bootc install to-disk --disable-selinux does not disable selinux when the host has selinux disabled #303

Closed
ckyrouac opened this issue Feb 8, 2024 · 3 comments · Fixed by #340
Comments

ckyrouac (Contributor) commented Feb 8, 2024

The purpose of the --disable-selinux command is to enable the creation of an image with selinux enabled from a host with selinux disabled. On my Fedora 39 machine, when I set selinux to disabled or permissive, this selinux_enabled check still returns true. This results in an image with broken selinux that won't fully boot. Would checking the output of getenforce be more reliable?

cgwalters (Collaborator) commented:
Yeah, that check is wrong - it only works on Ubuntu where it's load bearing because they don't compile in support at all.

OK so...this problem heavily overlaps with that of #302

Basically what we want to change here is replacing parsing /proc/filesystems with checking for /proc/1/root/sys/fs/selinux.

That change alone is probably sufficient.
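To make the proposed probe concrete, here is an added example (written for this page, not bootc's own code) that replaces a `/proc/filesystems` scan with a check for a live selinuxfs under a given root, and layers the `--disable-selinux` decision on top of it. The names `selinux_state` and `decide_target_selinux` are this example's own; so is the choice to treat an SELinux-disabled host without the flag as a hard error rather than silently producing an unlabeled image. The `enforce` node is the same file `getenforce` reads. In real use the root would be `/proc/1/root` so the check sees PID 1's mount namespace rather than the container's.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// What the selinuxfs probe found on the host.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SelinuxState {
    /// No usable selinuxfs: SELinux not compiled in, or booted with selinux=0.
    Disabled,
    /// selinuxfs is mounted and `enforce` reads 0.
    Permissive,
    /// selinuxfs is mounted and `enforce` reads 1.
    Enforcing,
}

/// Probe SELinux state from the selinuxfs mount under `root`.
///
/// Parsing /proc/filesystems only says whether the kernel *can* do SELinux;
/// Fedora compiles it in, so that test stays true after booting with
/// selinux=0. The kernel only registers the /sys/fs/selinux mount point when
/// the LSM is actually active, so its presence (plus a readable `enforce`
/// node) is the reliable signal. Pass `/proc/1/root` so the check looks at
/// PID 1's mount namespace rather than the container's own.
pub fn selinux_state(root: &Path) -> io::Result<SelinuxState> {
    let selinuxfs = root.join("sys/fs/selinux");
    let enforce = selinuxfs.join("enforce");
    // An empty /sys/fs/selinux directory (e.g. a bind mount with no selinuxfs
    // behind it) also counts as "disabled": require the enforce node itself.
    if !selinuxfs.is_dir() || !enforce.is_file() {
        return Ok(SelinuxState::Disabled);
    }
    match fs::read_to_string(&enforce)?.trim() {
        "1" => Ok(SelinuxState::Enforcing),
        "0" => Ok(SelinuxState::Permissive),
        other => Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("unexpected value in {}: {other:?}", enforce.display()),
        )),
    }
}

/// Decide whether the target image gets SELinux labeling.
///
/// `disable_selinux` is the user's explicit `--disable-selinux`; it wins
/// unconditionally, whatever the host is doing. Without it, labeling needs a
/// live selinuxfs on the host, so (assumption of this example) a disabled host
/// is an error rather than a silent fallback to an unlabeled, unbootable image.
pub fn decide_target_selinux(disable_selinux: bool, host: SelinuxState) -> Result<bool, String> {
    if disable_selinux {
        return Ok(false);
    }
    match host {
        SelinuxState::Disabled => Err(
            "host has SELinux disabled; cannot label the target, pass --disable-selinux".to_string(),
        ),
        SelinuxState::Permissive | SelinuxState::Enforcing => Ok(true),
    }
}

fn main() {
    // Prefer PID 1's view of the filesystem; fall back to our own root.
    let root = if Path::new("/proc/1/root/sys").is_dir() { "/proc/1/root" } else { "/" };
    match selinux_state(Path::new(root)) {
        Ok(state) => println!("host SELinux ({root}): {state:?}"),
        Err(e) => eprintln!("probe failed: {e}"),
    }
}
```

Running this on a Fedora host booted with `selinux=0` returns `Disabled` even though `/proc/filesystems` still lists `selinuxfs`, which is exactly the case the original check got wrong; on a permissive host it returns `Permissive`, which is still enough to label the target.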

@bcrochet bcrochet self-assigned this Feb 12, 2024
ckyrouac (Contributor, Author) commented:
@bcrochet are you already working on this? If not I'd like to take a stab at it.

bcrochet (Contributor) commented:

> @bcrochet are you already working on this? If not I'd like to take a stab at it.

Sort of? I actually started on a different section of the code that will ensure that the selinuxfs is mounted inside the container. If you want to focus on the selinux_enabled check and getting that working properly, I'd appreciate that.

Feel free to assign yourself to this issue as it's not directly tied to what I'm working on.

@ckyrouac ckyrouac assigned ckyrouac and unassigned bcrochet Feb 13, 2024
ckyrouac added a commit to ckyrouac/bootc that referenced this issue Feb 14, 2024
This ensures we handle the case where SELinux is compiled in the kernel
(e.g. Fedora) but where it's disabled at runtime via selinux=0.

fixes containers#303

Signed-off-by: ckyrouac <ckyrouac@redhat.com>
ckyrouac added a commit to ckyrouac/bootc that referenced this issue Feb 14, 2024
If the user disables SELinux, we should always honor that and not care
about the host state.

fixes: containers#303

Signed-off-by: ckyrouac <ckyrouac@redhat.com>
bcrochet added a commit to bcrochet/bootc that referenced this issue Feb 14, 2024
As a follow-on to containers#302, we want to also mount the selinuxfs special
filesystem if the host also has that filesystem mounted.

Related containers#303

Signed-off-by: Brad P. Crochet <brad@redhat.com>