fix(-dx): Workaround swtpm SELinux issues (#764)

Co-authored-by: Brian Ketelsen <[email protected]>
ublue-os · Jan 1, 2024 · f8dabd4 · f8dabd4
1 parent 075e32c
commit f8dabd4
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/Containerfile b/Containerfile
@@ -158,6 +158,7 @@ RUN wget https://raw.githubusercontent.com/ahmetb/kubectx/master/kubectx -O /usr
 # Set up services
 RUN systemctl enable docker.service && \
     systemctl enable podman.socket && \
+    systemctl enable swtpm-workaround.service && \
     systemctl enable --global bluefin-dx-user-vscode.service && \
     systemctl disable pmie.service && \
     systemctl disable pmlogger.service

diff --git a/dx/usr/lib/systemd/system/swtpm-workaround.service b/dx/usr/lib/systemd/system/swtpm-workaround.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Workaround swtpm not having the correct label
+ConditionFileIsExecutable=/usr/bin/swtpm
+After=local-fs.target
+
+[Service]
+Type=oneshot
+# Copy if it doens't exist
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/.swtpm ] || /usr/bin/cp /usr/bin/swtpm /usr/local/bin/.swtpm"
+# This is faster than using .mount unit. Also allows for the previous line/cleanup
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/.swtpm /usr/bin/swtpm
+# Fix SELinux label
+ExecStart=/usr/sbin/restorecon /usr/bin/swtpm
+# Clean-up after ourselves
+ExecStop=/usr/bin/umount /usr/bin/swtpm
+ExecStop=/usr/bin/rm /usr/local/bin/.swtpm
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf b/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
@@ -0,0 +1,2 @@
+C /usr/local/bin/.swtpm - - - - /usr/bin/swtpm
+d /var/lib/swtpm-localca 0750 tss tss - -
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		C /usr/local/bin/.swtpm - - - - /usr/bin/swtpm
		d /var/lib/swtpm-localca 0750 tss tss - -