manifests/fedora-coreos: add SELinux workaround

Recent changes in the SELinux policy have broken a lot of our code. Revert the affected domains back to permissive mode until fedora-selinux/selinux-policy#2257 merges and the domains are reverted back to permissive mode upstream. bootupd_t: https://bugzilla.redhat.com/show_bug.cgi?id=2300306 coreos_installer_t: https://bugzilla.redhat.com/show_bug.cgi?id=2305385
marmijo · Aug 29, 2024 · f5585db · f5585db
1 parent f1eae23
commit f5585db
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml
@@ -136,7 +136,24 @@ postprocess:
             done
         done
     done
-
+  # Recent changes in the SELinux policy have broken a lot of our code.
+  # Revert the affected domains back to permissive mode until
+  # https://github.com/fedora-selinux/selinux-policy/pull/2257 merges
+  # and the domains are reverted upstream.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    cat > /tmp/fcos-workarounds.cil << EOF
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2300306
+    (typeattributeset cil_gen_require bootupd_t)
+    (typepermissive bootupd_t)
+
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2305385
+    (typeattributeset cil_gen_require coreos_installer_t)
+    (typepermissive coreos_installer_t)
+    EOF
+    /usr/sbin/semodule -i /tmp/fcos-workarounds.cil
+    rm /tmp/fcos-workarounds.cil
 
 remove-files:
   # We don't ship man(1) or info(1)