run as `install_t`
cgwalters opened this issue · comments
Colin Walters commented
Ah yes, this bites again 😢
```
$ error: Importing: Layer sha256:fef321502627eccb4eeabbc2ad0788e82c68e192d41b6677c4570202cadde69d: Importing object 23/a4d18c7b21b51a284dedd705c739584dcb690607ab831aa97bafee06f0482c.file: Processing content object 23a4d18c7b21b51a284dedd705c739584dcb690607ab831aa97bafee06f0482c: Writing content object: Setting xattrs: fsetxattr(security.selinux): Invalid argument
```
Today e.g. rpm-ostree runs as `install_t`, which lets it set unknown security contexts. We need to do the same...maybe hack in a quick `setexeccon()` or so.
Colin Walters commented
Alternatively...hmm, we may be able to just fork off the child `ostree commit` process as `install_t`.
Huijing Hei commented
Maybe we also need `install_t` for bootc?
```
[root@cosa-devsh release]# ls -Z /usr/bin/bootc
system_u:object_r:bin_t:s0 /usr/bin/bootc
[root@cosa-devsh release]# bootc switch --ostree-remote=fedora quay.io/fedora/fedora-coreos:stable
error: Verifying self is install_t SELinux domain: Detected SELinux enabled system, but the executing binary is not labeled install_exec_t
[root@cosa-devsh release]# chcon system_u:object_r:install_exec_t:s0 /usr/bin/bootc
[root@cosa-devsh release]# ls -Z /usr/bin/bootc
system_u:object_r:install_exec_t:s0 /usr/bin/bootc
[root@cosa-devsh ~]# bootc switch --ostree-remote=fedora quay.io/fedora/fedora-coreos:stable
...
Queued for next boot: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:stable
```
Colin Walters commented
Yep, exactly. So we need fedora-selinux/selinux-policy#1500 to ensure that the label is set correctly at the start.
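The thread discusses two mechanisms: checking that the executable carries the `install_exec_t` label so that an exec from an unconfined shell transitions into `install_t` (the check bootc's error message above reflects), and asking the kernel to run the next `execve()` in `install_t` via `setexeccon()`. The program below is an added example, not code from bootc, ostree or this issue; it uses only the kernel interfaces that libselinux wraps (the `security.selinux` xattr that `ls -Z` and `chcon` operate on, `/proc/self/attr/current`, and `/proc/self/attr/exec`, which is what `setexeccon()` writes). The label strings and type names are those from the thread; the function names and the `/proc` paths used here are this example's own choices, and writing `/proc/self/attr/exec` assumes a single-threaded caller.

```c
// Added example (not bootc/ostree code). Minimal re-creation of the
// "is my binary labeled install_exec_t?" check and of the setexeccon()
// approach, without linking libselinux.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Copy the type field (third colon-separated component) of a label such as
 * "system_u:object_r:install_exec_t:s0" into out. Returns 0 on success,
 * -1 if the label has fewer than three fields or the type does not fit. */
int label_type(const char *label, char *out, size_t outlen) {
    const char *p = label;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* 1 if the label's type field equals `type`, 0 otherwise (including
 * malformed labels). */
int label_has_type(const char *label, const char *type) {
    char t[64];
    if (label_type(label, t, sizeof t) != 0) return 0;
    return strcmp(t, type) == 0;
}

/* Read a /proc attr node into buf, dropping the trailing NUL/newline the
 * kernel appends. Returns the length, or -1 with errno set. */
static ssize_t read_attr(const char *path, char *buf, size_t buflen) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    int saved = errno;
    close(fd);
    if (n < 0) { errno = saved; return -1; }
    while (n > 0 && (buf[n - 1] == '\0' || buf[n - 1] == '\n')) n--;
    buf[n] = '\0';
    return n;
}

/* SELinux is treated as enabled when selinuxfs is mounted (assumption). */
int selinux_enabled(void) {
    return access("/sys/fs/selinux/enforce", F_OK) == 0;
}

/* The check from the thread: is the executable at `path` labeled
 * install_exec_t? Returns 1 if yes, 0 if labeled something else,
 * -1 if the xattr cannot be read (no such file, no SELinux xattr, ...). */
int binary_is_install_exec(const char *path) {
    char label[256];
    ssize_t n = lgetxattr(path, "security.selinux", label, sizeof label - 1);
    if (n < 0) return -1;
    label[n] = '\0';
    return label_has_type(label, "install_exec_t");
}

/* The setexeccon() approach: request that the next execve() run in
 * `context`. The policy must still permit the transition; the write can
 * succeed and the later execve() still fail with EACCES. Returns 0 or -1. */
int request_exec_domain(const char *context) {
    int fd = open("/proc/self/attr/exec", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, context, strlen(context) + 1);
    int saved = errno;
    close(fd);
    if (n < 0) { errno = saved; return -1; }
    return 0;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/usr/bin/bootc"; /* path from the thread */
    char cur[256];
    if (!selinux_enabled()) { puts("SELinux not enabled here"); return 0; }
    if (read_attr("/proc/self/attr/current", cur, sizeof cur) >= 0)
        printf("current domain: %s\n", cur);
    int r = binary_is_install_exec(path);
    if (r < 0) { perror("lgetxattr(security.selinux)"); return 1; }
    printf("%s is%s labeled install_exec_t\n", path, r ? "" : " not");
    if (!r && request_exec_domain("system_u:system_r:install_t:s0") != 0)
        perror("write /proc/self/attr/exec");
    return 0;
}
```

Run as root on an SELinux-enabled host to see the same `bin_t` vs `install_exec_t` outcome as the `ls -Z` session above; on a host without selinuxfs the program just reports that SELinux is not enabled.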