From b6ef8d9a027650515b6a16a7938ba366938e9824 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 19 Mar 2024 12:35:07 -0400
Subject: [PATCH] lsm/install: Use csum(), not name() from SELinux policy

There's a bug in the ostree API here around nullability.

Closes https://github.com/containers/bootc/issues/403

Signed-off-by: Colin Walters
---
 lib/src/install.rs | 5 ++++-
 lib/src/lsm.rs | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/src/install.rs b/lib/src/install.rs
index 3e8fca148..2a133205e 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -309,7 +309,10 @@ impl State {
 // We always use the physical container root to bootstrap policy
 let rootfs = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
 let r = ostree::SePolicy::new_at(rootfs.as_raw_fd(), gio::Cancellable::NONE)?;
- tracing::debug!("Loaded SELinux policy: {}", r.name());
+ let csum = r
+ .csum()
+ .ok_or_else(|| anyhow::anyhow!("SELinux enabled, but no policy found in root"))?;
+ tracing::debug!("Loaded SELinux policy: {csum}");
 Ok(Some(r))
 }
 }
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
index b5eb7ecba..1d56eb456 100644
--- a/lib/src/lsm.rs
+++ b/lib/src/lsm.rs
@@ -175,8 +175,8 @@ pub(crate) fn require_label(
 .label(destname.as_str(), mode, ostree::gio::Cancellable::NONE)?
 .ok_or_else(|| {
 anyhow::anyhow!(
- "No label found in policy '{}' for {destname})",
- policy.name()
+ "No label found in policy '{:?}' for {destname})",
+ policy.csum()
 )
 })
 }
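Review bot: The new `csum()` check in the install.rs hunk carries no comment explaining why a missing checksum is treated as "no policy found", so a later cleanup could switch the log line back to `name()`. The commit message attributes the change to a nullability bug in the ostree API; a short why-comment above `let csum = r` would keep that reasoning next to the code, for example `// csum() is None when no policy was loaded; per the ostree nullability bug, do not call name() here`. Returning an error here when SELinux is enabled but the root carries no policy is the fail-closed choice and is worth stating in the function's doc comment as well. The enclosing function begins outside the hunk, so whether it already has such documentation cannot be seen from here.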
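Review bot: In the lsm.rs hunk, `'{:?}'` applied to `policy.csum()` prints the `Option` wrapper itself, so the error reads `policy 'Some("…")'` or `policy 'None'` rather than naming the policy cleanly. Unwrapping for display before the `anyhow!` call would read better, e.g. `let csum = policy.csum().map(|c| c.to_string()).unwrap_or_else(|| "<none>".into());` with `'{csum}'` in the format string; the install.rs hunk already formats the inner value with `{csum}`, so it appears to implement `Display`. The message also ends in an unmatched `)` after `{destname}`, which the changed line carries over and could drop. The signature of `require_label` and the start of the call chain are outside the hunk.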