diff --git a/lib/src/install.rs b/lib/src/install.rs
index 9d2ca8589..ffb01b1af 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -644,8 +644,16 @@ async fn initialize_ostree_root_from_self(
 }
 f.flush()?;
+ let fstab_path = rootfs.join("etc/fstab");
+ state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?;
+
 if let Some(contents) = state.root_ssh_authorized_keys.as_deref() {
- osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
+ let tmpf_path = osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
+ state.lsm_label(
+ &rootfs.join(tmpf_path.clone()),
+ &Utf8PathBuf::from("/").join(tmpf_path),
+ false,
+ )?;
 }
 let uname = rustix::system::uname();
diff --git a/lib/src/install/osconfig.rs b/lib/src/install/osconfig.rs
index 6bddc6400..c8ba72b3a 100644
--- a/lib/src/install/osconfig.rs
+++ b/lib/src/install/osconfig.rs
@@ -1,5 +1,5 @@
 use anyhow::Result;
-use camino::Utf8Path;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std::fs::Dir;
 use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
 use fn_error_context::context;
@@ -8,7 +8,7 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d";
 const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf";
 #[context("Injecting root authorized_keys")]
-pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> {
+pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result {
 // While not documented right now, this one looks like it does not newline wrap
 let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
 // See the example in https://systemd.io/CREDENTIALS/
@@ -18,8 +18,10 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res
 root.create_dir_all(tmpfiles_dir)?;
 let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE);
 root.atomic_write(&target, &tmpfiles_content)?;
+
+ let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE);
 println!("Injected: {target}");
- Ok(())
+ Ok(as_path)
 }
 #[test]
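Review bot: In `initialize_ostree_root_from_self` (lib/src/install.rs), the authorized-keys snippet is written through `root` (`inject_root_ssh_authorized_keys(&root, contents)`), but both `lsm_label` calls build their on-disk path from `rootfs`. Neither binding is defined inside the hunk, so please confirm they name the same directory; if `root` is the deployment directory and `rootfs` the physical target root, the label would be applied to a different path (or the call would fail) and the freshly written `/etc/fstab` and tmpfiles.d snippet would keep their default label. Separately, the `tmpf_path.clone()` can be avoided by borrowing: `&rootfs.join(&tmpf_path),`. The function body starts and ends outside this hunk.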
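Review bot: The new return value of `inject_root_ssh_authorized_keys` (lib/src/install/osconfig.rs, hunk at -8,7) is undocumented, yet the caller in install.rs joins it onto both `rootfs` and `/`, so it relies on the path being relative with no leading slash. A doc comment above `#[context(...)]` would pin that contract, for example `/// Writes the tmpfiles.d snippet and returns its path relative to root, without a leading slash.` The return type is shown here as a bare `Result` while the body returns `Ok(as_path)`; the type argument may have been lost when the page was rendered, so it is worth checking against the real file. The function body continues outside this hunk.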
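Review bot: In the last osconfig.rs hunk (-18,8) only the file path is returned, so the caller can relabel the snippet but not a directory that `root.create_dir_all(tmpfiles_dir)` may have just created. If `etc/tmpfiles.d` can be absent from the deployment, that new directory would be left with its default label; the caller passes `false` as the last `lsm_label` argument, which looks like a non-recursive flag, though that is not confirmed from this page. Also, `as_path` appears to rebuild the same relative path already held in `target`; if `tmpfiles_dir` is `Utf8Path::new(ETC_TMPFILES)` (its definition is outside the hunk), ending with `Ok(target)` after the `println!` would avoid the duplicate. The function starts outside this hunk.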