initrd-setup-root: Process all tmpfile configs #143
Conversation
| @@ -32,3 +31,7 @@ fi | |||
| if [ -d /usr/share/oem ] && mountpoint --quiet /sysroot/usr/share/oem; then | |||
| cp -Ra /usr/share/oem/. /sysroot/usr/share/oem | |||
| fi | |||
|
|
|||
| # Add SELinux labels to files. | |||
| setfiles -F /sysroot/usr/lib/selinux/mcs/contexts/files/file_contexts /sysroot/ | |||
There was a problem hiding this comment.
Is this safe to do unconditionally? Won't this change labels that users have manually set?
There was a problem hiding this comment.
I'm still looking into this, but yes, I think you are correct. We need to somehow arrange for all files created in the initramfs to have the proper SELinux labels, and this was to handle that. Some related info is here: coreos/bugs#2417
There was a problem hiding this comment.
@dm0- I put this relabeling in to cover the Root on Raid case. Initially there were AVC dened messages without this relabeling, and the kola Root on Raid test was failing. After some recent investigation though I found that things work without it. Maybe due to the update of systemd.
With Root on Raid the rootfs is created above by running systemd-tmpfiles. At that time in the boot it seems the SELinux policy is not available, so systemd-tmpfiles does not make the correct labels, but later in the boot systemd runs systemd-tmpfiles again, and at that time the SELinux policy is available. Since these tmpfile configs are in a 'standard' location they are re-processed and the correct labels get created.
| @@ -12,7 +12,6 @@ systemd-tmpfiles --root=/sysroot --create \ | |||
| baselayout-home.conf etc.conf etc-shadow.conf | |||
|
|
|||
| # Not all images provide these files so check before using them. | |||
| # Note: selinux-base.conf must run before libsemanage.conf | |||
| for config in baselayout-ldso.conf selinux-base.conf libsemanage.conf; do | |||
There was a problem hiding this comment.
Do these still need to be conditional after SELinux is enabled for arm64? (I don't see any baselayout-ldso.conf file, so maybe that can just be removed.)
There was a problem hiding this comment.
I'll remove baselayout-ldso.conf and change it to just run them all unconditionally.
All build targets should now have the same tmpfile configs, so remove the conditional processing. libsemanage.conf now creates the directory it needs, so remove the comment here regarding a dependency on selinux-base.conf. Signed-off-by: Geoff Levand <geoff@infradead.org>
|
Rebased to latest, removed setting any SEL labels, changed to run systemd-tmpfiles on all tmpfile configs. |
glevand
changed the title
Needed by the other Update selinux support PRs: coreos/portage-stable#654 and coreos/coreos-overlay#3155.