
repo: Don't try to perform labeling if SELinux is disabled #1667

Merged
merged 1 commit into from Jun 24, 2024

Conversation

jan-kolarik (Member)

Clone of #1665 for RHEL 8.10.

The default for container execution is that `/sys/fs/selinux`
is not mounted, and the libselinux library function `is_selinux_enabled`
should be used to dynamically check if the system should attempt to perform SELinux labeling.

This is how it's done by rpm, ostree, and systemd for example.

But this code unconditionally tries to label if it finds a policy,
which breaks in an obscure corner case
when executed inside a container that includes policy files (e.g.
fedora/rhel-bootc) but when we're not using overlayfs for the backend
(with BUILDAH_BACKEND=vfs).
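The decision change this PR describes, as an added illustration that is not code from this project or from libselinux: `is_selinux_enabled()` in libselinux answers "is SELinux active right now", essentially by checking whether a selinuxfs mount exists, which a container normally lacks even when policy files sit on its filesystem. The stand-alone `selinuxfs_mounted` helper below reproduces that check against a constructed `/proc/mounts` table instead of the live system (assumption for offline use; real code should call the libselinux function), and the two `should_label_*` functions contrast the old "policy present" rule with the fixed "SELinux enabled and policy present" rule.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a selinuxfs entry appears in a /proc/mounts-style table.
 * Mirrors what libselinux's is_selinux_enabled() checks on the live
 * system; here the table text is passed in so it runs offline. */
int selinuxfs_mounted(const char *mounts)
{
    const char *line = mounts;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256], dev[64], mnt[128], fstype[32];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* /proc/mounts fields: device mountpoint fstype options ... */
            if (sscanf(buf, "%63s %127s %31s", dev, mnt, fstype) == 3 &&
                strcmp(fstype, "selinuxfs") == 0)
                return 1;
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Pre-fix rule from the PR description: label whenever a policy is found. */
int should_label_old(int policy_found, const char *mounts)
{
    (void)mounts;
    return policy_found;
}

/* Fixed rule: consult the runtime SELinux state before trusting the policy. */
int should_label_new(int policy_found, const char *mounts)
{
    return selinuxfs_mounted(mounts) && policy_found;
}

/* Constructed /proc/mounts excerpts (not captured from a real system). */
static const char *HOST_MOUNTS =
    "proc /proc proc rw,nosuid 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
static const char *CONTAINER_MOUNTS =
    "proc /proc proc rw,nosuid 0 0\n"
    "overlay / overlay rw,relatime 0 0\n";

int main(void)
{
    /* bootc-style image: policy files on disk but no selinuxfs mounted */
    printf("policy found in container: old=%d new=%d\n",
           should_label_old(1, CONTAINER_MOUNTS),
           should_label_new(1, CONTAINER_MOUNTS));
    return 0;
}
```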
@jan-kolarik jan-kolarik requested a review from ppisar June 19, 2024 11:34
@ppisar ppisar self-assigned this Jun 21, 2024
@ppisar ppisar (Contributor) left a comment


Good.

@ppisar ppisar merged commit 8eac755 into rhel-8.10 Jun 24, 2024
2 of 3 checks passed
@ppisar ppisar deleted the jkolarik/rhel-8.10-fix-selinux-labelling-vfs branch June 24, 2024 14:09