workaround selinux issues with osbuild #3885
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
These are extremely useful when dealing with a limited serial console to try to restore some order to the output.
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888
jlebon
reviewed
Sep 17, 2024
jlebon
approved these changes
Sep 18, 2024
There was a problem hiding this comment.
Thanks for digging into this! Definitely not ideal, but I think warranted given the current situation.
Were you thinking of leaving the tracker issues until we clean this up here or should we file a separate cosa issue for this part? Don't want us to forget this is here.
I'm still working through it with upstream osbuild/osbuild#1877, but yeah I think maybe I'll open a new issue for the real longer term fix. |
|
/cherrypick rhcos-4.17 |
|
@dustymabe: new pull request created: #3886 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
dustymabe
added a commit
to dustymabe/fedora-coreos-config
that referenced
this pull request
Sep 26, 2024
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
dustymabe
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this pull request
Sep 26, 2024
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We have a few issues right now where files in our images
don't have any selinux context (i.e. end up unlabeled_t).
Here we workaround the hidden mountpoints issue [1] with
a patch to OSBuild to hardcode some chcon calls. We
workaround the "bunch of files under /sysroot are unlabeled"
issue [2] by backported a proposed upstream change to
the org.osbuild.selinux stage [3] and then using it to
explicitly set the context on the root of the tree to
root_t. We also add a fix [4] for another issue where'/boot/coreos/platforms.json' would end up with the
wrong label.
[1] coreos/fedora-coreos-tracker#1771
[2] coreos/fedora-coreos-tracker#1772
[3] osbuild/osbuild#1889
[4] osbuild/osbuild#1888