anaconda: enable SELinux for live-installer #897
The live installer build has been installing non-enforcing systems. This is due to a leftover from the image installer setting the system to permissive. Make it so we apply the contexts and don't write a permissive config for the live installer.
Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
The previous commit introduced SELinux to the live installer. This commit brings the pipeline more in line with the os pipeline; SELinux is now a property on the pipeline set in the image. It is hardcoded to be set to targeted for live installers and is considered a programming error to be set for non-live installers.
Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
Note that I could be convinced to move this to the same paradigm with The non-live installers could be done as a follow-up but we have the 'problem' there that we need to ensure that the toggle makes sense and goes to the right place as the anaconda-tree is not the tree being installed to system so we'd have two SELinux policies there.
Thanks for the changes. This looks good enough for me 🙂
Thanks. LGTM!
The CentOS Stream 10 unit tests are failing because
There's dnf5-plugins that replace "core/extras" but they've not done proper provides/obsoleted etc. I think core needs to come back. I am going to file a bug on this because it bit me the other day too in a different use case; will reference the bug
Thanks! Though, doing a quick check with the
The live installer build has been installing non-enforcing systems. This is due to a leftover from the image installer setting the system to permissive.
Make it so we apply the contexts and don't write a permissive config for the live installer.
Closes #460 which has been flying under my radar for entirely too long.
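A config-level check for the regression this PR describes, as an added example that is not part of the PR or the project's code: it reads `etc/selinux/config` under a mounted or unpacked root tree and reports anything other than `SELINUX=enforcing` with `SELINUXTYPE=targeted`. The function names and sample trees are constructed for illustration, treating a missing config as a finding is an assumption, and file contexts and kernel command-line overrides are not checked.

```python
import os
import tempfile

def read_selinux_config(root):
    """Return {key: [values]} for SELINUX and SELINUXTYPE in <root>/etc/selinux/config."""
    path = os.path.join(root, "etc", "selinux", "config")
    found = {"SELINUX": [], "SELINUXTYPE": []}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key in found:
                # The mode is compared case-insensitively; the policy type is kept as written.
                found[key].append(value.lower() if key == "SELINUX" else value)
    return found

def audit_tree(root, want_type="targeted"):
    """List config-level problems in a root tree; an empty list means none were found."""
    try:
        cfg = read_selinux_config(root)
    except FileNotFoundError:
        return ["etc/selinux/config is missing"]  # assumption: treated as a finding
    problems = []
    for key, want in (("SELINUX", "enforcing"), ("SELINUXTYPE", want_type)):
        values = cfg[key]
        if not values:
            problems.append(f"{key} is not set")
        elif len(set(values)) > 1:
            problems.append(f"{key} is set more than once with different values: {values}")
        elif values[0] != want:
            problems.append(f"{key}={values[0]} (expected {want})")
    return problems

def make_tree(parent, name, config_text):
    """Build a constructed root tree that contains only etc/selinux/config."""
    root = os.path.join(parent, name)
    os.makedirs(os.path.join(root, "etc", "selinux"))
    with open(os.path.join(root, "etc", "selinux", "config"), "w", encoding="utf-8") as fh:
        fh.write(config_text)
    return root

def demo():
    """Audit a permissive tree, an enforcing tree and a tree with no config (all constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = make_tree(tmp, "before", "# constructed sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n")
        good = make_tree(tmp, "after", "# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n")
        return audit_tree(bad), audit_tree(good), audit_tree(os.path.join(tmp, "absent"))

if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```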