libostree: write selinux xattr when on non-selinux systems #3151
Conversation
Hi @mvo5. Thanks for your PR. I'm waiting for an ostreedev member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
I can help with a test case
#3152 will help verify this, though to make it work we'll want to add a "no really try to use selinux even on non-selinux" host arg to Alternatively we can just do a direct ubuntu deploy here too, I can look at that.
Thank you! I really appreciate the quick reply here. I have no opinion about the best approach here and will happily follow your lead. I will just need a few hints on how to best approach this. Alternatively, feel free to push directly to this PR, or I can mark it ready and we test indirectly via the approaches outlined. I am happy either way :)
We're going to investigate supporting installing SELinux-enabled targets from a SELinux-disabled host. This environment variable will allow bypassing the check. xref ostreedev/ostree#3151 Signed-off-by: Colin Walters <[email protected]>
OK containers/bootc#293 helps us get farther here for testing. And yes...trying this out I notice that yep, we are not handling the labeling for all of the "basic infrastructure dirs" here, like
I did containers/bootc#294 to push this farther, but there's definitely still that can of worms.
Force-pushed from 790fa17 to c78f9f1
I've updated this with a test, and this verifies that it improves things as we now correctly have labels for
Thank you! Very nice how straightforward it was to add a small test for this.
@mvo5 just one more bug to fix here, we need to handle the build without selinux enabled, xref https://github.com/ostreedev/ostree/actions/runs/7809000169/job/21300094068?pr=3151
Force-pushed from c78f9f1 to d5f87d7
Currently when writing data for selinux systems on a non-selinux system there will be no labels. This is because `ostree_sepolicy_setfscreatecon()` just returns TRUE on non-selinux systems and xattr writing for `security.selinux` is filtered out. This patch uses the suggestion of Colin Walters (thanks!) from ostreedev#2804 and detects if the host has selinux enabled and if not just skips filtering the xattrs for selinux.
As we work to change ostree to set up the labels for things even in a selinux-host-disabled case, let's test it here.
Force-pushed from d5f87d7 to 5cfc5c7
/ok-to-test
Currently when writing data for selinux systems on a non-selinux system there will be no labels. This is because `ostree_sepolicy_setfscreatecon()` just returns TRUE on non-selinux systems and xattr writing for `security.selinux` is filtered out. This patch uses the suggestion of Colin Walters (thanks!) from #2804 and detects if the host has selinux enabled and if not just skips filtering the xattrs for selinux.

[draft as this will need a test (and validation of the basic approach by someone experienced) and I will need a hint how to best test this]
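As an added illustration (not code from this PR or from libostree itself), the following C program models the xattr-filter decision the PR changes. It takes a NUL-separated name list in the format llistxattr(2) returns and applies two policies: the pre-fix behaviour, which drops `security.selinux` unconditionally, and the fixed behaviour, which drops it only when the host itself has SELinux enabled. The host check `host_selinux_enabled()` is a hypothetical stand-in for libselinux's `is_selinux_enabled()` that only probes for a mounted selinuxfs; `filter_xattr_names`, `count_xattr_names` and the sample name list are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample: the NUL-separated name list llistxattr(2) would return
 * for a file carrying three xattrs. sizeof() includes the final NUL. */
static const char sample_xattr_names[] =
    "user.ostreemeta\0security.selinux\0security.capability";
static const size_t sample_xattr_names_len = sizeof(sample_xattr_names);

#define SELINUX_XATTR "security.selinux"

/* Hypothetical stand-in for libselinux's is_selinux_enabled(): treat the host
 * as SELinux-enabled when selinuxfs is mounted at its usual path. Real code
 * should call libselinux; this keeps the example free of extra dependencies. */
static bool host_selinux_enabled(void)
{
    return access("/sys/fs/selinux/enforce", F_OK) == 0;
}

/* Copy the xattr names from `names` (length `len`, NUL-separated) into `out`,
 * dropping security.selinux according to one of two policies:
 *   always_drop_selinux = true  : pre-fix behaviour, the label is always dropped,
 *                                 so a non-SELinux host writes no label at all
 *   always_drop_selinux = false : fixed behaviour, dropped only when the host has
 *                                 SELinux enabled (setfscreatecon labels there)
 * Returns the number of bytes written to `out`, or -1 if `outlen` is too small. */
static ssize_t filter_xattr_names(const char *names, size_t len,
                                  bool host_selinux, bool always_drop_selinux,
                                  char *out, size_t outlen)
{
    size_t pos = 0, written = 0;
    while (pos < len) {
        const char *name = names + pos;
        size_t nlen = strnlen(name, len - pos);
        bool is_selinux = nlen == strlen(SELINUX_XATTR) &&
                          memcmp(name, SELINUX_XATTR, nlen) == 0;
        bool drop = is_selinux && (always_drop_selinux || host_selinux);
        if (!drop) {
            if (written + nlen + 1 > outlen)
                return -1;
            memcpy(out + written, name, nlen);
            out[written + nlen] = '\0';
            written += nlen + 1;
        }
        pos += nlen + 1;
    }
    return (ssize_t)written;
}

/* Count the names in a NUL-separated list of `len` bytes. */
static size_t count_xattr_names(const char *names, size_t len)
{
    size_t count = 0, pos = 0;
    while (pos < len) {
        size_t nlen = strnlen(names + pos, len - pos);
        count++;
        pos += nlen + 1;
    }
    return count;
}

int main(void)
{
    char out[128];
    bool host = host_selinux_enabled();
    ssize_t n = filter_xattr_names(sample_xattr_names, sample_xattr_names_len,
                                   host, false, out, sizeof out);
    if (n < 0)
        return 1;
    printf("host SELinux %s: %zu of %zu xattrs kept\n",
           host ? "enabled" : "disabled",
           count_xattr_names(out, (size_t)n),
           count_xattr_names(sample_xattr_names, sample_xattr_names_len));
    return 0;
}
```

On a host without SELinux the fixed policy keeps all three names, so the `security.selinux` value stored in the commit reaches the deployed file; the pre-fix policy drops it and, since `ostree_sepolicy_setfscreatecon()` does nothing on such a host, the file ends up unlabeled, which is the bug the PR describes. On an SELinux-enabled host both policies drop the name, leaving labeling to the host policy.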