ostreedev / ostree

Operating system and container binary deployment and upgrades
https://ostreedev.github.io/ostree/

deploy: Don't copy xattrs for devicetree #3323

Closed cgwalters closed 1 month ago

cgwalters commented 1 month ago

xref: https://github.com/coreos/fedora-coreos-tracker/issues/1808

For the kernel/initramfs that we copy to /boot we use an explicit relabeling today, ignoring the source SELinux context.

When we added handling for devicetree it reused the copy_dir_recurse we have for etc handling, and that copied the source xattrs.

Let's ensure that the devicetree is also boot_t by not copying xattrs and relying on the default labeling.

cgwalters commented 1 month ago

Only compile tested so far

HuijingHei commented 1 month ago

Did testing on aarch64 with this patch; after finalize-staged, the /boot/ostree/fedora-coreos-*/dtb are labeled with boot_t.

with the patch:

$ sudo /usr/bin/ostree admin finalize-staged
$ sudo restorecon -vnr /boot/ostree/

without this patch:

$ sudo /usr/bin/ostree admin finalize-staged
$ sudo restorecon -vnr /boot/ostree/ | wc -l
1866
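
An added example, not part of the thread or of ostree's code: two shell functions that break down `restorecon -vnr` dry-run output by SELinux type, so a raw line count like the one above can be attributed to specific labels and to the dtb directories. It assumes the `Would relabel PATH from CTX to CTX` line format of restorecon's verbose dry-run mode; the sample lines, the `fedora-coreos-EXAMPLE` directory name and the `usr_t`/`etc_t` source types are constructed.

```shell
# Summarize `restorecon -vnr` dry-run output read on stdin.
# Assumed line format, one line per mislabeled file:
#   Would relabel PATH from USER:ROLE:TYPE:LEVEL to USER:ROLE:TYPE:LEVEL
# Prints "COUNT FROM_TYPE -> TO_TYPE" for each distinct pair of types.
summarize_relabels() {
    awk '
        $1 == "Would" && $2 == "relabel" {
            # Index contexts from the end: PATH may contain spaces.
            split($(NF - 2), from, ":")
            split($NF, to, ":")
            count[from[3] " -> " to[3]]++
        }
        END { for (pair in count) print count[pair], pair }
    ' | sort -k2
}

# Count entries at or below a deployment's dtb directory that would be
# relabeled to type $1 (boot_t is the label the PR expects there).
count_dtb_relabels() {
    awk -v want="$1" '
        $1 == "Would" && $2 == "relabel" && $3 ~ "^/boot/ostree/[^/]+/dtb(/|$)" {
            split($NF, to, ":")
            if (to[3] == want) n++
        }
        END { print n + 0 }
    '
}

# Constructed sample output (not captured from a real system).
sample_output() {
    cat <<'EOF'
Would relabel /boot/ostree/fedora-coreos-EXAMPLE/dtb from system_u:object_r:usr_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-EXAMPLE/dtb/vendor/board-a.dtb from system_u:object_r:usr_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-EXAMPLE/dtb/vendor/board-b.dtb from system_u:object_r:usr_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-EXAMPLE/other-file from system_u:object_r:etc_t:s0 to system_u:object_r:boot_t:s0
EOF
}

# On a real host: sudo restorecon -vnr /boot/ostree/ | summarize_relabels
sample_output | summarize_relabels
sample_output | count_dtb_relabels boot_t
```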