Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

coreos-boot-edit.sh creates /boot/.root_uuid as unlabeled_t #1770

Open
travier opened this issue Jul 31, 2024 · 4 comments · Fixed by coreos/fedora-coreos-config#3155
Open

coreos-boot-edit.sh creates /boot/.root_uuid as unlabeled_t #1770

travier opened this issue Jul 31, 2024 · 4 comments · Fixed by coreos/fedora-coreos-config#3155
Assignees
@jlebon
Labels
area/selinux jira for syncing to jira kind/bug

Comments

@travier
Copy link
Member

travier commented Jul 31, 2024
edited
Loading

Describe the bug

https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.sh likely runs before we've loaded the SELinux policy and writes /boot/.root_uuid which ends up not being labeled (unlabeled_t).

Reproduction steps

Boot FCOS. Run:

ls -alhZ /boot

Expected behavior

All files are correctly labeled.

Actual behavior

/boot/.root_uuid is unlabeled_t.

System details

N/A

Butane or Ignition config

None

Additional information

No response
@travier travier mentioned this issue Jul 31, 2024
Open
@jlebon
Copy link
Member

jlebon commented Aug 6, 2024

A coreos-relabel would fix it for new systems, but I think that'd require changing coreos-boot-edit to actually do the temporary boot mount under /sysroot/boot instead of /mnt/boot_partition so the expected path lines up. (Though there's a bit of a layering violation in that the script would have to know that rdcore bind-boot writes that file; rdcore could itself call coreos-relabel instead, but that command so far hasn't really escaped this repo.)

We should probably fix it on existing systems, but it doesn't seem worth a barrier. We could bundle it in whatever the next barrier release we do.

@dustymabe
Copy link
Member

We should probably fix it on existing systems, but it doesn't seem worth a barrier. We could bundle it in whatever the next barrier release we do.

@jbtrystram is working on a migration script to fixup labels on systems for #1771 and various other issues so we can fix these too.

We kind of need all of these root causes of the unlabeled files fixed too before we can release the migration script (i.e. freshly installed systems at a certain point should have no unlabeled_t once installed).

What's the proper fix for this root cause?

jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Sep 10, 2024
@jlebon
coreos-boot-edit: relabel rdcore files
6f9f54d 
The `rdcore bind-boot` command write files to the bootfs but currently
doesn't relabel them. Let's just relabel it from this side for now.
In the future we could look at having `rdcore` call `setfiles` like
Ignition does, or better, make `coreos-relabel` a more public API.

This fixes coreos/fedora-coreos-tracker#1770
for new installs.

Refrained from adding tests for this. I think instead what we need is
once all these relabeling issues are fixed, a test that verifies that
*everything* is labeled.
@jlebon jlebon mentioned this issue Sep 10, 2024
Merged
@jlebon
Copy link
Member

jlebon commented Sep 10, 2024

Opened coreos/fedora-coreos-config#3155 for this.

@dustymabe dustymabe added the jira for syncing to jira label Sep 10, 2024
@jlebon
Copy link
Member

jlebon commented Sep 10, 2024

coreos/fedora-coreos-config#3155 only fixed the new installs case. We should still fix it on existing installs.

@jlebon jlebon reopened this Sep 10, 2024
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Sep 26, 2024
@jbtrystram @dustymabe
overlay/05core: fix selinux labels in /boot and /sysroot
45e83cf 
/boot/efi and /sysroot dir and subfiles are unlabeled_t since
40.20240504.3.0. This is likely due to some missing scaffolding
in the OSBuild software and definitions that we started using in
[1]. These issues [2] [3] were addressed in [4] for new image
builds, but we still need to fix upgrading systems, which we
do here in this migration script.

Note that we also fix a few files in /boot that were left
unlabeled by `rdcore` [5] while we are in here.

[1] coreos/fedora-coreos-tracker#1653.
[2] coreos/fedora-coreos-tracker#1771
[3] coreos/fedora-coreos-tracker#1772
[4] coreos/coreos-assembler#3885
[5] coreos/fedora-coreos-tracker#1770

Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 26, 2024
@jbtrystram @dustymabe
overlay.d: add 07fix-selinux-labels overlay
0a0191b 
/boot/efi and /sysroot dir and subfiles are unlabeled_t since
40.20240504.3.0. This is likely due to some missing scaffolding
in the OSBuild software and definitions that we started using in
[1]. These issues [2] [3] were addressed in [4] for new image
builds, but we still need to fix upgrading systems, which we
do here in this migration script.

Note that we also fix a few files in /boot that were left
unlabeled by `rdcore` [5] while we are in here.

[1] coreos/fedora-coreos-tracker#1653.
[2] coreos/fedora-coreos-tracker#1771
[3] coreos/fedora-coreos-tracker#1772
[4] coreos/coreos-assembler#3885
[5] coreos/fedora-coreos-tracker#1770

Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jlebon jlebon

Labels
area/selinux jira for syncing to jira kind/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

coreos-boot-edit: relabel rdcore files jlebon/fedora-coreos-config
3 participants
@dustymabe @jlebon @travier