" ] ; then
         echo "initialize_home: populating $home_root" >&2
-        mkdir -p "$home_root"
+        mkdir "-${enable_selinux}m0755" -- "$home_root" || return 73
     fi
     # Chown home if users' UIDs have changed - can be the case on template switch.
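Review bot: The SELinux probe `if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi` is spelled three different ways in this patch (here as `Z`, in init/setup-rw.sh as `-Z`, and again in network/network-manager-prepare-conf-dir, which already sources this file), so the copies will drift; one helper in init/functions, e.g. `selinux_enabled() { [ -d /sys/fs/selinux ]; }`, would let each caller derive its own flag from a single check. Existence of the /sys/fs/selinux directory presumably shows the kernel has SELinux built in rather than that selinuxfs is mounted with a policy loaded; if that distinction matters for the `-Z` flags below, confirm the probe against what `is_selinux_enabled()` tests (a file such as /sys/fs/selinux/enforce is a tighter signal). Separately, `mkdir "-${enable_selinux}m0755" -- "$home_root" || return 73` drops the old `-p`, so a missing parent of `$home_root` now fails the call with 73 instead of being created; that behaviour change deserves a one-line comment such as `# no -p: the parent must already exist so -Z/-m apply to this directory only`. initialize_home continues past the end of this hunk.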
@@ -202,7 +212,6 @@ initialize_home() {
         homedirwithouthome=${homedir#/home/}
         if ! test -d "$home_root/$homedirwithouthome" || [ "$mode" = "unconditionally" ] ; then
             echo "initialize_home: populating $mode $home_root/$homedirwithouthome from /etc/skel" >&2
-            if test -d /sys/fs/selinux; then enable_selinux="Z"; else enable_selinux=''; fi
             if [ "$mode" = unconditionally ]; then
                 mkdir "-p${enable_selinux}" -- "$home_root/$homedirwithouthome" || return 73
             else
diff --git a/init/setup-rw.sh b/init/setup-rw.sh
index 3ee53c49f..0596cd37c 100755
--- a/init/setup-rw.sh
+++ b/init/setup-rw.sh
@@ -13,11 +13,17 @@ if mountpoint -q /rw ; then
             echo "Private device size management: resize2fs $dev failed:" >&2
             echo "$content" >&2
         fi
+    if [ -d /sys/fs/selinux ]; then
+        enable_selinux=-Z
+        chcon -t system_u:object_r:root_t:s0 /rw
+    else
+        enable_selinux=
+    fi
     if ! [ -d /rw/config ] ; then
         echo "Virgin boot of the VM: populating /rw/config" >&2
-        mkdir -p /rw/config
+        mkdir /rw/config || exit
         touch /rw/config/rc.local
         cat > /rw/config/rc.local <&2
-        cp -af /usr/local.orig /rw/usrlocal
+        cp ${enable_selinux:+-Z} -af -- /usr/local.orig /rw/usrlocal
     else
         echo "Virgin boot of the VM: creating /rw/usrlocal" >&2
-        mkdir -p /rw/usrlocal
+        mkdir ${enable_selinux:+-Z} -- /rw/usrlocal
     fi
 fi
diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir
index 79fb6e4fc..01f66aea6 100755
--- a/network/network-manager-prepare-conf-dir
+++ b/network/network-manager-prepare-conf-dir
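Review bot: `chcon -t system_u:object_r:root_t:s0 /rw` in the init/setup-rw.sh hunk hands a full security context to `-t`, which takes only a type (`root_t`); chcon splices the whole string into the type field, the resulting context is invalid, and the relabel fails — and because the status is not checked, /rw keeps whatever label the filesystem already carried unless the script runs under `set -e`, which this hunk does not show. Use either `chcon -t root_t /rw` or `chcon system_u:object_r:root_t:s0 /rw`, and make the failure visible, e.g. `chcon -t root_t /rw || echo "setup-rw: relabelling /rw failed" >&2`. The new `mkdir /rw/config || exit` does not get the `${enable_selinux:+-Z}` that both /rw/usrlocal branches get, so on a virgin boot /rw/config inherits /rw's label instead of the policy default for that path; if that is intended, say so in a comment. The middle of this hunk (the rc.local here-document) is not legible in this rendering, and the enclosing `if mountpoint -q /rw` block starts before it.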
@@ -4,10 +4,11 @@
 # shellcheck source=init/functions
 . /usr/lib/qubes/init/functions
+if test -d /sys/fs/selinux; then enable_selinux=Z; else enable_selinux=''; fi
 NM_CONFIG_DIR=/etc/NetworkManager/system-connections
 if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then
-    mkdir -p /rw/config/NM-system-connections
-    mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
+    mkdir "-p$enable_selinux" /rw/config/NM-system-connections
+    mv ${enable_selinux:+-Z} $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
     rmdir $NM_CONFIG_DIR
     ln -s /rw/config/NM-system-connections $NM_CONFIG_DIR
 fi
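Review bot: The relabelling added on the `mkdir "-p$enable_selinux" /rw/config/NM-system-connections` and `mv ${enable_selinux:+-Z} ...` lines only runs inside the migration branch guarded by `[ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]`, so a VM whose symlink is already in place never reaches it and an existing, previously created /rw/config/NM-system-connections keeps its old label — `mkdir -p` on an existing directory does not relabel it either. If the issue this fixes affects already-provisioned templates, the upgrade path presumably needs a one-time relabel of the existing directory outside this branch; confirm whether the /rw-level fix in init/setup-rw.sh is meant to cover that. Within the branch, a failed mkdir is not checked and the `2> /dev/null || true` on mv now also hides `-Z` relabel failures, after which `rmdir` and `ln -s` still run; `mkdir "-p$enable_selinux" /rw/config/NM-system-connections || exit` would stop the chain at the first step that cannot succeed.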