Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

manifests: set proper SELinux labels for '/boot/efi' and '/boot/lost+found' #3912

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

manifests: set proper SELinux labels for '/boot/efi' and '/boot/lost+found' #3912

wants to merge 3 commits into from
+1,121 −59

Conversation

nikita-dubrovskii
Copy link
Contributor

@nikita-dubrovskii nikita-dubrovskii commented Oct 23, 2024
edited
Loading

@dustymabe
Copy link
Member

nice. I'll check it out!

@dustymabe
Copy link
Member

I was playing around with this trying to use file_contexts and target instead of labels and was never able to get it to work. I'm not opposed to leaving it like it is in this PR, but I also want to confirm that what I'm hitting isn't some sort of bug in the OSBuild PR upstream. I'll dig in more tomorrow.

@nikita-dubrovskii
Copy link
Contributor Author

I was playing around with this trying to use file_contexts and target instead of labels and was never able to get it to work. I'm not opposed to leaving it like it is in this PR, but I also want to confirm that what I'm hitting isn't some sort of bug in the OSBuild PR upstream. I'll dig in more tomorrow.

Do you have patch somewhere to check? file_contexts is somewhere under ostree/deploy/fcos/hash/, will check now using it

@nikita-dubrovskii
Copy link
Contributor Author

@dustymabe indeed there was a small issue, now that fixed. I've added patch with file_contexts usage on top

@dustymabe
Copy link
Member

added a few commits on top (the first one can be squashed into one of yours if you agree it adds value).

Let me know what you think!

@nikita-dubrovskii
Copy link
Contributor Author

LGTM, thx for your commits!

nikita-dubrovskii and others added 3 commits November 8, 2024 08:25
@nikita-dubrovskii @dustymabe
manifests: set proper SELinux labels for '/boot/efi' and '/boot/lost+…
414384d 
…found'

Issue: osbuild/osbuild#1877

Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
@dustymabe @nikita-dubrovskii
osbuild: use SELinux policy when setting labels on mountpoints
e008f80 
This allows us to use the policy rather than hardcoding labels to set
on the mountpoints. The unfortunate thing here is that in order to
pick up a policy easily we have to use the `build` pipeline where
the files are written out plainly and we don't have to find where
the OSTree deployment is. I say unfortunate because right now for
FCOS the `build` pipeline was getting skipped because we weren't using
it for anything else, but now we'll be forced to build it.

That's OK I think, because we really want to start using a non-host
(i.e. non-COSA) buildroot for FCOS too if we can ever convince the
team/community to get python into it.

This commit also adds a comment to explain the "why" for the mkdir
and two selinux stages.
@nikita-dubrovskii
osbuild: set SELinux labels on qemu-secex image
3790fde
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dustymabe dustymabe Awaiting requested review from dustymabe

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nikita-dubrovskii @dustymabe