rpm-software-management / librepo

A library providing a C and Python (libcURL-like) API for downloading packages and Linux repository metadata in rpm-md format
http://rpm-software-management.github.io/librepo/
GNU Lesser General Public License v2.1

gpg: Check is_selinux_enabled() before trying to label #313

Closed cgwalters closed 2 months ago

cgwalters commented 4 months ago

The default for container execution is that /sys/fs/selinux is not mounted, and the libselinux library function is_selinux_enabled should be used to dynamically check if the system should attempt to perform SELinux labeling.

This is how it's done by rpm, ostree, and systemd for example.

But this code unconditionally tries to label if it finds a policy, which breaks in an obscure corner case when executed inside a container when we're not using overlayfs for the backend.
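The following is an added example, not part of the pull request and not librepo's code, showing how an on-disk policy check and a runtime check can disagree in the container case described above. The helper names, the sample paths and the statfs-based `selinuxfs_mounted()` are assumptions: it is a simplified stand-in for the runtime check, and real code should call `is_selinux_enabled()` from libselinux.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/vfs.h>

/* Same value as SELINUX_MAGIC in <linux/magic.h>. */
#define SELINUXFS_MAGIC 0xf97cff8cU

/* Static signal: SELinux files (config or policy) exist at this path. */
static bool policy_on_disk(const char *policy_path)
{
    struct stat st;
    return stat(policy_path, &st) == 0;
}

/* Runtime signal: a selinuxfs instance is mounted at mnt.
 * Hypothetical, simplified stand-in; real code should call
 * is_selinux_enabled() from libselinux instead of this helper. */
static bool selinuxfs_mounted(const char *mnt)
{
    struct statfs sfs;
    if (statfs(mnt, &sfs) != 0)
        return false;               /* e.g. path missing in a container */
    return (uint32_t)sfs.f_type == SELINUXFS_MAGIC;
}

/* Gate for labeling: the runtime state decides. Files on disk with no
 * mounted selinuxfs (the container default) mean "do not label". */
static bool should_label(const char *policy_path, const char *mnt)
{
    return policy_on_disk(policy_path) && selinuxfs_mounted(mnt);
}

int main(void)
{
    /* Sample paths chosen for illustration only. */
    const char *policy = "/etc/selinux/config";
    const char *mnt = "/sys/fs/selinux";

    printf("policy on disk:    %d\n", policy_on_disk(policy));
    printf("selinuxfs mounted: %d\n", selinuxfs_mounted(mnt));
    printf("attempt labeling:  %d\n", should_label(policy, mnt));
    return 0;
}
```

In a container image that ships SELinux files but has no selinuxfs mount, the first line prints 1 and the other two print 0, so labeling is skipped.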

cgwalters commented 4 months ago

Corresponding libdnf PR https://github.com/rpm-software-management/libdnf/pull/1665