Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

run as install_t #24

Closed
cgwalters opened this issue Dec 7, 2022 · 3 comments · Fixed by #30
Closed

run as install_t #24

cgwalters opened this issue Dec 7, 2022 · 3 comments · Fixed by #30

Comments

@cgwalters
Copy link
Collaborator

cgwalters commented Dec 7, 2022
edited

Ah yes, this bites again 😢

$ error: Importing: Layer sha256:fef321502627eccb4eeabbc2ad0788e82c68e192d41b6677c4570202cadde69d: Importing object 23/a4d18c7b21b51a284dedd705c739584dcb690607ab831aa97bafee06f0482c.file: Processing content object 23a4d18c7b21b51a284dedd705c739584dcb690607ab831aa97bafee06f0482c: Writing content object: Setting xattrs: fsetxattr(security.selinux): Invalid argument

Today e.g. rpm-ostree runs as install_t which lets it set unknown security contexts. We need to do the same...maybe hack in a quick setexeccon() or so.
@cgwalters
Copy link
Collaborator Author

Alternatively...hmm, we may be able to just fork off the child ostree commit process as install_t.

cgwalters added a commit to cgwalters/ostree-rs-ext that referenced this issue Dec 7, 2022
@cgwalters
Add a SELinux module with helper to verify install_t
a04576a 
This is a hack to help detect the situation in
containers/bootc#24

Ultimately, this whole issue makes it extremely hard
to expose a *library* interface to our users because the requirement
is infectious - they also need to be `install_t`.

Anyways for now, this new module will help at least detect
the situation.
@cgwalters cgwalters mentioned this issue Dec 7, 2022
Merged
@HuijingHei
Copy link

Maybe we also need install_t for bootc ?

[root@cosa-devsh release]# ls -Z /usr/bin/bootc
system_u:object_r:bin_t:s0 /usr/bin/bootc
[root@cosa-devsh release]# bootc switch --ostree-remote=fedora quay.io/fedora/fedora-coreos:stable
error: Verifying self is install_t SELinux domain: Detected SELinux enabled system, but the executing binary is not labeled install_exec_t

[root@cosa-devsh release]# chcon system_u:object_r:install_exec_t:s0 /usr/bin/bootc
[root@cosa-devsh release]# ls -Z /usr/bin/bootc
system_u:object_r:install_exec_t:s0 /usr/bin/bootc

[root@cosa-devsh ~]# bootc switch --ostree-remote=fedora quay.io/fedora/fedora-coreos:stable
...
Queued for next boot: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:stable

@cgwalters cgwalters mentioned this issue Dec 8, 2022
Merged
@cgwalters
Copy link
Collaborator Author

Yep, exactly. So we need fedora-selinux/selinux-policy#1500 to ensure that the label is set correctly at the start.

zpytela pushed a commit to fedora-selinux/selinux-policy that referenced this issue Dec 8, 2022
@cgwalters @zpytela
Make bootc be install_exec_t
3ce2708 
For the same reasons ostree and rpm-ostree are.
xref containers/bootc#24
@cgwalters cgwalters mentioned this issue Jan 23, 2023
Merged
zpytela pushed a commit to fedora-selinux/selinux-policy that referenced this issue Apr 15, 2024
@cgwalters @JurajMarcin
Make bootc be install_exec_t
0ca320b 
For the same reasons ostree and rpm-ostree are.
xref containers/bootc#24

Resolves: RHEL-19199
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add an install command cgwalters/bootc
2 participants
@cgwalters @HuijingHei