lsm: Make setenforce 0 fallback require BOOTC_SETENFORCE0_FALLBACK
We shouldn't perform global system mutation without an opt-in.
As painful as it is.
Signed-off-by: Colin Walters walters@verbum.org
lsm: Test if we have install_t capability
Hardcoding install_t is a bit ugly; maybe at some point things change so that spc_t has install_t privileges. Let's do a runtime check if we can set an invalid label; if so then we're good.
Signed-off-by: Colin Walters walters@verbum.org
lsm: Make a not-nosuid /tmp
This was the thing that was breaking our unconfined_t -> install_t transition; the host /tmp is nosuid. It simplifies things here to just make our own, so do that.
Signed-off-by: Colin Walters walters@verbum.org
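
The last commit message attributes the broken transition to a nosuid /tmp. The following is an added example, not code from this pull request: a check for whether the mount containing a helper's path carries `nosuid`, done by parsing mountinfo text. The sample mount table, the path `/run/demo-install/tmp` and the function names are constructed for illustration.

```rust
use std::path::Path;

// Constructed sample in /proc/self/mountinfo format (not from the PR).
const SAMPLE: &str = "\
22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/root rw
35 22 0:31 / /tmp rw,nosuid,nodev shared:17 - tmpfs tmpfs rw
60 22 0:45 / /run/demo-install/tmp rw,relatime - tmpfs tmpfs rw
";

struct Mount<'a> {
    mount_point: &'a str,
    options: Vec<&'a str>,
}

// Field 5 (index 4) is the mount point, field 6 the per-mount options (proc(5)).
// Octal escapes such as \040 in mount points are not decoded here.
fn parse_mountinfo(text: &str) -> Vec<Mount<'_>> {
    text.lines()
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 6 {
                return None;
            }
            Some(Mount { mount_point: f[4], options: f[5].split(',').collect() })
        })
        .collect()
}

// The mount containing `path` is the longest mount point that is a
// component-wise prefix; on a tie the later entry wins (mounted on top).
fn is_nosuid(mounts: &[Mount<'_>], path: &str) -> Option<bool> {
    let mut best: Option<&Mount> = None;
    for m in mounts {
        let longer = best.map_or(true, |b| m.mount_point.len() >= b.mount_point.len());
        if Path::new(path).starts_with(m.mount_point) && longer {
            best = Some(m);
        }
    }
    best.map(|m| m.options.contains(&"nosuid"))
}

fn main() {
    let mounts = parse_mountinfo(SAMPLE);
    for p in ["/tmp/helper", "/run/demo-install/tmp/helper"] {
        println!("{p}: nosuid={:?}", is_nosuid(&mounts, p));
    }
}
```

On a live system the same functions can be fed the contents of `/proc/self/mountinfo` instead of the constructed sample.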