manifests: set proper SELinux labels for '/boot/efi' and '/boot/lost+found' #3912
Conversation
nikita-dubrovskii
force-pushed
the
issues_1877
branch
from
4480ede to
3327d6c
Compare
|
nice. I'll check it out! |
nikita-dubrovskii
force-pushed
the
issues_1877
branch
5 times, most recently
from
30e4814 to
1c188e0
Compare
|
I was playing around with this trying to use |
Do you have patch somewhere to check? |
nikita-dubrovskii
force-pushed
the
issues_1877
branch
from
1c188e0 to
b228d0d
Compare
|
@dustymabe indeed there was a small issue, now that fixed. I've added patch with |
nikita-dubrovskii
force-pushed
the
issues_1877
branch
2 times, most recently
from
322cfd5 to
11db312
Compare
|
added a few commits on top (the first one can be squashed into one of yours if you agree it adds value). Let me know what you think! |
|
LGTM, thx for your commits! |
nikita-dubrovskii
force-pushed
the
issues_1877
branch
2 times, most recently
from
60e36e9 to
3790fde
Compare
nikita-dubrovskii
force-pushed
the
issues_1877
branch
2 times, most recently
from
2ea5590 to
cc127c8
Compare
…found' Issue: osbuild/osbuild#1877 Co-authored-by: Dusty Mabe <[email protected]>
This allows us to use the policy rather than hardcoding labels to set on the mountpoints. The unfortunate thing here is that in order to pick up a policy easily we have to use the `build` pipeline where the files are written out plainly and we don't have to find where the OSTree deployment is. I say unfortunate because right now for FCOS the `build` pipeline was getting skipped because we weren't using it for anything else, but now we'll be forced to build it. That's OK I think, because we really want to start using a non-host (i.e. non-COSA) buildroot for FCOS too if we can ever convince the team/community to get python into it. This commit also adds a comment to explain the "why" for the mkdir and two selinux stages.
| options: | ||
| uuid: random | ||
| label: | ||
| mpp-format-string: '{sd_fs_label}' |
There was a problem hiding this comment.
missing the mkdir here that the other platforms have to create /boot directory
There was a problem hiding this comment.
ok I fixed this in a new push
| # We've created the filesystems. Now let's create the mountpoints (directories) | ||
| # on the filesystems and label them with appropriate SELinux labels. The labeling | ||
| # will happen once with just the root filesystem mounted and once with the boot | ||
| # filesystem mounted too (to make sure we get all potentially hidden mountpoints). | ||
| # https://github.com/coreos/fedora-coreos-tracker/issues/1771 |
There was a problem hiding this comment.
This comment doesn't match the others exactly. That was my mistake. I'll fix it.
dustymabe
force-pushed
the
issues_1877
branch
from
cc127c8 to
d0f9112
Compare
3 participants
Issue: osbuild/osbuild#1877
ostree PRs: