[rhcos-4.17] workaround selinux issues with osbuild #3886

Open: wants to merge 3 commits into base: rhcos-4.17

Commits on Sep 19, 2024

  1. vmdeps: add reset and clear to supermin VM

    These are extremely useful when dealing with a limited serial
    console to try to restore some order to the output.
    dustymabe authored and openshift-cherrypick-robot committed Sep 19, 2024
    48d6389
  2. workaround selinux issues with osbuild

    We have a few issues right now where files in our images
    don't have any selinux context (i.e. end up unlabeled_t).
    Here we work around the hidden mountpoints issue [1] with
    a patch to OSBuild to hardcode some chcon calls. We
    work around the "bunch of files under /sysroot are unlabeled"
    issue [2] by backporting a proposed upstream change to
    the org.osbuild.selinux stage [3] and then using it to
    explicitly set the context on the root of the tree to
    `root_t`. We also add a fix [4] for another issue where
    '/boot/coreos/platforms.json' would end up with the
    wrong label.
    
    [1] coreos/fedora-coreos-tracker#1771
    [2] coreos/fedora-coreos-tracker#1772
    [3] osbuild/osbuild#1889
    [4] osbuild/osbuild#1888
    dustymabe authored and openshift-cherrypick-robot committed Sep 19, 2024
    51bb6ef

Commits on Sep 26, 2024

  1. mantle: move kolet binary location to /usr/local/bin

    I'm writing a test that verifies files on the filesystem
    in CoreOS machines match the SELinux policy. Placing
    kolet in `/var/home/core/kolet` with a `bin_t` context
    is a violation of this. Let's use /usr/local/bin/. This
    has the side effect of the file having the right `bin_t`
    context as soon as it is created.
    
    (cherry picked from commit b076a72)
    dustymabe committed Sep 26, 2024
    8856e69