Only fail if selinux is in enforcing #6881
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Aug 7, 2022
Minion3665
pushed a commit
to Minion3665/nix
that referenced
this pull request
Feb 23, 2023
…properly Only fail if selinux is in enforcing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In #6639 (which was implemented because of issue #2374) a bug was introduced where the installer will fail even if SELinux is set to permissive. The check is explicitly checking if SELinux is disabled but this is not accurate. SELinux can have three states:
Disable means SELinux is not running at all.
Permissive means that SELinux is running, but it won't prevent any actions, even if they would be denied.
Enforcing means that SELinux is running and will deny any actions which don't match a rule.
In our environment we are required to have SELinux set to permissive, therefore, we are unable to install nix. Even though beforehand we were able too. I've worked around this by manually downloading the install bundle and then changing the check, but I thought I would also update the repo to prevent other people having this problem.
It's not right to mandate that SELinux should be disabled because this prevents the file system from getting the right file contexts applied. Which means if a SysAdmin wants to ever go back to enforcing this becomes a lot harder. Whereas, with SELinux set to permissive the file system still keeps it's contexts etc.
The real solution would be to provide SELinux rules for the application, but I understand at this current time that is not feasible.
I have checked on my fedora system and the install will now continue if SELinux is set to Disabled or Permissive, but will show the same error as in #6639 if the system is set to enforcing.
Many Thanks,
Tom Franklin.