From 1114c7cd2e766f1dc57b9ca4085f0cdae67e1b99 Mon Sep 17 00:00:00 2001 From: Benjamin Sherman Date: Sat, 26 Oct 2024 14:47:59 -0500 Subject: [PATCH] fix: handle new F41 selinux policies for sulogin-generator Remove our in-repo copy of `ublue-sulogin-generator` and replace with the current version from CoreOS. This way we will stay in sync with that as an upstream, and comply with new Fedora 41 SElinux policy. Safe for F39/F40 as well. Fixes: #653 --- install.sh | 6 ++ .../system-generators/ublue-sulogin-generator | 65 ------------------- 2 files changed, 6 insertions(+), 65 deletions(-) delete mode 100755 sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator diff --git a/install.sh b/install.sh index 6f511ed7..d09d96ed 100755 --- a/install.sh +++ b/install.sh @@ -66,6 +66,12 @@ fi ## install packages direct from github /ctx/github-release-install.sh sigstore/cosign x86_64 +# use CoreOS' generator for emergency/rescue boot +# see detail: https://github.com/ublue-os/main/issues/653 +CSFG=/usr/lib/systemd/system-generators/coreos-sulogin-force-generator +curl -sSLo ${CSFG} https://raw.githubusercontent.com/coreos/fedora-coreos-config/refs/heads/stable/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator +chmod +x ${CSFG} + if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then /ctx/initramfs.sh fi diff --git a/sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator b/sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator deleted file mode 100755 index ebee5d35..00000000 --- a/sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator +++ /dev/null 
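Review bot: The added `curl -sSLo ${CSFG} https://raw.githubusercontent.com/coreos/fedora-coreos-config/refs/heads/stable/...` line in install.sh installs an executable systemd generator from a moving branch with no integrity check, so the image ships whatever that branch holds at build time, and generators run as root early in boot. Pinning the URL to a reviewed commit and checking a digest before `chmod +x` would keep the upstream sync deliberate: `curl -fsSLo "${CSFG}" https://raw.githubusercontent.com/coreos/fedora-coreos-config/<PINNED_COMMIT_SHA>/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator` followed by `echo "<EXPECTED_SHA256>  ${CSFG}" | sha256sum -c -` (both values are placeholders to fill in at review time). Without `-f`, an HTTP error body is written to `${CSFG}` and then marked executable instead of failing the build. Whether a failed download aborts the script at all depends on `set -e`, which is not visible in this hunk. The `${CSFG}` expansions should also be quoted.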
@@ -1,65 +0,0 @@ -#!/usr/bin/bash - -# This systemd.generator(7) detects if rescue or emergency targets were -# requested from the kernel cmdline; if so, it overrides the respective -# target to set force sulogin, allowing use of rescue/emergency targets -# on systems with locked root password (as is Fedora default). -# -# This does NOT bypass locked root password on a fsck failure, but WILL -# bypass when rescue/emergency targets are chosen from kernel cmdline. -# Since this requires console/grub access, it is assumed to be at least -# as secure as a user reset of the root password using grub to modify -# the kernel cmdline with init=/bin/bash . -# -# NOTE: the SYSTEMD_SULOGIN_FORCE method used here does not bypass any -# assigned password; root password is only bypassed when locked/unset. - -export PATH="/usr/bin:/usr/sbin:${PATH}" -if [ -n "$1" ]; then - # If invoked with arguments (not testing) log to kmsg - # https://github.com/systemd/systemd/issues/15638 - exec 1>/dev/kmsg; exec 2>&1 -fi - -# If invoked with no arguments (for testing) write to /tmp -UNIT_DIR="${1:-/tmp}" - -set -euo pipefail - -have_some_karg() { - local args=("$@") - IFS=" " read -r -a cmdline <<< "$( "${out_dir}/sulogin-force.conf" <