containers / bootc

Boot and upgrade via container images

Home Page: https://containers.github.io/bootc/


run as `install_t`

cgwalters opened this issue · comments

Ah yes, this bites again 😢

$ error: Importing: Layer sha256:fef321502627eccb4eeabbc2ad0788e82c68e192d41b6677c4570202cadde69d: Importing object 23/a4d18c7b21b51a284dedd705c739584dcb690607ab831aa97bafee06f0482c.file: Processing content object 23a4d18c7b21b51a284dedd705c739584dcb690607ab831aa97bafee06f0482c: Writing content object: Setting xattrs: fsetxattr(security.selinux): Invalid argument

Today e.g. rpm-ostree runs as install_t, which lets it set unknown security contexts. We need to do the same...maybe hack in a quick setexeccon() or so.

Alternatively...hmm, we may be able to just fork off the child ostree commit process as install_t.

Maybe we also need install_t for bootc?

[root@cosa-devsh release]# ls -Z /usr/bin/bootc
system_u:object_r:bin_t:s0 /usr/bin/bootc
[root@cosa-devsh release]# bootc switch --ostree-remote=fedora quay.io/fedora/fedora-coreos:stable
error: Verifying self is install_t SELinux domain: Detected SELinux enabled system, but the executing binary is not labeled install_exec_t

[root@cosa-devsh release]# chcon system_u:object_r:install_exec_t:s0 /usr/bin/bootc
[root@cosa-devsh release]# ls -Z /usr/bin/bootc
system_u:object_r:install_exec_t:s0 /usr/bin/bootc

[root@cosa-devsh ~]# bootc switch --ostree-remote=fedora quay.io/fedora/fedora-coreos:stable
...
Queued for next boot: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:stable

Yep, exactly. So we need fedora-selinux/selinux-policy#1500 to ensure that the label is set correctly at the start.
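The preflight check behind the "Verifying self is install_t SELinux domain" error in the transcript above, written out as an added example (not bootc's own code): it reads the current process domain from /proc/self/attr/current, reads the security.selinux xattr of the running executable, and reports the same mismatch bootc reported when /usr/bin/bootc was still bin_t. The decision function is assumed logic for illustration; the paths and xattr name are standard Linux/SELinux interfaces.

```python
import os
from typing import Optional

REQUIRED_DOMAIN = "install_t"          # domain that may set arbitrary file labels
REQUIRED_EXEC_TYPE = "install_exec_t"  # file type that transitions into install_t on exec


def context_type(ctx: str) -> str:
    """Return the type field of a SELinux context 'user:role:type[:level]'."""
    parts = ctx.strip("\0\n").split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return parts[2]


def selinux_enabled() -> bool:
    """selinuxfs is mounted (and exposes 'enforce') only when SELinux is active."""
    return os.path.exists("/sys/fs/selinux/enforce")


def current_domain() -> str:
    with open("/proc/self/attr/current") as f:
        return context_type(f.read())


def exe_label(path: str = "/proc/self/exe") -> str:
    """Type component of the binary's label, or 'unlabeled' if no xattr is present."""
    try:
        return context_type(os.getxattr(path, "security.selinux").decode())
    except OSError:
        return "unlabeled"


def check_install_domain(enabled: bool, domain: str, exe_type: str) -> Optional[str]:
    """Assumed decision logic: None means OK, otherwise a diagnostic string.

    Already in install_t: fine. Otherwise the executable must carry
    install_exec_t so that the policy transitions it into install_t on exec;
    a binary left as bin_t (as in the transcript) cannot get there.
    """
    if not enabled or domain == REQUIRED_DOMAIN:
        return None
    if exe_type != REQUIRED_EXEC_TYPE:
        return (f"SELinux enabled, but the executing binary is labeled {exe_type}, "
                f"not {REQUIRED_EXEC_TYPE}; relabel it (chcon ...:{REQUIRED_EXEC_TYPE}:s0) "
                f"or fix the file context in the policy")
    return None  # labeled correctly; the transition happens on the next exec


if __name__ == "__main__":
    enabled = selinux_enabled()
    dom = current_domain() if enabled else "n/a"
    print(check_install_domain(enabled, dom, exe_label()) or "ok")
```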