WORKAROUND: Add ostree selinux module to work around issues with relabeling permissions

When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc from the initrd. This overlay mount will have the context kernel_t, meaning that not only will an external process need to pass its selinux checks against the overlay file, the overlay filesystem itself needs to pass the selinux check against the overlayfs upper/work dirs. Unfortunately, even with a recent selinux-policy (e.g. selinux-policy-38.1.23) the kernel_t type doesn't have the right to relabel files, nor the rights to manage device nodes, so boot fails.
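The commit message above describes denials raised against kernel_t because the /etc overlay is mounted from the initrd in that domain; the usual reflex is a blanket grant on every file_type. As an added example that is not part of ostree or of this commit, the POSIX shell script below aggregates AVC denial lines (the audit format `avc: denied { perms } ... scontext=... tcontext=... tclass=...`) into one allow rule per source type, target type and object class, the way audit2allow does, so a workaround .te can be limited to the types a permissive boot actually reported. The sample audit lines, the type names in them and the function names `avc_to_allow`, `sample_rules` and `rule_count` are constructed for the example.

```shell
#!/bin/sh
# Added example (not ostree code): turn SELinux AVC denials into the
# narrowest set of allow rules that would silence them, one rule per
# (source type, target type, object class). Run it on the denials a
# permissive boot produces to scope a workaround module to the types
# that were actually denied instead of every file_type.
set -eu

# avc_to_allow: read audit/AVC lines on stdin, print sorted allow rules.
# Only lines containing "avc: denied" are considered; others are ignored.
avc_to_allow() {
    awk '
    # type is the third field of user:role:type[:level]
    function type_of(ctx,   f) { split(ctx, f, ":"); return f[3] }
    /avc: +denied/ {
        src = tgt = cls = perms = ""
        # denied permissions are the words between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "scontext") src = type_of(v)
            else if (k == "tcontext") tgt = type_of(v)
            else if (k == "tclass") cls = v
        }
        if (src == "" || tgt == "" || cls == "") next
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    # rows are sorted, so rows with the same (src, tgt, class) are adjacent
    {
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " {" perms " };"
            perms = ""
        }
        perms = perms " " $4
        prev = key
    }
    END { if (prev != "") print "allow " prev " {" perms " };" }'
}

# Constructed sample denials (not captured from a real system), shaped
# like the failure the commit message describes: the /etc overlay is
# mounted from the initrd in kernel_t, so relabels and device-node
# creation under /etc are checked against kernel_t.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:40): avc:  denied  { relabelfrom relabelto } for  pid=1 comm="systemd" name="passwd" dev="overlay" ino=1234 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:41): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="shadow" dev="overlay" ino=1235 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:42): avc:  denied  { create } for  pid=1 comm="systemd" name="console" dev="overlay" ino=1236 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1700000000.103:42): arch=c000003e syscall=133 success=yes exit=0'

# sample_rules: the rules derived from SAMPLE_AVC. Expected output:
#   allow kernel_t etc_t:chr_file { create };
#   allow kernel_t passwd_file_t:file { relabelfrom relabelto };
#   allow kernel_t shadow_t:file { relabelto };
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

# rule_count: number of distinct (src, tgt, class) rules for the sample.
rule_count() {
    sample_rules | wc -l | tr -d ' '
}

sample_rules
```

Feed it the `ausearch -m avc` output of a permissive boot (or the journal lines with `avc: denied`) and the three rules it prints for the sample are the whole grant those denials need; compare that with `files_relabel_all_files(kernel_t)`, which covers every type carrying the `file_type` attribute.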
1 parent 1124c80, commit 326e2eb
Showing 8 changed files with 61 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
if BUILD_SELINUX_MODULE | ||
selinux_moduledir = ${datadir}/selinux/packages | ||
selinux_module_DATA = $(NULL) | ||
|
||
ostree.pp.bz2: selinux/ostree.te selinux/ostree.fc selinux/build-selinux.sh | ||
$(srcdir)/selinux/build-selinux.sh . $^ | ||
|
||
selinux_module_DATA += ostree.pp.bz2 | ||
endif | ||
|
||
EXTRA_DIST += \ | ||
selinux/build-selinux.sh \ | ||
selinux/ostree.te \ | ||
selinux/ostree.fc \ | ||
selinux/ostree.if \ | ||
$(NULL) | ||
|
||
DISTCLEANFILES += ostree.pp.bz2 |
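Review bot: the `ostree.pp.bz2` rule hands its prerequisites to the build script through `$^`, and the script copies only those into its temp dir, so `selinux/ostree.if` (added by this commit and listed in `EXTRA_DIST`, but absent from the prerequisite list) never reaches the refpolicy devel Makefile build and a change to it never triggers a rebuild. Either add `selinux/ostree.if` next to `selinux/ostree.fc` in the prerequisites or drop the file if the build really does not need it. The literal `.` passed as the output argument also means the result lands in whatever directory make runs in; `$@` would tie it to the target name.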
@@ -0,0 +1,16 @@ | ||
#!/bin/sh | ||
# Copyright 2023 Red Hat Inc. | ||
# SPDX-License-Identifier: LGPL-2.1-or-later | ||
|
||
set -x | ||
set -eu | ||
|
||
TMP=$(mktemp -d selinux-build-XXXXXX) | ||
output="$1" | ||
shift | ||
cp -- "$@" "$TMP/" | ||
|
||
make -C "$TMP" -f /usr/share/selinux/devel/Makefile ostree.pp | ||
bzip2 -9 "$TMP/ostree.pp" | ||
cp "$TMP/ostree.pp.bz2" "$output" | ||
rm -fr "$TMP" |
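Review bot: the temp dir is removed only on the success path; with `set -eu` a failing `make`, `bzip2` or `cp` exits before `rm -fr "$TMP"`, and because the template `selinux-build-XXXXXX` has no directory component, `mktemp -d` creates it in the build tree, so every failed build leaves a `selinux-build-*` directory behind. Add `trap 'rm -rf "$TMP"' EXIT` right after the `mktemp` line and drop the final `rm`. `set -x` also puts every command of the policy build into normal build logs; consider guarding it on a verbose flag.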
Empty file.
@@ -0,0 +1 @@ | ||
## <summary>selinux</summary> |
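Review bot: the interface file's `<summary>` is just `selinux`, which is the text SELinux policy tooling surfaces as the module description and says nothing about what the module does or why it exists. Describe the module, e.g. `## <summary>Workaround rules for the ostree transient /etc overlay (kernel_t relabel and device-node rights)</summary>`, and mention that it defines no interfaces so nobody looks for them.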
@@ -0,0 +1,12 @@ | ||
policy_module(ostree, 1.0) | ||
|
||
gen_require(` | ||
type kernel_t; | ||
attribute file_type; | ||
') | ||
|
||
# Work around issue with kernel_t not supporting relabelto/from and device node management | ||
|
||
files_relabel_all_files(kernel_t) | ||
manage_chr_files_pattern(kernel_t, file_type, file_type) | ||
manage_blk_files_pattern(kernel_t, file_type, file_type) |
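Review bot: the grant is far wider than the /etc overlay needs. `files_relabel_all_files(kernel_t)` gives `kernel_t` relabelfrom/relabelto on every type carrying the `file_type` attribute, and `manage_chr_files_pattern(kernel_t, file_type, file_type)` / `manage_blk_files_pattern(kernel_t, file_type, file_type)` let it create, write, rename and unlink character and block device nodes in directories of any `file_type`; `kernel_t` is the domain of kernel threads and of everything that runs in the initrd before the transition to init, so this removes a large part of what the policy enforces on early boot. Boot once in permissive mode, collect the AVC denials and restrict the rules to the source/target types and classes actually reported under /etc. Also extend the comment with the selinux-policy version the commit message names (38.1.23) and a reference to the upstream policy issue, so the module can be removed once kernel_t gains these permissions in the distribution policy.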