Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

really fix install_t in containers #83

Closed
cgwalters opened this issue Mar 21, 2023 · 4 comments
Closed

really fix install_t in containers #83

cgwalters opened this issue Mar 21, 2023 · 4 comments

Comments

@cgwalters
Copy link
Collaborator

I'm not sure if something changed here, or my code never actually worked but basically we currently fail to bootc install with unknown types.
cgwalters added a commit to cgwalters/bootc that referenced this issue Mar 21, 2023
@cgwalters
install: Fall back to setenforce 0 if needed
5a5124d 
I've opened containers#83
to track a better fix.
@cgwalters cgwalters mentioned this issue Mar 21, 2023
Merged
cgwalters added a commit to cgwalters/bootc that referenced this issue Mar 21, 2023
@cgwalters
install: Fall back to setenforce 0 if needed
41e61e4 
I've opened containers#83
to track a better fix.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this issue Mar 21, 2023
@cgwalters
install: Fall back to setenforce 0 if needed
be98634 
I've opened containers#83
to track a better fix.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this issue Mar 21, 2023
@cgwalters
install: Fall back to setenforce 0 if needed
600c64d 
I've opened containers#83
to track a better fix.

Signed-off-by: Colin Walters <[email protected]>
@akdev1l
Copy link

akdev1l commented Apr 24, 2023

I hit this bug while trying to create a bootc image based on Arch Linux

It seems that it can be worked around by disabling SELinux

@akdev1l
Copy link

akdev1l commented Apr 25, 2023

so we tried this on a fedora host with SELinux disabled and --disable-selinux flag.

This allowed us to skip the install_t issue when creating an bootc image from arch linux (they don't ship selinux policies so everything is unlabeled). However we ran into some problems.

We realized matchpathcon and chcon are both used even when selinux is disabled at the kernel level and --disable-selinux has been passed so the target installed system should not necessarily have labels (though I guess it is nice to have them in case the user wants to turn selinux on later, it seems the idea behind --disable-selinux is to support non-selinux enabled system)

We were able to patch this by simply overwriting the binaries, matchpathcon was hardcoded to output a specific selinux context and chcon was overwritten to be equal to /bin/true so both commands would succeed unconditionally. (we're trying not to touch bootc itself for now, just trying to make it work on a non-fedora system as proof of concept)

is this behaviour expected?

cgwalters added a commit to cgwalters/bootc that referenced this issue Apr 25, 2023
@cgwalters
install: Only invoke chcon if SELinux enabled in the source
e4052bf 
We shouldn't try to do any SELinux labeling if the source
doesn't have it.

xref containers#83
@cgwalters cgwalters mentioned this issue Apr 25, 2023
Merged
cgwalters added a commit to cgwalters/bootc that referenced this issue Apr 25, 2023
@cgwalters
install: Only invoke chcon if SELinux enabled in the source
afb4a21 
We shouldn't try to do any SELinux labeling if the source
doesn't have it.

xref containers#83

Signed-off-by: Colin Walters <[email protected]>
@cgwalters
Copy link
Collaborator Author

Thanks for the report; any chance you could test out #96 ?

cgwalters added a commit to cgwalters/bootc that referenced this issue Apr 25, 2023
@cgwalters
install: Only invoke chcon if SELinux enabled in the source
fede3b7 
We shouldn't try to do any SELinux labeling if the source
doesn't have it.

xref containers#83

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters mentioned this issue Nov 3, 2023
Closed
@cgwalters
Copy link
Collaborator Author

This should be fixed by #284

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cgwalters @akdev1l