bootc install to-disk --disable-selinux does not disable selinux when the host has selinux disabled #303
Comments
Yeah, that check is wrong - it only works on Ubuntu where it's load bearing because they don't compile in support at all. OK so...this problem heavily overlaps with that of #302. Basically what we want to change here is replacing parsing That change alone is probably sufficient.
@bcrochet are you already working on this? If not I'd like to take a stab at it.
Sort of? I actually started on a different section of the code that will ensure that the selinuxfs is mounted inside the container. If you want to focus on the selinux_enabled check and getting that working properly, I'd appreciate that. Feel free to assign yourself to this issue as it's not directly tied to what I'm working on.
This ensures we handle the case where SELinux is compiled in the kernel (e.g. Fedora) but where it's disabled at runtime via selinux=0. fixes containers#303 Signed-off-by: ckyrouac <ckyrouac@redhat.com>
If the user disables SELinux, we should always honor that and not care about the host state. fixes: containers#303 Signed-off-by: ckyrouac <ckyrouac@redhat.com>
As a follow-on to containers#302, we want to also mount the selinuxfs special filesystem if the host also has that filesystem mounted. Related containers#303 Signed-off-by: Brad P. Crochet <brad@redhat.com>
The purpose of the --disable-selinux command is to enable the creation of an image with selinux enabled from a host with selinux disabled. On my Fedora 39 machine, when I set selinux to disabled or permissive, this selinux_enabled check still returns true. This results in an image with broken selinux that won't fully boot. Would checking the output of getenforce be more reliable?
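
The runtime states this issue turns on (disabled via selinux=0, selinuxfs mounted or not, permissive versus enforcing) can be told apart from kernel-exposed text, as in this added example, which is not bootc's code. It assumes the caller passes in the contents of /proc/cmdline, /proc/mounts and, when readable, /sys/fs/selinux/enforce; all type and function names are hypothetical.

```rust
// Added example, not bootc's implementation. Names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum SelinuxState {
    Disabled,
    Permissive,
    Enforcing,
}

/// True when the kernel command line turns SELinux off with `selinux=0`.
/// If the parameter is repeated, the last occurrence is the one used.
pub fn disabled_on_cmdline(cmdline: &str) -> bool {
    cmdline
        .split_whitespace()
        .filter_map(|tok| tok.strip_prefix("selinux="))
        .last()
        .map_or(false, |v| v == "0")
}

/// Mount point of selinuxfs in /proc/mounts-format text, if one is listed.
pub fn selinuxfs_mount(mounts: &str) -> Option<&str> {
    mounts.lines().find_map(|line| {
        let mut fields = line.split_whitespace();
        let (_dev, target, fstype) = (fields.next()?, fields.next()?, fields.next()?);
        (fstype == "selinuxfs").then_some(target)
    })
}

/// Combine the three signals into one runtime state.
pub fn runtime_state(cmdline: &str, mounts: &str, enforce: Option<&str>) -> SelinuxState {
    if disabled_on_cmdline(cmdline) || selinuxfs_mount(mounts).is_none() {
        return SelinuxState::Disabled;
    }
    match enforce.map(str::trim) {
        Some("1") => SelinuxState::Enforcing,
        Some("0") => SelinuxState::Permissive,
        // Assumption of this sketch: an unreadable or unexpected enforce
        // value is reported as Disabled rather than guessed at.
        _ => SelinuxState::Disabled,
    }
}

fn main() {
    // Constructed sample inputs, not captured from a real host.
    let mounts = "selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0\n";
    println!("{:?}", runtime_state("BOOT_IMAGE=/vmlinuz ro quiet", mounts, Some("0")));
    println!("{:?}", runtime_state("BOOT_IMAGE=/vmlinuz ro selinux=0", "", None));
}
```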