repo: Add an option to label /usr/etc as /etc #3063
Conversation
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
cgwalters
force-pushed
the
label-usretc-as-etc
branch
from
9e57bee
to
22471b5
Compare
|
I think this one is good to go, has a test case now. |
| case 0: | ||
| break; | ||
| case 1: | ||
| flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1; |
There was a problem hiding this comment.
A bit unsure about the epoch approach. Do you envision many more SELinux options that fall in the "clearly right, but needs ratcheting" category?
We could always add epochs later on that just combine the flags if that happens.
There was a problem hiding this comment.
Right the background for this is that today there's ostree admin init-fs --modern and I actually wanted to change the defaults there to do something else, and then it gets weird because it'd be need to be called like --really-modern or something 😄
You're probably right we wouldn't change things again (and if we did we'd probably arguably want to change the policy defaults).
But still, no harm done in making this a bit more future proof right?
There was a problem hiding this comment.
But still, no harm done in making this a bit more future proof right?
Just trying to keep out unnecessary complexity (YAGNI and all that). :)
But not strongly against.
cgwalters
force-pushed
the
label-usretc-as-etc
branch
from
22471b5
to
e788a4a
Compare
| case 0: | ||
| break; | ||
| case 1: | ||
| flags |= OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SELINUX_LABEL_V1; |
There was a problem hiding this comment.
But still, no harm done in making this a bit more future proof right?
Just trying to keep out unnecessary complexity (YAGNI and all that). :)
But not strongly against.
cgwalters
force-pushed
the
label-usretc-as-etc
branch
2 times, most recently
from
7b0ad02
to
198effb
Compare
This will be very useful for enabling a "transient /etc" option because we won't have to do hacks relabling in the initramfs, or forcing it on just for composefs.
cgwalters
force-pushed
the
label-usretc-as-etc
branch
from
198effb
to
81c0874
Compare
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
This will be very useful for enabling a "transient /etc" option because we won't have to do hacks relabling in the initramfs, or forcing it on just for composefs.