coreos / rpm-ostree

⚛📦 Hybrid image/package system with atomic upgrades and package layering
https://coreos.github.io/rpm-ostree

when selinux:false, rpm-ostree still looks for selinux policies and raises error #3261

Open zlind0 opened 2 years ago

zlind0 commented 2 years ago

Host system details: Fedora 33, rpm-ostree executed by the Fedora CoreOS assembler under its Docker image (quay.io/coreos-assembler/coreos-assembler)

We would like to build a minimal OS which excludes SELinux functionality. Our project is based on Fedora CoreOS; therefore, we use the Fedora CoreOS assembler. According to the documentation, we set selinux: false in the TREEFILE. However, while the CoreOS assembler executes this command:

rpm-ostree compose tree \
  --repo=/srv/tmp/repo \
  --touch-if-changed /srv/tmp/treecompose.changed \
  --cachedir=/srv/cache \
  --unified-core /srv/tmp/override/coreos-assembler-override-manifest.yaml \
  --cache-only \
  --add-metadata-from-json /srv/tmp/build/tmp/commit-metadata-input.json \
  --write-composejson-to /srv/tmp/compose.json \
  --ex-write-lockfile-to /srv/tmp/repo/tmp/manifest-lock.generated.x86_64.json.tmp \
  --ex-lockfile=/srv/src/config/manifest-lock.x86_64.json \
  --no-parent \
  --ex-lockfile=/srv/tmp/override/local-overrides.json

The error "SELinux enabled, but no policy found" is raised:

Writing rpmdb... done
error: Loading pkgcache branch rpmostree/pkg/libblkid/2.32.1-27.3.al8.x86__64: SELinux enabled, but no policy found

The expected behavior is that with selinux: false set, rpm-ostree doesn't look for any SELinux policies.

After looking into the code for days, we found that this patch solves the problem, but it is not likely to solve it fundamentally.

diff --color -ur rpm-ostree-2021.1/src/libpriv/rpmostree-core.cxx rpm-ostree-2021.1.new/src/libpriv/rpmostree-core.cxx
--- rpm-ostree-2021.1/src/libpriv/rpmostree-core.cxx    2021-12-03 13:48:20.179113126 +0800
+++ rpm-ostree-2021.1.new/src/libpriv/rpmostree-core.cxx    2021-12-03 13:49:18.261730774 +0800
@@ -1372,6 +1372,10 @@
   /* Init output here, since we have several early returns */
   *out_in_ostree = FALSE;
   /* If there's no sepolicy, then we always match */
+  gboolean selinux_switch;
+  g_variant_dict_lookup (self->spec->dict, "selinux", "b", &selinux_switch);
+  if (selinux_switch == FALSE)
+      sepolicy = NULL;
   *out_selinux_match = (sepolicy == NULL);

   /* NB: we're not using a pkgcache yet in the compose path */
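Review bot: `selinux_switch` can be read before it is written. The return value of `g_variant_dict_lookup (self->spec->dict, "selinux", "b", &selinux_switch)` is discarded, so when the treefile has no `selinux` key the variable is left uninitialized and `if (selinux_switch == FALSE)` compares indeterminate memory. Initialize it, e.g. `gboolean selinux_switch = TRUE;`, so that a missing key keeps the pre-patch behaviour, or branch on the lookup's return value instead. Also note that assigning `sepolicy = NULL` here only clears this function's local parameter; whatever loaded the policy for the compose still holds it, which matches the submitter's own remark that the patch does not fix the problem at its root. Minor: `sepolicy = NULL;` is indented six spaces under a two-space body.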

In other words, in src/libpriv/rpmostree-core.cxx:1363:

static gboolean
find_pkg_in_ostree (RpmOstreeContext *self,
                    DnfPackage     *pkg,
                    OstreeSePolicy *sepolicy,
                    gboolean       *out_in_ostree,
                    gboolean       *out_selinux_match,
                    GError        **error)
{
  /* ... */
  if (sepolicy)
    {
      if (!commit_has_matching_sepolicy (commit, sepolicy,
                                         out_selinux_match, error))
        return FALSE;
    }
  /* ... */

sepolicy should be NULL when selinux is set to false in the TREEFILE; however, it has some value. We have been frustrated looking for the specific place where sepolicy is set.

lucab commented 2 years ago

Hi and welcome! I'm not super-familiar with that specific option in the treefile, but I have a feeling that the sepolicy value may be coming from here: https://github.com/coreos/rpm-ostree/blob/06b70045a5a94a3fe83fc6f2cfc7a82fe25da1a8/src/app/rpmostree-compose-builtin-tree.cxx#L454-L458

But overall I think those if (selinux) checks may be misleading, as a non-NULL value does not mean there is a policy available. In other places, this is the more complete check that is performed to detect SELinux policy presence: https://github.com/coreos/rpm-ostree/blob/5ae5a8e7140536e143924721c6baeb7638de392a/src/libpriv/rpmostree-postprocess.cxx#L815

cgwalters commented 2 years ago

I think this is a dup of https://github.com/coreos/rpm-ostree/issues/971

It makes sense to support, just needs a bit of investigation and care - and a new entry to the CI flow. As I commented in the previous issue, supporting rpm-ostree in-container - which is now a high priority due to https://github.com/coreos/enhancements/blob/main/os/coreos-layering.md - would also motivate this.

jlebon commented 2 years ago

Short-term, it may be easier to leave it on during the compose but configure the OS to permissive mode.

cheese commented 2 years ago

I met the same issue when I tried to compose an image from CentOS Stream 9 packages: error: Sorting packages: Loading pkgcache branch rpmostree/pkg/acl/2.3.1-3.el9.x86__64: Failed to find metadata key rpmostree.sepolicy (signature s)

Host is Fedora 35 with rpm-ostree-2022.5-1.fc35.x86_64 and with SELinux set to permissive.

wanglmb commented 1 year ago

I met this issue as well.

duyiwei7w commented 3 months ago

I met this issue as well.

me too