Do SELinux checks (#123)

* Do SELinux checks * Add improved error message with issue link * Improve SELinux error message * Correct lint
2022-12-19 07:30:45 -08:00 · 2022-12-19 07:30:45 -08:00 · 1e6d7d75c9
commit 1e6d7d75c9
parent c4274c93fb
4 changed files with 32 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -16,13 +16,15 @@ Harmonic is **pre-release and experimental**. It is not ready for you to use! *P

 Planned support:

-* [x] Multi-user x86_64 Linux with systemd init
-* [x] Multi-user aarch64 Linux with systemd init
+* [x] Multi-user x86_64 Linux with systemd init, no SELinux
+* [x] Multi-user aarch64 Linux with systemd init, no SELinux
 * [x] Multi-user x86_64 MacOS
    + Note: User deletion is currently unimplemented, you need to use a user with a secure token and `dscl . -delete /Users/_nixbuild*` where `*` is each user number.
 * [x] Multi-user aarch64 MacOS
    + Note: User deletion is currently unimplemented, you need to use a user with a secure token and `dscl . -delete /Users/_nixbuild*` where `*` is each user number.
 * [x] Valve Steam Deck
+* [ ] Multi-user x86_64 Linux with systemd init, with SELinux
+* [ ] Multi-user aarch64 Linux with systemd init, with SELinux
 * [ ] Single-user x86_64 Linux
 * [ ] Single-user aarch64 Linux
 * [ ] Others...
--- a/src/error.rs
+++ b/src/error.rs
@ -55,7 +55,7 @@ pub enum HarmonicError {
    ),
 }

-pub(crate) trait HasExpectedErrors {
+pub(crate) trait HasExpectedErrors: std::error::Error + Sized + Send + Sync {
    fn expected<'a>(&'a self) -> Option<Box<dyn std::error::Error + 'a>>;
 }

--- a/src/planner/linux/multi.rs
+++ b/src/planner/linux/multi.rs
@ -37,6 +37,24 @@ impl Planner for LinuxMulti {
            return Err(PlannerError::NixOs);
        }

+        // We currently do not support SELinux
+        match Command::new("getenforce").output().await {
+            Ok(output) => {
+                let stdout_string = String::from_utf8(output.stdout).map_err(PlannerError::Utf8)?;
+                tracing::trace!(getenforce_stdout = stdout_string, "SELinux detected");
+                match stdout_string.trim() {
+                    "Enforcing" => return Err(PlannerError::SelinuxEnforcing),
+                    _ => (),
+                }
+            },
+            // The device doesn't have SELinux set up
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => (),
+            // Some unknown error
+            Err(e) => {
+                tracing::warn!(error = ?e, "Got an error checking for SELinux setting, this install may fail if SELinux is set to `Enforcing`")
+            },
+        }
+
        // For now, we don't try to repair the user's Nix install or anything special.
        if let Ok(_) = Command::new("nix-env")
            .arg("--version")
@ -82,13 +100,3 @@ impl Into<BuiltinPlanner> for LinuxMulti {
        BuiltinPlanner::LinuxMulti(self)
    }
 }
-
-#[derive(thiserror::Error, Debug)]
-enum LinuxMultiError {
-    #[error("Error planning action")]
-    Action(
-        #[source]
-        #[from]
-        Box<dyn std::error::Error + Send + Sync>,
-    ),
-}
--- a/src/planner/mod.rs
+++ b/src/planner/mod.rs
@ -77,7 +77,7 @@ match plan.install(None).await {
 pub mod darwin;
 pub mod linux;

-use std::collections::HashMap;
+use std::{collections::HashMap, string::FromUtf8Error};

 use crate::{
    action::{ActionError, StatefulAction},
@ -189,6 +189,12 @@ pub enum PlannerError {
    /// A MacOS (Darwin) plist related error
    #[error(transparent)]
    Plist(#[from] plist::Error),
+    /// A Linux SELinux related error
+    #[error("This installer doesn't yet support SELinux in `Enforcing` mode. If SELinux is important to you, please see https://github.com/DeterminateSystems/harmonic/issues/124. You can also try again after setting SELinux to `Permissive` mode with `setenforce Permissive`")]
+    SelinuxEnforcing,
+    /// A UTF-8 related error
+    #[error("UTF-8 error")]
+    Utf8(#[from] FromUtf8Error),
    /// Custom planner error
    #[error("Custom planner error")]
    Custom(#[source] Box<dyn std::error::Error + Send + Sync>),
@ -205,6 +211,8 @@ impl HasExpectedErrors for PlannerError {
            PlannerError::Action(_) => None,
            PlannerError::InstallSettings(_) => None,
            PlannerError::Plist(_) => None,
+            PlannerError::Utf8(_) => None,
+            PlannerError::SelinuxEnforcing => Some(Box::new(self)),
            PlannerError::Custom(_) => None,
            this @ PlannerError::NixOs => Some(Box::new(this)),
            this @ PlannerError::NixExists => Some(Box::new(this)),