anmazzotti
commented
4 months ago @davidcassany FYI on Tumbleweed a patterns-microos-selinux is available. I used it for the dev image.
Closed davidcassany closed 3 months ago
anmazzotti
commented
4 months ago @davidcassany FYI on Tumbleweed a patterns-microos-selinux is available. I used it for the dev image.
This PR uses SELinux in enforce mode for the active/passive systems and in permissive mode for recovery and ISO systems.
The elemental labelling code changed slightly, basically the change is that now it is also executed as part of the close transaction step once the new root is already rsynced. In addition it also tries to label from the outer system any eventual mountpoint that was labeled in a chroot env (
/dev,/proc,/sys, etc.).Current unsolved issues:
In github actions the host has SELinux enabled and relabeling the new root within a container turns to fail (see build disk and build iso logs in GH)... as a consequence the disk and iso images are not properly labeled, hence they are not really usabled in enforce mode. This does not happen in a host without the
container-selinuxpolicy module. This has impact on our capability to build ISOs and Disks inside a k8s cluster using unprivileged pods.Running upgrades from the recovery system (
elemental upgradecommand) is not functional if the target is in btrfs. There seams to be an issue with selinux labels when mounting the.snapshotssubvolume preventing snapper to properly operate. One option would be to rethink the btrfs snapshotter env in recovery mode, instead of mounting.snapshotsin<some/root>/.snapshotsjust use/.snapshotsso any eventual relabel is done with the appropriate path.Fixes #2054
Signed-off-by: David Cassany dcassany@suse.com