prepare.sh: label osbuild,setfiles "correctly" in the container #16
Commits on Nov 27, 2023
-
prepare.sh: label osbuild,setfiles "correctly" in the container
When running osbuild inside a container the selinux setup is slightly different from a non container setup: Inside the container all files under "/" in the overlayfs have the label `system_u:object_r:container_files_t`. This includes `/usr/bin/osbuild` and `/usr/sbin/setfiles`. Because the container is using an overlayfs the files cannot directly relabled under "/" with the correct selinux labels. This is why `prepare.sh` creates a tmpfs and relabels there and bind mounts back. This commit tweaks this mechanism now to create labels that are closer to a real selinux system. I.e. it will: 1. label /usr/bin/osbuild as `osbuild_exec_t` 2. label /usr/sbin/setfiles as `setfiles_exec_t` With that the normal transition rules work, i.e. osbuild_exec_t can transition to mount_t and when setfiles is called it will automatically use `setfiles_exec_t`.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.