Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

manifest: label {,u}mount as install_exec_t to avoid selinux denials #1

Closed
wants to merge 1 commit into from
Closed

manifest: label {,u}mount as install_exec_t to avoid selinux denials #1

wants to merge 1 commit into from

Commits on Nov 27, 2023

  1. manifest: label {,u}mount as install_exec_t to avoid apparmor denials 

    When running osbuild inside a container created via the new
`osbuild-deploy-container` the selinux setup is interesting (and
different from a normal host).

Because the `/` inside the contains is mounted `nosuid` the main
osbuild binary is labeled with `install_exec_t` because with
`nosuid` the transition from `osbuild_t` to `install_t` is not
allowed. This works around the limitations of the container.

However when in `install_t` the transition to `mount_t` is not
allowed which leads to an selinux denial in the logs. The `install_t`
has all the privs needed so even with this transition failing
mount still works.

This commit labels `{,u}mount` with `install_exec_t` in the
buildroot now as well to avoid this error in the logs.

Open questions:
- is this *really* strictly only for the buildroot or could these
  hacked permissions somehow escape into a real image?
- why is the error from `install_t` -> `mount_t` not fatal?

Missing:
- some sort of integration test that ensures we can automatically
  test that the contains is free of denials.
    @mvo5
    mvo5 committed Nov 27, 2023
    Configuration menu
    Copy the full SHA
    0856522 View commit details
    Browse the repository at this point in the history