Merge pull request #20806 from fbuihuu/test-make-debug-tools-optional

test: make the installation of the debug tools optional in the image

hwdb.d/60-autosuspend-fingerprint-reader.hwdb

@@ -8,6 +8,7 @@
 # Supported by libfprint driver aes1610
 usb:v08FFp1600*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver aes1660
 usb:v08FFp1660*
@@ -28,16 +29,19 @@ usb:v08FFp168D*
 usb:v08FFp168E*
 usb:v08FFp168F*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver aes2501
 usb:v08FFp2500*
 usb:v08FFp2580*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver aes2550
 usb:v08FFp2550*
 usb:v08FFp2810*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver aes2660
 usb:v08FFp2660*
@@ -59,19 +63,23 @@ usb:v08FFp268E*
 usb:v08FFp268F*
 usb:v08FFp2691*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver aes3500
 usb:v08FFp5731*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver aes4000
 usb:v5501p08FF*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver egis0570
 usb:v1C7Ap0570*
 usb:v1C7Ap0571*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver elan
 usb:v04F3p0903*
@@ -133,15 +141,19 @@ usb:v04F3p0C4D*
 usb:v04F3p0C4F*
 usb:v04F3p0C63*
 usb:v04F3p0C6E*
+usb:v04F3p0C58*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver elanmoc
 usb:v04F3p0C7E*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver etes603
 usb:v1C7Ap0603*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver goodixmoc
 usb:v27C6p5840*
@@ -149,6 +161,7 @@ usb:v27C6p609C*
 usb:v27C6p60A2*
 usb:v27C6p639C*
 usb:v27C6p63AC*
+usb:v27C6p63BC*
 usb:v27C6p6496*
 usb:v27C6p6584*
 usb:v27C6p658C*
@@ -157,10 +170,12 @@ usb:v27C6p6594*
 usb:v27C6p659C*
 usb:v27C6p6A94*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver nb1010
 usb:v298Dp1010*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver synaptics
 usb:v06CBp00BD*
@@ -172,22 +187,29 @@ usb:v06CBp00C9*
 usb:v06CBp0100*
 usb:v06CBp00F0*
 usb:v06CBp0103*
+usb:v06CBp0123*
+usb:v06CBp0126*
+usb:v06CBp0129*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver upeksonly
 usb:v147Ep2016*
 usb:v147Ep1000*
 usb:v147Ep1001*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver upektc
 usb:v0483p2015*
 usb:v147Ep3001*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver upektc_img
 usb:v147Ep2020*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver uru4000
 usb:v045Ep00BC*
@@ -197,23 +219,28 @@ usb:v05BAp0007*
 usb:v05BAp0008*
 usb:v05BAp000A*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver vcom5s
 usb:v061Ap0110*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver vfs0050
 usb:v138Ap0050*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver vfs101
 usb:v138Ap0001*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver vfs301
 usb:v138Ap0005*
 usb:v138Ap0008*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver vfs5011
 usb:v138Ap0010*
@@ -222,10 +249,12 @@ usb:v138Ap0015*
 usb:v138Ap0017*
 usb:v138Ap0018*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Supported by libfprint driver vfs7552
 usb:v138Ap0091*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0
 
 # Known unsupported devices
 usb:v04F3p036B*
@@ -248,6 +277,7 @@ usb:v06CBp00C4*
 usb:v06CBp00CB*
 usb:v06CBp00D8*
 usb:v06CBp00DA*
+usb:v06CBp00E7*
 usb:v06CBp00E9*
 usb:v0A5Cp5801*
 usb:v0A5Cp5805*
@@ -256,6 +286,7 @@ usb:v0A5Cp5840*
 usb:v0A5Cp5841*
 usb:v0A5Cp5842*
 usb:v0A5Cp5843*
+usb:v0A5Cp5844*
 usb:v0A5Cp5845*
 usb:v10A5p0007*
 usb:v1188p9545*
@@ -298,3 +329,4 @@ usb:v2808p9338*
 usb:v298Dp2033*
 usb:v3538p0930*
  ID_AUTOSUSPEND=1
+ ID_PERSIST=0

hwdb.d/60-autosuspend.hwdb

@@ -24,6 +24,13 @@
 #
 # Allowed properties are:
 #    ID_AUTOSUSPEND=1
+#    ID_PERSIST=0
+#
+# ID_PERSIST=0 allows disabling the kernels USB "persist" feature, which allows
+# the continued use of devices after a power loss (due to suspend). Disable it
+# if the device will loose state without a USB power session and the driver
+# is unable to recover the state when resuming. See
+#   https://www.kernel.org/doc/html/latest/driver-api/usb/persist.html
 
 # Sort by brand, model
 

hwdb.d/70-mouse.hwdb

@@ -523,6 +523,10 @@ mouse:usb:v046dpc016:name:Logitech Optical USB Mouse:*
 mouse:usb:v046dpc01b:name:Logitech USB-PS/2 Optical Mouse:*
  MOUSE_DPI=400@125
 
+# Logitech USB-PS/2 M-BT96A
+mouse:usb:v046dpc03d:name:Logitech USB-PS/2 Optical Mouse:*
+ MOUSE_DPI=400@125
+
 # Logitech USB-PS/2 M-BT58
 mouse:usb:v046dpc03e:name:Logitech USB-PS/2 Optical Mouse:*
  MOUSE_DPI=400@125

hwdb.d/parse_hwdb.py

@@ -134,6 +134,7 @@ def property_grammar():
              ('MOUSE_WHEEL_CLICK_COUNT', INTEGER),
              ('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', INTEGER),
              ('ID_AUTOSUSPEND', Or((Literal('0'), Literal('1')))),
+             ('ID_PERSIST', Or((Literal('0'), Literal('1')))),
              ('ID_INPUT', Or((Literal('0'), Literal('1')))),
              ('ID_INPUT_ACCELEROMETER', Or((Literal('0'), Literal('1')))),
              ('ID_INPUT_JOYSTICK', Or((Literal('0'), Literal('1')))),

man/systemd.netdev.xml

@@ -317,11 +317,12 @@
         <listitem>
           <para>The MAC address to use for the device. For <literal>tun</literal> or <literal>tap</literal>
           devices, setting <varname>MACAddress=</varname> in the [NetDev] section is not
-          supported. Please specify it in [Link] section of the corresponding
+          supported. Please specify it in the [Link] section of the corresponding
           <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-          file. If this option is not set, <literal>vlan</literal> devices inherit the MAC address of the
-          physical interface. For other kind of netdevs, if this option is not set, then MAC address is
-          generated based on the interface name and the
+          file. If this option is not set, <literal>bridge</literal> and <literal>vlan</literal> devices
+          inherit the MAC address of the first slave device or the physical interface, respectively. For other
+          kind of netdevs, if this option is not set, then the MAC address is generated based on the interface
+          name and the
           <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
           </para>
         </listitem>

meson.build

@@ -1024,8 +1024,11 @@ else
 endif
 conf.set10('HAVE_APPARMOR', have)
 
-conf.set10('HAVE_SMACK_RUN_LABEL', get_option('smack-run-label') != '')
+have = get_option('smack') and get_option('smack-run-label') != ''
+conf.set10('HAVE_SMACK_RUN_LABEL', have)
+if have
         conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
+endif
 
 want_polkit = get_option('polkit')
 install_polkit = false
@@ -2293,7 +2296,7 @@ if conf.get('ENABLE_PORTABLED') == 1
                 systemd_portabled_sources,
                 include_directories : includes,
                 link_with : [libshared],
-                dependencies : [threads],
+                dependencies : [threads, libselinux],
                 install_rpath : rootlibexecdir,
                 install : true,
                 install_dir : rootlibexecdir)

rules.d/60-autosuspend.rules

@@ -11,4 +11,8 @@ SUBSYSTEM=="i2c", ATTR{name}=="cyapa", \
 ENV{ID_AUTOSUSPEND}=="1", TEST=="power/control", \
   ATTR{power/control}="auto"
 
+# Disable USB persist if hwdb says so.
+ENV{ID_PERSIST}=="0", TEST=="power/persist", \
+  ATTR{power/persist}="0"
+
 LABEL="autosuspend_end"

src/basic/fileio.c

@@ -1434,16 +1434,3 @@ int warn_file_is_world_accessible(const char *filename, struct stat *st, const c
                             filename, st->st_mode & 07777);
         return 0;
 }
-
-int rename_and_apply_smack_floor_label(const char *from, const char *to) {
-        int r = 0;
-        if (rename(from, to) < 0)
-                return -errno;
-
-#if HAVE_SMACK_RUN_LABEL
-        r = mac_smack_apply(to, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
-        if (r < 0)
-                return r;
-#endif
-        return r;
-}

src/basic/fileio.h

@@ -124,5 +124,3 @@ static inline int read_nul_string(FILE *f, size_t limit, char **ret) {
 int safe_fgetc(FILE *f, char *ret);
 
 int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line);
-
-int rename_and_apply_smack_floor_label(const char *temp_path, const char *dest_path);

src/basic/socket-util.c

@@ -921,7 +921,7 @@ int getpeergroups(int fd, gid_t **ret) {
 ssize_t send_one_fd_iov_sa(
                 int transport_fd,
                 int fd,
-                struct iovec *iov, size_t iovlen,
+                const struct iovec *iov, size_t iovlen,
                 const struct sockaddr *sa, socklen_t len,
                 int flags) {
 
@@ -929,7 +929,7 @@ ssize_t send_one_fd_iov_sa(
         struct msghdr mh = {
                 .msg_name = (struct sockaddr*) sa,
                 .msg_namelen = len,
-                .msg_iov = iov,
+                .msg_iov = (struct iovec *)iov,
                 .msg_iovlen = iovlen,
         };
         ssize_t k;

src/basic/socket-util.h

@@ -154,7 +154,7 @@ int getpeergroups(int fd, gid_t **ret);
 ssize_t send_one_fd_iov_sa(
                 int transport_fd,
                 int fd,
-                struct iovec *iov, size_t iovlen,
+                const struct iovec *iov, size_t iovlen,
                 const struct sockaddr *sa, socklen_t len,
                 int flags);
 int send_one_fd_sa(int transport_fd,

src/core/smack-setup.c

@@ -322,7 +322,7 @@ int mac_smack_setup(bool *loaded_policy) {
                 return 0;
         }
 
-#ifdef SMACK_RUN_LABEL
+#if HAVE_SMACK_RUN_LABEL
         r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
         if (r < 0)
                 log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");

src/firstboot/firstboot.c

@@ -32,6 +32,7 @@
 #include "proc-cmdline.h"
 #include "pwquality-util.h"
 #include "random-util.h"
+#include "smack-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "terminal-util.h"

src/portable/portable.c

@@ -28,6 +28,7 @@
 #include "path-lookup.h"
 #include "portable.h"
 #include "process-util.h"
+#include "selinux-util.h"
 #include "set.h"
 #include "signal-util.h"
 #include "socket-util.h"
@@ -78,7 +79,7 @@ static bool unit_match(const char *unit, char **matches) {
         return false;
 }
 
-static PortableMetadata *portable_metadata_new(const char *name, const char *path, int fd) {
+static PortableMetadata *portable_metadata_new(const char *name, const char *path, const char *selinux_label, int fd) {
         PortableMetadata *m;
 
         m = malloc0(offsetof(PortableMetadata, name) + strlen(name) + 1);
@@ -92,6 +93,15 @@ static PortableMetadata *portable_metadata_new(const char *name, const char *pat
                         return mfree(m);
         }
 
+        /* The metadata file might have SELinux labels, we need to carry them and reapply them */
+        if (!isempty(selinux_label)) {
+                m->selinux_label = strdup(selinux_label);
+                if (!m->selinux_label) {
+                        free(m->image_path);
+                        return mfree(m);
+                }
+        }
+
         strcpy(m->name, name);
         m->fd = fd;
 
@@ -105,6 +115,7 @@ PortableMetadata *portable_metadata_unref(PortableMetadata *i) {
         safe_close(i->fd);
         free(i->source);
         free(i->image_path);
+        free(i->selinux_label);
 
         return mfree(i);
 }
@@ -134,96 +145,23 @@ int portable_metadata_hashmap_to_sorted_array(Hashmap *unit_files, PortableMetad
         return 0;
 }
 
-static int send_item(
+static int send_one_fd_iov_with_data_fd(
                 int socket_fd,
-                const char *name,
+                const struct iovec *iov,
+                size_t iovlen,
                 int fd) {
 
-        CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int))) control = {};
-        struct iovec iovec;
-        struct msghdr mh = {
-                .msg_control = &control,
-                .msg_controllen = sizeof(control),
-                .msg_iov = &iovec,
-                .msg_iovlen = 1,
-        };
-        struct cmsghdr *cmsg;
         _cleanup_close_ int data_fd = -1;
 
+        assert(iov || iovlen == 0);
         assert(socket_fd >= 0);
-        assert(name);
         assert(fd >= 0);
 
         data_fd = copy_data_fd(fd);
         if (data_fd < 0)
                 return data_fd;
 
-        cmsg = CMSG_FIRSTHDR(&mh);
-        cmsg->cmsg_level = SOL_SOCKET;
-        cmsg->cmsg_type = SCM_RIGHTS;
-        cmsg->cmsg_len = CMSG_LEN(sizeof(int));
-        memcpy(CMSG_DATA(cmsg), &data_fd, sizeof(int));
-
-        iovec = IOVEC_MAKE_STRING(name);
-
-        if (sendmsg(socket_fd, &mh, MSG_NOSIGNAL) < 0)
-                return -errno;
-
-        return 0;
-}
-
-static int recv_item(
-                int socket_fd,
-                char **ret_name,
-                int *ret_fd) {
-
-        CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int))) control;
-        char buffer[PATH_MAX+2];
-        struct iovec iov = IOVEC_INIT(buffer, sizeof(buffer)-1);
-        struct msghdr mh = {
-                .msg_control = &control,
-                .msg_controllen = sizeof(control),
-                .msg_iov = &iov,
-                .msg_iovlen = 1,
-        };
-        struct cmsghdr *cmsg;
-        _cleanup_close_ int found_fd = -1;
-        char *copy;
-        ssize_t n;
-
-        assert(socket_fd >= 0);
-        assert(ret_name);
-        assert(ret_fd);
-
-        n = recvmsg_safe(socket_fd, &mh, MSG_CMSG_CLOEXEC);
-        if (n < 0)
-                return (int) n;
-
-        CMSG_FOREACH(cmsg, &mh) {
-                if (cmsg->cmsg_level == SOL_SOCKET &&
-                    cmsg->cmsg_type == SCM_RIGHTS) {
-
-                        if (cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
-                                assert(found_fd < 0);
-                                found_fd = *(int*) CMSG_DATA(cmsg);
-                                break;
-                        }
-
-                        cmsg_close_all(&mh);
-                        return -EIO;
-                }
-        }
-
-        buffer[n] = 0;
-
-        copy = strdup(buffer);
-        if (!copy)
-                return -ENOMEM;
-
-        *ret_name = copy;
-        *ret_fd = TAKE_FD(found_fd);
-
-        return 0;
+        return send_one_fd_iov(socket_fd, data_fd, iov, iovlen, 0);
 }
 
 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(portable_metadata_hash_ops, char, string_hash_func, string_compare_func,
@@ -272,13 +210,18 @@ static int extract_now(
                                 path_is_extension ? "extension-release " : "os-release");
         else {
                 if (socket_fd >= 0) {
-                        r = send_item(socket_fd, os_release_id, os_release_fd);
+                        struct iovec iov[] = {
+                                IOVEC_MAKE_STRING(os_release_id),
+                                IOVEC_MAKE((char *)"\0", sizeof(char)),
+                        };
+
+                        r = send_one_fd_iov_with_data_fd(socket_fd, iov, ELEMENTSOF(iov), os_release_fd);
                         if (r < 0)
                                 return log_debug_errno(r, "Failed to send os-release file: %m");
                 }
 
                 if (ret_os_release) {
-                        os_release = portable_metadata_new(os_release_id, NULL, os_release_fd);
+                        os_release = portable_metadata_new(os_release_id, NULL, NULL, os_release_fd);
                         if (!os_release)
                                 return -ENOMEM;
 
@@ -333,12 +276,27 @@ static int extract_now(
                         }
 
                         if (socket_fd >= 0) {
-                                r = send_item(socket_fd, de->d_name, fd);
+                                _cleanup_(mac_selinux_freep) char *con = NULL;
+#if HAVE_SELINUX
+                                /* The units will be copied on the host's filesystem, so if they had a SELinux label
+                                 * we have to preserve it. Copy it out so that it can be applied later. */
+
+                                r = fgetfilecon_raw(fd, &con);
+                                if (r < 0 && errno != ENODATA)
+                                        log_debug_errno(errno, "Failed to get SELinux file context from '%s', ignoring: %m", de->d_name);
+#endif
+                                struct iovec iov[] = {
+                                        IOVEC_MAKE_STRING(de->d_name),
+                                        IOVEC_MAKE((char *)"\0", sizeof(char)),
+                                        IOVEC_MAKE_STRING(strempty(con)),
+                                };
+
+                                r = send_one_fd_iov_with_data_fd(socket_fd, iov, ELEMENTSOF(iov), fd);
                                 if (r < 0)
                                         return log_debug_errno(r, "Failed to send unit metadata to parent: %m");
                         }
 
-                        m = portable_metadata_new(de->d_name, NULL, fd);
+                        m = portable_metadata_new(de->d_name, NULL, NULL, fd);
                         if (!m)
                                 return -ENOMEM;
                         fd = -1;
@@ -465,23 +423,37 @@ static int portable_extract_by_path(
 
                 for (;;) {
                         _cleanup_(portable_metadata_unrefp) PortableMetadata *add = NULL;
-                        _cleanup_free_ char *name = NULL;
                         _cleanup_close_ int fd = -1;
+                        /* We use NAME_MAX space for the SELinux label here. The kernel currently enforces no limit, but
+                         * according to suggestions from the SELinux people this will change and it will probably be
+                         * identical to NAME_MAX. For now we use that, but this should be updated one day when the final
+                         * limit is known. */
+                        char iov_buffer[PATH_MAX + NAME_MAX + 2];
+                        struct iovec iov = IOVEC_INIT(iov_buffer, sizeof(iov_buffer));
 
-                        r = recv_item(seq[0], &name, &fd);
-                        if (r < 0)
-                                return log_debug_errno(r, "Failed to receive item: %m");
+                        ssize_t n = receive_one_fd_iov(seq[0], &iov, 1, 0, &fd);
+                        if (n == -EIO)
+                                break;
+                        if (n < 0)
+                                return log_debug_errno(n, "Failed to receive item: %m");
+                        iov_buffer[n] = 0;
 
                         /* We can't really distinguish a zero-length datagram without any fds from EOF (both are signalled the
                          * same way by recvmsg()). Hence, accept either as end notification. */
-                        if (isempty(name) && fd < 0)
+                        if (isempty(iov_buffer) && fd < 0)
                                 break;
 
-                        if (isempty(name) || fd < 0)
+                        if (isempty(iov_buffer) || fd < 0)
                                 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "Invalid item sent from child.");
 
-                        add = portable_metadata_new(name, path, fd);
+                        /* Given recvmsg cannot be used with multiple io vectors if you don't know the size in advance,
+                         * use a marker to separate the name and the optional SELinux context. */
+                        char *selinux_label = memchr(iov_buffer, 0, n);
+                        assert(selinux_label);
+                        selinux_label++;
+
+                        add = portable_metadata_new(iov_buffer, path, selinux_label, fd);
                         if (!add)
                                 return -ENOMEM;
                         fd = -1;
@@ -1126,7 +1098,10 @@ static int attach_unit_file(
                 _cleanup_(unlink_and_freep) char *tmp = NULL;
                 _cleanup_close_ int fd = -1;
 
+                (void) mac_selinux_create_file_prepare_label(path, m->selinux_label);
+
                 fd = open_tmpfile_linkable(path, O_WRONLY|O_CLOEXEC, &tmp);
+                mac_selinux_create_file_clear(); /* Clear immediately in case of errors */
                 if (fd < 0)
                         return log_debug_errno(fd, "Failed to create unit file '%s': %m", path);
 

src/portable/portable.h

@@ -12,6 +12,7 @@ typedef struct PortableMetadata {
         int fd;
         char *source;
         char *image_path;
+        char *selinux_label;
         char name[];
 } PortableMetadata;
 

src/shared/mount-setup.c

@@ -278,7 +278,7 @@ static int symlink_controller(const char *target, const char *alias) {
         if (r < 0)
                 return log_error_errno(r, "Failed to create symlink %s: %m", a);
 
-#ifdef SMACK_RUN_LABEL
+#if HAVE_SMACK_RUN_LABEL
         const char *p;
 
         p = strjoina("/sys/fs/cgroup/", target);

src/shared/selinux-util.c

@@ -562,6 +562,21 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 #endif
 }
 
+int mac_selinux_create_file_prepare_label(const char *path, const char *label) {
+#if HAVE_SELINUX
+
+        if (!label)
+                return 0;
+
+        if (!mac_selinux_use())
+                return 0;
+
+        if (setfscreatecon_raw(label) < 0)
+                return log_enforcing_errno(errno, "Failed to set specified SELinux security context '%s' for '%s': %m", label, strna(path));
+#endif
+        return 0;
+}
+
 void mac_selinux_create_file_clear(void) {
 
 #if HAVE_SELINUX

src/shared/selinux-util.h

@@ -43,6 +43,7 @@ char* mac_selinux_free(char *label);
 
 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
 int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode);
+int mac_selinux_create_file_prepare_label(const char *path, const char *label);
 void mac_selinux_create_file_clear(void);
 
 int mac_selinux_create_socket_prepare(const char *label);

src/shared/smack-util.c

@@ -284,3 +284,16 @@ int mac_smack_copy(const char *dest, const char *src) {
         return 0;
 }
 #endif
+
+int rename_and_apply_smack_floor_label(const char *from, const char *to) {
+        int r = 0;
+        if (rename(from, to) < 0)
+                return -errno;
+
+#if HAVE_SMACK_RUN_LABEL
+        r = mac_smack_apply(to, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
+        if (r < 0)
+                return r;
+#endif
+        return r;
+}

src/shared/smack-util.h

@@ -44,3 +44,5 @@ int mac_smack_apply(const char *path, SmackAttr attr, const char *label);
 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label);
 int mac_smack_apply_pid(pid_t pid, const char *label);
 int mac_smack_copy(const char *dest, const char *src);
+
+int rename_and_apply_smack_floor_label(const char *temp_path, const char *dest_path);

test/test-functions

@@ -190,6 +190,7 @@ BASICTOOLS=(
     umount
     uname
     unshare
+    wc
     xargs
     xzcat
 )
@@ -1550,7 +1551,7 @@ install_basic_tools() {
 
 install_debug_tools() {
     dinfo "Install debug tools"
-    image_install "${DEBUGTOOLS[@]}"
+    image_install -o "${DEBUGTOOLS[@]}"
 
     if get_bool "$INTERACTIVE_DEBUG"; then
         # Set default TERM from vt220 to linux, so at least basic key shortcuts work