composepost: Add SELinux equivalency rule for /usr/lib/opt → /opt #4819
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When `/opt` packages get moved to `/usr/lib/opt`, they're not being labeled properly; they get the `lib_t` label instead of `usr_t` (or e.g. `bin_t` for `/opt/bin`). This apparently works for e.g. Google Chrome (for which the `/usr/lib/opt` translation was added). But with state overlays, the goal is to support all `/opt` packages and things will break without proper labeling. Add an equivalency rule so that `/usr/lib/opt` is labeled like `/opt. This fixes the SELinux issues that occur when layering Puppet in coreos#233 (comment). This should probably be upstreamed to SELinux (along with the `/usr/etc` equivalency rule just above). Side note: in the status quo model where `/opt` is a symlink to `/var/opt`, everything is *also* mislabeled (it gets `var_t`). To be conservative, we don't fix this since presumably this works right now for people writing files there via e.g. Ignition/cloud-init and anyway all that would go away if we move over to state overlays by default in the future.
cgwalters
approved these changes
Feb 6, 2024
|
Prow failing with Some other kind of "off by one rpm-ostree release" thing going on possibly there. Will investigate. |
Let's match CoreOS CI and also build RPMs here to not fall into issues relating to supermin relying on the rpmdb: coreos#4763 (comment) This implicitly reverts 1451675.
jlebon
force-pushed
the
pr/opt-relabel
branch
3 times, most recently
from
f1635e6
to
ba1b287
Compare
The Prow CI build job we have doesn't seem to keep the git remote around.
jlebon
force-pushed
the
pr/opt-relabel
branch
from
7e5a284
to
ab58750
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When
/optpackages get moved to/usr/lib/opt, they're not being labeled properly; they get thelib_tlabel instead ofusr_t(or e.g.bin_tfor/opt/bin).This apparently works for e.g. Google Chrome (for which the
/usr/lib/opttranslation was added). But with state overlays, the goal is to support all/optpackages and things will break without proper labeling.Add an equivalency rule so that
/usr/lib/optis labeled like `/opt. This fixes the SELinux issues that occur when layering Puppet in #233 (comment).This should probably be upstreamed to SELinux (along with the
/usr/etcequivalency rule just above).Side note: in the status quo model where
/optis a symlink to/var/opt, everything is also mislabeled (it getsvar_t). To be conservative, we don't fix this since presumably this works right now for people writing files there via e.g. Ignition/cloud-init and anyway all that would go away if we move over to state overlays by default in the future.