[Rpm-maint] [rpm-software-management/rpm] If existent, apply SELinux label from full non-chroot path (PR #3967)

Cathy Hu notifications at github.com
Thu Sep 25 11:52:53 UTC 2025


What?

Add chroot handling to the SELinux plugin as follows:
- If there is a label in the policy for the full non-chroot path, apply it.
- If the policy specifies <<none>> for the full non-chroot path, apply the labels that are in the policy assuming the chroot is like the main root dir. This is what the rpm plugin did before this change.

Non-chroot transactions should stay exactly the same.

Why?

Currently, there is no proper way to specify in the SELinux policy whether the target chroot path of an rpm installation should be labelled the same as the main root dir, or whether it should use the label that is defined in the policy.

For example, if we install a package with `/var/lib/machines/openqa1` as chroot directory, rpm will set the labels as if it were the topmost root directory. If the user runs `restorecon -Rv /var/lib/machines/openqa1`, the labels get reset to the label defined for that path, instead of the chroot environment it was set to by rpm.

This can lead to issues, as the labels set by rpm on the file system and those of the policy mismatch. Issues include things like permissions being denied, transactions not being complete, etc.
For example: https://bugzilla.suse.com/show_bug.cgi?id=1248857

With this commit it is now possible to specify in the SELinux policy whether the target path shall be SELinux confined as usual (e.g. regular chroot environment on the host), or whether the target path confinement shall be handled by another user space application (e.g. containers, systemd-machined).

To do that, users or policy writers can set `<<none>>` in the policy for a chroot path to specify that they want the same labels as in the rootdir; if they don't want that, they can set the label to a specific one.

Example:

This would tell the rpm plugin to use the same labels in the chroot `/var/lib/machines/openqa1` as it would in the rootdir.
```
semanage fcontext -a '/var/lib/machines/openqa1(/.*)?' -t '<<none>>'
# afterwards, run rpm with the path as chroot
```
With that, `restorecon` will also skip this directory, since no default label is defined for it.

Setting a fixed label instead would result in the plugin using the fixed label:
```
semanage fcontext -a '/var/lib/machines/openqa1(/.*)?' -t 'systemd_machined_var_lib_t'
# afterwards, run rpm with the path as chroot; it will set the
# labels of the files as systemd_machined_var_lib_t
```
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/3967

-- Commit Summary --

  * If existent, apply SELinux label from full non-chroot path

-- File Changes --

    M plugins/selinux.c (67)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3967.patch
https://github.com/rpm-software-management/rpm/pull/3967.diff


Message ID: <rpm-software-management/rpm/pull/3967 at github.com>
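The following is an added, runnable model of the two label-selection rules described in the PR text above; it is not code from the rpm project or from this PR. It replays the three situations the description mentions (`<<none>>` for the chroot, an explicit type for the chroot, and a non-chroot transaction) and adds one the text does not spell out: stock policy with no local rule, where a broader entry such as `/var/lib/machines(/.*)?` already covers the chroot. The `file_contexts` fragment is constructed for the example (only the `systemd_machined_var_lib_t` type comes from the PR text), and two properties of libselinux are modeled as assumptions: the last matching `file_contexts` entry wins (which is why rules added with `semanage fcontext -a` override the base policy), and `selabel_lookup()` reports `ENOENT` both when no entry matches and when the matching entry is `<<none>>`. The optional file-type column (`--`, `-d`, ...) is ignored in this model.

```python
# Added example (not the rpm SELinux plugin's code): a model of the PR's
# label-selection rules, run against a constructed file_contexts fragment.
import re

NONE = "<<none>>"

# Constructed file_contexts fragment.  Only the /var/lib/machines entry and its
# systemd_machined_var_lib_t type come from the PR text; the rest is illustrative.
BASE_FILE_CONTEXTS = """
/.*                        system_u:object_r:default_t:s0
/usr/bin(/.*)?             system_u:object_r:bin_t:s0
/usr/bin/bash           -- system_u:object_r:shell_exec_t:s0
/etc(/.*)?                 system_u:object_r:etc_t:s0
/var/lib/machines(/.*)?    system_u:object_r:systemd_machined_var_lib_t:s0
"""


def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (compiled regex, context).
    The optional file-type column is ignored in this model."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed file_contexts line: {line!r}")
        entries.append((re.compile(parts[0]), parts[-1]))
    return entries


def add_local_rule(entries, regex, context):
    """Model of `semanage fcontext -a <regex> -t <type>`: local customizations
    are consulted after the base policy, so the rule is appended to the table.
    Assumption: local rules take precedence because the last match wins."""
    ctx = context if context == NONE else f"system_u:object_r:{context}:s0"
    entries.append((re.compile(regex), ctx))


def selabel_lookup(entries, path):
    """Model of libselinux selabel_lookup() for the file backend (assumption:
    the last matching entry wins).  Returns None where libselinux would fail
    with ENOENT: no entry matches, or the matching entry is <<none>>."""
    for regex, ctx in reversed(entries):
        if regex.fullmatch(path):
            return None if ctx == NONE else ctx
    return None


def label_for_install(entries, chroot, relpath):
    """Label the plugin would apply to relpath (a path inside the package)
    when `chroot` is the transaction root, following the PR's two rules."""
    if chroot in ("", "/"):
        return selabel_lookup(entries, relpath)  # non-chroot transaction: unchanged
    full_path = chroot.rstrip("/") + relpath
    ctx = selabel_lookup(entries, full_path)
    if ctx is not None:
        return ctx  # rule 1: the policy has a label for the full non-chroot path
    return selabel_lookup(entries, relpath)  # rule 2: <<none>> (or no entry), treat the chroot as /


def restorecon_would_touch(entries, path):
    """restorecon skips paths for which no default label is defined (ENOENT)."""
    return selabel_lookup(entries, path) is not None


def walkthrough():
    chroot = "/var/lib/machines/openqa1"
    results = {}

    # 1. Stock policy, no local rule: /var/lib/machines(/.*)? covers the chroot,
    #    so the host label wins over the chroot-relative one (shell_exec_t).
    stock = parse_file_contexts(BASE_FILE_CONTEXTS)
    results["stock"] = label_for_install(stock, chroot, "/usr/bin/bash")

    # 2. <<none>> for the chroot: labels are chosen as if the chroot were /,
    #    and restorecon leaves the tree alone.
    none_policy = parse_file_contexts(BASE_FILE_CONTEXTS)
    add_local_rule(none_policy, r"/var/lib/machines/openqa1(/.*)?", NONE)
    results["none"] = label_for_install(none_policy, chroot, "/usr/bin/bash")
    results["none_restorecon"] = restorecon_would_touch(none_policy, chroot + "/usr/bin/bash")

    # 3. Explicit type for the chroot: every installed file gets that type.
    fixed = parse_file_contexts(BASE_FILE_CONTEXTS)
    add_local_rule(fixed, r"/var/lib/machines/openqa1(/.*)?", "systemd_machined_var_lib_t")
    results["fixed"] = label_for_install(fixed, chroot, "/etc/passwd")

    # A non-chroot transaction is unaffected by any of the local rules above.
    results["host"] = label_for_install(fixed, "/", "/usr/bin/bash")
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The first case is the one to check on a real host before relying on this change: if the distribution policy already has an entry covering the directory you use as a chroot, the full-path label now wins, and files inside the chroot will no longer receive the labels they would get on a bare root unless a `<<none>>` rule is added for that path.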