remount: ignore ENOENT error during SELinux relabeling #3266
lgtm
Hmm, so we'd then rely on any process doing concurrent writes to have initialized the labels on its own? I don't think that can really work longer term because it'd still be racy on things like the parent directory, right?

ISTM we need to move this logic out of ostree-remount.service into something that happens basically immediately after the systemd policy load.

Ah, digging in a bit I see there's /run/systemd/relabel-extra.d, I think all we need to do here is synthesize a variant of that in the transient-etc case that contains simply /etc.

I think that'd be equally easy and much more reliable, but I'm approving this PR as is as I think it will mostly work too.
/run/systemd/relabel-extra.d isn't good enough as-is, as doing so would cause a massive relabel of all of /etc, instead of the smarter approach of just relabeling the very few files that have a file in the upper.
Made a very minor change, there was a small typo in the comment

OK, right. So to fix this we'd need to extend That said, the other fix here is to also add Actually, I think we could split this logic out into something like its own distinct

Yeah, that's probably a good idea.

Tangentially related, we don't have CI coverage for the transient-etc case in this repo. Something on the list.

I'll work on this in a follow-on PR: ostree-relabel-etc.service

Although I can also put a Before=systemd-remount-fs.service in this PR also if it is requested

No, in this PR it needs to be

Pushing, sorry I meant that one, copy-pasted the wrong one in here, re-pushing in seconds
Ignore ENOENT error in selinux_restorecon to avoid failures when temporary files created by systemd-sysusers in /etc are missing during relabeling. This prevents errors such as: "Failed to relabel /etc/.#gshadowJzu4Rx: No such file or directory" and allows the process to continue. Co-Authored-By: Alexander Larsson <[email protected]> Signed-off-by: Eric Curtin <[email protected]>
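The behaviour the commit message describes, tolerating ENOENT for a file that vanished between enumeration and relabeling while still failing closed on every other error, as an added example in C that is not ostree's code. `relabel_paths`, `relabel_stats` and `fake_restorecon` are constructed stand-ins; the callback mirrors the 0 / -1-with-errno convention of libselinux's selinux_restorecon() so the loop can be exercised without linking libselinux, and the sample paths (including the `.#gshadowJzu4Rx` temp file from the commit message) are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Callback with the shape of libselinux's selinux_restorecon():
 * returns 0 on success, -1 with errno set on failure.
 * Injected so the loop can run without libselinux (assumed interface). */
typedef int (*relabel_fn)(const char *path, unsigned int flags);

struct relabel_stats {
    int relabeled;   /* paths relabeled successfully */
    int vanished;    /* paths that disappeared (ENOENT) and were skipped */
};

/* Relabel every path in `paths`.
 * ENOENT is tolerated: a concurrent writer such as systemd-sysusers creates
 * ".#name" temp files in /etc and renames them away, so a path seen during
 * enumeration may be gone by the time we relabel it, and there is nothing
 * left to label. Every other error (EACCES, EPERM, EROFS, EIO, ...) is a
 * real failure: return -1 with errno still set, so the caller does not
 * continue booting with a partially mislabeled /etc. */
int relabel_paths(const char *const *paths, size_t n, relabel_fn relabel,
                  struct relabel_stats *stats)
{
    stats->relabeled = 0;
    stats->vanished = 0;
    for (size_t i = 0; i < n; i++) {
        if (relabel(paths[i], 0) == 0) {
            stats->relabeled++;
            continue;
        }
        if (errno == ENOENT) {
            /* Temp file already renamed or unlinked: skip, keep going. */
            stats->vanished++;
            continue;
        }
        return -1;   /* hard error: stop, errno describes it */
    }
    return 0;
}

/* Constructed stand-in for selinux_restorecon(): treats systemd-style
 * ".#name" temp files as already gone and a file named "readonly" as
 * living on a read-only filesystem. */
static int fake_restorecon(const char *path, unsigned int flags)
{
    (void)flags;
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strncmp(base, ".#", 2) == 0) { errno = ENOENT; return -1; }
    if (strcmp(base, "readonly") == 0) { errno = EROFS; return -1; }
    return 0;
}

/* The race from the commit message: the sysusers temp file vanished. */
int demo_tolerant(struct relabel_stats *st)
{
    static const char *const paths[] = {
        "/etc/passwd", "/etc/.#gshadowJzu4Rx", "/etc/gshadow",
    };
    return relabel_paths(paths, 3, fake_restorecon, st);
}

/* A genuine failure must still abort the pass. */
int demo_hard_error(struct relabel_stats *st)
{
    static const char *const paths[] = {
        "/etc/passwd", "/etc/readonly", "/etc/group",
    };
    return relabel_paths(paths, 3, fake_restorecon, st);
}

int main(void)
{
    struct relabel_stats st;
    int rc = demo_tolerant(&st);
    printf("tolerant: rc=%d relabeled=%d vanished=%d\n", rc, st.relabeled, st.vanished);
    rc = demo_hard_error(&st);
    printf("hard error: rc=%d errno=%s relabeled=%d\n", rc, strerror(errno), st.relabeled);
    return 0;
}
```

The point of keeping the check narrow is that ENOENT is the only errno that means "there is nothing to label any more"; widening it to ignore all failures would let a permission or read-only-filesystem problem leave /etc mislabeled without anything noticing.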
@@ -25,7 +25,7 @@ After=-.mount var.mount | |||
After=systemd-remount-fs.service | |||
# But we run *before* most other core bootup services that need write access to /etc and /var | |||
Before=local-fs.target umount.target | |||
Before=systemd-random-seed.service plymouth-read-write.service systemd-journal-flush.service | |||
Before=systemd-random-seed.service plymouth-read-write.service systemd-journal-flush.service systemd-sysusers.service |
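Review bot: the new Before= line orders this unit ahead of systemd-sysusers.service while the unit already carries After=systemd-remount-fs.service and Before=local-fs.target umount.target a few lines up; if systemd-sysusers.service, or anything it pulls in, is itself ordered before one of those, systemd reports an ordering cycle at boot and deletes jobs to break it, which a green CI run will not surface. Check the combined graph on a booted image before merging (`systemd-analyze verify ostree-remount.service`, or `systemd-analyze dot --order ostree-remount.service systemd-sysusers.service` to see the edges), and extend the comment above the Before= lines to say why sysusers has to wait, since its `.#name` temp files in /etc are exactly what the relabel pass trips over.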
Hmm, this actually created an ordering cycle it looks like; my bad for not digging into this. I merged over red because we had other unrelated tests that were broken.