coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

make /var/srv/containers labeled container_file_t:s0 by default #42

Open cgwalters opened 5 years ago

cgwalters commented 5 years ago

See https://pagure.io/atomic-wg/issue/505

dustymabe commented 5 years ago

do you mean /var/srv/containers as suggested by @rhatdan ?

dustymabe commented 5 years ago

I believe this should just be opening a PR to one of the repos under: https://github.com/fedora-selinux

mike-nguyen commented 5 years ago

I have these two PRs in flight. One for the creation of the directories and one for the proper selinux labeling https://src.fedoraproject.org/rpms/skopeo/pull-request/2 https://github.com/containers/container-selinux/pull/72

ondrejbudai commented 3 months ago

I randomly found this issue, and I think it's resolved for many years. :)

dustymabe commented 3 months ago

yeah, looks like it:

Fedora CoreOS 40.20240322.dev.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos

Last login: Fri Mar 22 14:55:38 2024
[core@cosa-devsh ~]$ 
[core@cosa-devsh ~]$ sudo mkdir /var/srv/containers
[core@cosa-devsh ~]$ sudo touch /var/srv/containers/foo
[core@cosa-devsh ~]$ restorecon -vn /var/srv/containers/foo 
Would relabel /var/srv/containers/foo from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_file_t:s0

jlebon commented 3 months ago

@dustymabe Though that output seems to indicate that the policy is missing a named transition rule.

dustymabe commented 3 months ago

maybe?? I guess you are saying the touch should have done the right thing without the restorecon? SELinux isn't among my strengths.

jlebon commented 3 months ago

Right, yeah. We shouldn't have to restorecon at all. The rule would basically say e.g. "creating a directory named containers in var_t should have label container_file_t".
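
The distinction above is between two mechanisms: the file-context database (what `restorecon` and `matchpathcon` consult, a regex-to-context table) and a named file transition in the loaded policy (in refpolicy terms a `filetrans_pattern` rule carrying a filename argument, which is the kind of rule container-selinux uses), which hands a newly created file its intended type at creation time so that no relabel is ever needed. A practical way to tell which of the two you have is exactly what the session above does: create fresh files, then dry-run `restorecon -vn` and see whether it wants to relabel anything. The script below is an added example, not code from this issue or from any of its participants; it parses that dry-run output and reports paths under a prefix whose creation-time type differs from the type the file-context database expects. The sample output is constructed in the shape of the line quoted in the thread (the second sample line and the `/var/srv/containers` prefix argument are assumptions for the example), and the `Relabeled` variant matches the non-dry-run form of the same message.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `restorecon -vn` (dry-run, verbose) output, in the
# shape shown in the thread: a directory created under /var/srv inherited
# the parent's var_t instead of container_file_t, and so did the file in it.
SAMPLE_RESTORECON_OUTPUT = """\
Would relabel /var/srv/containers from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_file_t:s0
Would relabel /var/srv/containers/foo from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:container_file_t:s0
"""

# restorecon prints "Would relabel ..." with -n and "Relabeled ..." without it.
RELABEL_LINE = re.compile(
    r"^(?:Would relabel|Relabeled) (?P<path>\S+) from (?P<current>\S+) to (?P<expected>\S+)$"
)


@dataclass(frozen=True)
class LabelDrift:
    path: str
    current_type: str   # type field of the context the file has right now
    expected_type: str  # type field the file-context database wants


def context_type(context: str) -> str:
    """Extract the type from an SELinux context 'user:role:type[:level]'."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]


def parse_restorecon(output: str) -> List[LabelDrift]:
    """Turn `restorecon -v` output into LabelDrift records; other lines are ignored."""
    drifts = []
    for line in output.splitlines():
        match = RELABEL_LINE.match(line.strip())
        if match is None:
            continue
        drifts.append(
            LabelDrift(
                path=match["path"],
                current_type=context_type(match["current"]),
                expected_type=context_type(match["expected"]),
            )
        )
    return drifts


def missing_transitions(drifts: List[LabelDrift], prefix: str, expected_type: str) -> List[str]:
    """Paths under `prefix` that exist with a type other than `expected_type`.

    Run right after creating fresh files under `prefix`, a non-empty result
    means the loaded policy has no named file transition for that path: the
    kernel fell back to inheriting the parent directory's type, and only the
    file-context regex (applied after the fact by restorecon) knows the
    intended label.
    """
    root = prefix.rstrip("/")
    return [
        d.path
        for d in drifts
        if (d.path == root or d.path.startswith(root + "/"))
        and d.expected_type == expected_type
        and d.current_type != expected_type
    ]


if __name__ == "__main__":
    found = parse_restorecon(SAMPLE_RESTORECON_OUTPUT)
    gaps = missing_transitions(found, "/var/srv/containers", "container_file_t")
    for path in gaps:
        print(f"no creation-time transition to container_file_t for {path}")
```

On a live host the input would come from `sudo restorecon -vn -R /var/srv/containers` piped into `parse_restorecon`; an empty result from `missing_transitions` after a fresh `mkdir`/`touch` is the behaviour the named transition rule is meant to guarantee, while a non-empty one reproduces the situation shown in the session above.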

dustymabe commented 3 months ago

@mike-nguyen want to make that PR since you made the other one?