repo: Add an option to label /usr/etc as /etc #3063
Depends on ostreedev/ostree#3063. This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
I think this one is good to go, has a test case now.
case 0: | ||
break; | ||
case 1: | ||
flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1; |
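Review bot: No `default` branch is visible after `case 1` in this switch, so if none follows, any value other than 0 or 1 would leave `flags` unchanged and the commit would be written without `OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1`, with no indication to the caller. Consider returning an error for unrecognized values so that a typo, or a setting written for a newer release, fails loudly instead of silently falling back to the old labeling. A short comment on `case 0` saying that it deliberately keeps the existing behavior would also help readers.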
A bit unsure about the epoch approach. Do you envision many more SELinux options that fall in the "clearly right, but needs ratcheting" category?
We could always add epochs later on that just combine the flags if that happens.
Right, the background for this is that today there's `ostree admin init-fs --modern` and I actually wanted to change the defaults there to do something else, and then it gets weird because it'd need to be called like `--really-modern` or something 😄
You're probably right we wouldn't change things again (and if we did we'd probably arguably want to change the policy defaults).
But still, no harm done in making this a bit more future proof right?
> But still, no harm done in making this a bit more future proof right?

Just trying to keep out unnecessary complexity (YAGNI and all that). :)
But not strongly against.
This will be very useful for enabling a "transient /etc" option because we won't have to do hacks relabeling in the initramfs, or forcing it on just for composefs.