ignition: Enable SELinux relabeling #1784
Conversation
It was disabled. Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
initramfs Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
| @@ -46,7 +46,7 @@ PATCHES=( | |||
|
|
|||
| src_compile() { | |||
| export GO15VENDOREXPERIMENT="1" | |||
| GO_LDFLAGS="-X github.com/flatcar-linux/ignition/v2/internal/version.Raw=${PV} -X github.com/flatcar-linux/ignition/v2/internal/distro.selinuxRelabel=false -X github.com/flatcar-linux/ignition/v2/internal/distro.writeAuthorizedKeysFragment=false" || die | |||
| GO_LDFLAGS="-X github.com/flatcar-linux/ignition/v2/internal/version.Raw=${PV} -X github.com/flatcar-linux/ignition/v2/internal/distro.writeAuthorizedKeysFragment=false" || die | |||
There was a problem hiding this comment.
@tormath1 oh, I think writeAuthorizedKeysFragment should be true, right? Otherwise changes done by Ignition get lost when update-ssh-keys runs, or?
There was a problem hiding this comment.
and we would need to trigger update-ssh-keys once because internal/authorized_keys_d/authorized_keys_d.go is gone
There was a problem hiding this comment.
I'll create a new issue for that
|
To verify it works as expected, we can run the following test: This test will create the following service file: which has the following label: with this PR, result should be the following (obtained here after a One existing Mantle test could be updated consequently. |
|
CI failed for the following tests (94 tests, 82 ok, 11 not ok):
Mainly for these two reasons: |
|
Any ideas on how to fix this? |
|
For the pwd.lock maybe a patch to Ignition, and for the readonly mount I'm not sure how to skip it best. |
|
Unfortunately, I ran out of cycles for working on this. |
|
Superseded by #2500. Thanks for the initial work 💪 |
ignition: Enable SELinux relabeling
This removes the LD Flag that disabled SELinux relabeling. It defaulted to true, thus enabling the feature.
Related Bug: flatcar/Flatcar#673