
osbuild: use SELinux policy when setting labels on mountpoints
This allows us to use the policy rather than hardcoding labels to set
on the mountpoints. The unfortunate thing here is that in order to
pick up a policy easily we have to use the `build` pipeline where
the files are written out plainly and we don't have to find where
the OSTree deployment is. I say unfortunate because right now for
FCOS the `build` pipeline was getting skipped because we weren't using
it for anything else, but now we'll be forced to build it.

That's OK I think, because we really want to start using a non-host
(i.e. non-COSA) buildroot for FCOS too if we can ever convince the
team/community to get python into it.

This commit also adds a comment to explain the "why" for the mkdir
and two selinux stages.
dustymabe committed Oct 30, 2024
1 parent 8f73baf commit 5376f91
Showing 4 changed files with 355 additions and 48 deletions.
102 changes: 89 additions & 13 deletions src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml
Expand Up @@ -110,7 +110,9 @@ pipelines:
else:
type: org.osbuild.noop
# Construct a buildroot here from the input container reference (either
# ociarchive or registry/tag). Note that it won't actually be built
# ociarchive or registry/tag). Note that this is only used as a buildroot
# on RHCOS (FCOS doesn't ship python), but it is used everywhere as
# file_context input to the org.osbuild.selinux stages.
# unless used somewhere later in the manifest.
- name: build
stages:
Expand Down Expand Up @@ -143,8 +145,14 @@ pipelines:
# https://github.com/coreos/fedora-coreos-tracker/issues/1772
- type: org.osbuild.selinux
options:
labels:
/: system_u:object_r:root_t:s0
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: tree:///
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
- type: org.osbuild.ostree.init-fs
- type: org.osbuild.ostree.os-init
options:
Expand Down Expand Up @@ -317,6 +325,12 @@ pipelines:
mpp-format-string: '{root_fs_uuid}'
label:
mpp-format-string: '{root_fs_label}'
# We've created the filesystems. Now let's create the mountpoints (directories)
# on the filesystems and label them with appropriate SELinux labels. This also
# covers things like filesystem autogenerated files like 'lost+found'. The labeling
# will happen once with just the root filesystem mounted and once with the boot
# filesystem mounted too (to make sure we get all potentially hidden mountpoints).
# https://github.com/coreos/fedora-coreos-tracker/issues/1771
- type: org.osbuild.mkdir
options:
paths:
Expand Down Expand Up @@ -345,10 +359,37 @@ pipelines:
target: /boot-mount-point
- type: org.osbuild.selinux
options:
labels:
mount://root/boot: system_u:object_r:boot_t:s0
mount://boot/efi: system_u:object_r:boot_t:s0
mount://boot/lost+found: system_u:object_r:lost_found_t:s0
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
options:
filename: disk.img
partscan: true
mounts:
- name: root
type: org.osbuild.xfs
source: disk
partition:
mpp-format-int: '{image.layout[''root''].partnum}'
target: /
- type: org.osbuild.selinux
options:
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/boot/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
Expand All @@ -361,7 +402,7 @@ pipelines:
source: disk
partition:
mpp-format-int: '{image.layout[''root''].partnum}'
target: /sysroot
target: /
- name: boot
type: org.osbuild.ext4
source: disk
Expand Down Expand Up @@ -534,6 +575,12 @@ pipelines:
mpp-format-string: '{root_fs_uuid}'
label:
mpp-format-string: '{root_fs_label}'
# We've created the filesystems. Now let's create the mountpoints (directories)
# on the filesystems and label them with appropriate SELinux labels. This also
# covers things like filesystem autogenerated files like 'lost+found'. The labeling
# will happen once with just the root filesystem mounted and once with the boot
# filesystem mounted too (to make sure we get all potentially hidden mountpoints).
# https://github.com/coreos/fedora-coreos-tracker/issues/1771
- type: org.osbuild.mkdir
options:
paths:
Expand Down Expand Up @@ -564,10 +611,14 @@ pipelines:
target: /boot-mount-point
- type: org.osbuild.selinux
options:
labels:
mount://root/boot: system_u:object_r:boot_t:s0
mount://boot/efi: system_u:object_r:boot_t:s0
mount://boot/lost+found: system_u:object_r:lost_found_t:s0
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
Expand All @@ -582,7 +633,32 @@ pipelines:
source: disk
partition:
mpp-format-int: '{image4k.layout[''root''].partnum}'
target: /sysroot
target: /
- type: org.osbuild.selinux
options:
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/boot/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
options:
filename: disk.img
partscan: true
sector-size:
mpp-format-int: "{four_k_sector_size}"
mounts:
- name: root
type: org.osbuild.xfs
source: disk
partition:
mpp-format-int: '{image4k.layout[''root''].partnum}'
target: /
- name: boot
type: org.osbuild.ext4
source: disk
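Review bot: The rewritten comment on the `build` pipeline (hunk `@@ -110,7 +110,9 @@`) leaves what appears to be an unchanged context line, `# unless used somewhere later in the manifest.`, dangling: it used to finish the sentence "Note that it won't actually be built …" that this commit replaces, so the comment now ends with a clause that belongs to nothing. Drop that line or fold its meaning into the new text, e.g. `# file_contexts input to the org.osbuild.selinux stages, so it is always built.`, which also spells the option the same way as the `file_contexts:` keys below. A caveat worth recording next to those keys: the labels written to the disk come from whatever policy is in the `build` tree, which only matches the deployed OS because that tree is constructed from the same input container; if `build` ever becomes a separate buildroot image (as the commit message anticipates for FCOS), the `file_contexts` input must keep pointing at the target OS's policy or the mountpoints will be labelled from a different policy version.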
99 changes: 88 additions & 11 deletions src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml
Expand Up @@ -112,7 +112,9 @@ pipelines:
else:
type: org.osbuild.noop
# Construct a buildroot here from the input container reference (either
# ociarchive or registry/tag). Note that it won't actually be built
# ociarchive or registry/tag). Note that this is only used as a buildroot
# on RHCOS (FCOS doesn't ship python), but it is used everywhere as
# file_context input to the org.osbuild.selinux stages.
# unless used somewhere later in the manifest.
- name: build
stages:
Expand Down Expand Up @@ -145,8 +147,14 @@ pipelines:
# https://github.com/coreos/fedora-coreos-tracker/issues/1772
- type: org.osbuild.selinux
options:
labels:
/: system_u:object_r:root_t:s0
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: tree:///
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
- type: org.osbuild.ostree.init-fs
- type: org.osbuild.ostree.os-init
options:
Expand Down Expand Up @@ -310,6 +318,12 @@ pipelines:
mpp-format-string: '{root_fs_uuid}'
label:
mpp-format-string: '{root_fs_label}'
# We've created the filesystems. Now let's create the mountpoints (directories)
# on the filesystems and label them with appropriate SELinux labels. This also
# covers things like filesystem autogenerated files like 'lost+found'. The labeling
# will happen once with just the root filesystem mounted and once with the boot
# filesystem mounted too (to make sure we get all potentially hidden mountpoints).
# https://github.com/coreos/fedora-coreos-tracker/issues/1771
- type: org.osbuild.mkdir
options:
paths:
Expand All @@ -330,9 +344,37 @@ pipelines:
target: /root-mount-point
- type: org.osbuild.selinux
options:
labels:
mount://root/boot: system_u:object_r:boot_t:s0
mount://boot/lost+found: system_u:object_r:lost_found_t:s0
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
options:
filename: disk.img
partscan: true
mounts:
- name: root
type: org.osbuild.xfs
source: disk
partition:
mpp-format-int: '{image.layout[''root''].partnum}'
target: /
- type: org.osbuild.selinux
options:
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/boot/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
Expand All @@ -345,7 +387,7 @@ pipelines:
source: disk
partition:
mpp-format-int: '{image.layout[''root''].partnum}'
target: /sysroot
target: /
- name: boot
type: org.osbuild.ext4
source: disk
Expand Down Expand Up @@ -495,6 +537,11 @@ pipelines:
mpp-format-string: '{root_fs_uuid}'
label:
mpp-format-string: '{root_fs_label}'
# We've created the filesystems. Now let's create the mountpoints (directories)
# on the filesystems and label them with appropriate SELinux labels. The labeling
# will happen once with just the root filesystem mounted and once with the boot
# filesystem mounted too (to make sure we get all potentially hidden mountpoints).
# https://github.com/coreos/fedora-coreos-tracker/issues/1771
- type: org.osbuild.mkdir
options:
paths:
Expand All @@ -517,9 +564,14 @@ pipelines:
target: /root-mount-point
- type: org.osbuild.selinux
options:
labels:
mount://root/boot: system_u:object_r:boot_t:s0
mount://boot/lost+found: system_u:object_r:lost_found_t:s0
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
Expand All @@ -534,7 +586,32 @@ pipelines:
source: disk
partition:
mpp-format-int: '{image4k.layout[''root''].partnum}'
target: /sysroot
target: /
- type: org.osbuild.selinux
options:
file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
target: mount://root/boot/
inputs:
tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:build
devices:
disk:
type: org.osbuild.loopback
options:
filename: disk.img
partscan: true
sector-size:
mpp-format-int: "{four_k_sector_size}"
mounts:
- name: root
type: org.osbuild.xfs
source: disk
partition:
mpp-format-int: '{image4k.layout[''root''].partnum}'
target: /
- name: boot
type: org.osbuild.ext4
source: disk
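Review bot: The comment added above the `org.osbuild.mkdir` stage in the `image4k` pipeline (hunk `@@ -495,6 +537,11 @@`) is a shortened copy of the one added earlier in this file (hunk `@@ -310,6 +318,12 @@`): it drops the sentence `# covers things like filesystem autogenerated files like 'lost+found'.`, yet the stages beneath it are the same as the 512-byte-sector ones apart from `sector-size`, so the 4k variant should carry the identical five-line comment. The rewritten `build` pipeline comment in this file's first hunk also appears to leave the unchanged line `# unless used somewhere later in the manifest.` trailing a sentence it no longer belongs to; remove it or fold it into the new wording, e.g. `# file_contexts input to the org.osbuild.selinux stages, so it is always built.`.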
