Add temporary workaround for agetty --reload SELinux denial
#988
Conversation
|
Still need to test this. |
|
Once we get this in, we can drop the way hackier workaround in rawhide that was added in #859. |
|
would dropping a stub ignition config that creates the file work too? I think files that get laid down by ignition get relabeled by default. |
Ignition configs can't write to |
In f34+, we're hitting an SELinux denial from c-l-h-m trying to do `agetty --reload` and causing `/run/agetty.reload` to be created with the wrong label. This then prevents agetty from adding an inotify watch to know when to reload the prompt to display new information. For more details, see: coreos#859 (comment) This is tracked at https://bugzilla.redhat.com/show_bug.cgi?id=1932053. With this workaround, we create the file up front in the initrd so that it gets relabeled by systemd on switchroot and thus will already exists with the right label well before c-l-h-m or anything else tries to `agetty --reload`.
jlebon
force-pushed
the
pr/agetty-workaround
branch
from
5d8569d to
316971c
Compare
Heh yeah, this is what this comment is about:
(See coreos/fedora-coreos-tracker#704 (comment)). We can bump it to f35 when we're rebasing |
|
Tested working! |
This reverts commit f8b31ab. This is done a cleaner way now in coreos#988.
extensions: use stream9 as builder because of s390x
In f34+, we're hitting an SELinux denial from c-l-h-m trying to do
agetty --reloadand causing/run/agetty.reloadto be created withthe wrong label. This then prevents agetty from adding an inotify watch
to know when to reload the prompt to display new information. For more
details, see:
#859 (comment)
This is tracked at https://bugzilla.redhat.com/show_bug.cgi?id=1932053.
With this workaround, we create the file up front in the initrd so that
it gets relabeled by systemd on switchroot and thus will already exists
with the right label well before c-l-h-m or anything else tries to
agetty --reload.