From fb007ee9ac7f2c0698471a3fbb88b9e83a4df7b6 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 14 May 2021 14:13:01 -0400
Subject: [PATCH] BZ 1956836: overlay: Add rhcos-usrlocal-selinux-fixup.service

A fix is inbound for policy, but we really should fixup existing systems in place.
---
 .../system-preset/43-manifest-rhcos.preset | 2 ++
 .../rhcos-usrlocal-selinux-fixup.service | 19 +++++++++++++++++++
 tests/kola/misc-ro/misc-ro.sh | 8 ++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 overlay.d/05rhcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service

diff --git a/overlay.d/05rhcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset b/overlay.d/05rhcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset
index d9e1bd265..7070feba8 100644
--- a/overlay.d/05rhcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset
+++ b/overlay.d/05rhcos/usr/lib/systemd/system-preset/43-manifest-rhcos.preset
@@ -3,6 +3,8 @@
 # live in the manifest and some of them from the redhat-release-coreos
 # package.
 
+# Upgrade fixes
+enable rhcos-usrlocal-selinux-fixup.service
 # Enable the iscsi workaround
 enable coreos-generate-iscsi-initiatorname.service
 # Enable GCP routes
diff --git a/overlay.d/05rhcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service b/overlay.d/05rhcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service
new file mode 100644
index 000000000..3e356499e
--- /dev/null
+++ b/overlay.d/05rhcos/usr/lib/systemd/system/rhcos-usrlocal-selinux-fixup.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=RHCOS Fix SELinux Labeling For /usr/local/sbin
+Documentation=https://bugzilla.redhat.com/1956836
+DefaultDependencies=false
+After=systemd-tmpfiles-setup.service local-fs.target
+Before=sysinit.target
+ConditionPathExists=/var/usrlocal/sbin
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Run every time because systemd-tmpfiles will reset it to the incorrect
+# context on each boot.
+ExecStart=chcon -v --reference=/usr/sbin /usr/local/sbin
+# Only do this recursive relabeling once.
+ExecStart=/bin/sh -c 'if ! test -f /var/lib/.coreos-usrlocal-fixup.stamp; then find /var/usrlocal/sbin -executable -mount -exec chcon -v --reference=/usr/sbin {} \; && touch /var/lib/.coreos-usrlocal-fixup.stamp; fi'
+
+[Install]
+WantedBy=sysinit.target
diff --git a/tests/kola/misc-ro/misc-ro.sh b/tests/kola/misc-ro/misc-ro.sh
index 3a3277135..1d7201762 100755
--- a/tests/kola/misc-ro/misc-ro.sh
+++ b/tests/kola/misc-ro/misc-ro.sh
@@ -133,6 +133,14 @@ echo "ok iSCSI initiator name"
 systemctl is-enabled logrotate.timer
 echo "ok logrotate"
 
+bin_ctx=$(stat -c %C /usr/sbin)
+usrlocal_sbin_ctx=$(stat -c %C /var/usrlocal/sbin)
+if test "${bin_ctx}" != "${usrlocal_sbin_ctx}"; then
+ fatal "/usr/sbin is ${bin_ctx} but /var/usrlocal/sbin is ${usrlocal_sbin_ctx}"
+fi
+test -f /var/lib/.coreos-usrlocal-fixup.stamp
+echo "ok usr/local/sbin fixup"
+
 rpm -q conntrack-tools
 test ! -f /usr/lib/systemd/system/conntrackd.service
 echo "ok conntrack tools without daemon"
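Review bot: A chcon failure inside the find on the second ExecStart line does not reach find's exit status, because with the `-exec … {} \;` form the command's status is only the predicate's truth value, so the `&& touch /var/lib/.coreos-usrlocal-fixup.stamp` still runs and the one-time relabel is never retried for any executable that was left with the wrong context. Switching to the `+` form, `find /var/usrlocal/sbin -executable -mount -exec chcon -v --reference=/usr/sbin {} +`, makes a non-zero chcon propagate to find's exit status, which withholds the stamp and lets the next boot retry. The first ExecStart line relabels `/usr/local/sbin` while ConditionPathExists and the find both use `/var/usrlocal/sbin`; presumably these are the same directory through the /usr/local symlink, but a comment saying so (or one spelling throughout) would make that explicit for the next reader.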
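Review bot: The stamp check `test -f /var/lib/.coreos-usrlocal-fixup.stamp` only fails the test if the script runs under errexit, which would be set in a part of the script outside this hunk, and when it does fail it emits no diagnostic, unlike the context comparison just above it that calls `fatal`. Writing it as `test -f /var/lib/.coreos-usrlocal-fixup.stamp || fatal "usrlocal SELinux fixup stamp missing"` keeps the two checks consistent and names the failure in the test output. The context comparison also covers only the `/var/usrlocal/sbin` directory itself, which is what the unit's per-boot chcon fixes; nothing here exercises the one-time recursive relabel of the executables inside it, so a regression there would pass this test unnoticed. The script continues outside the hunk.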