diff --git a/build.sh b/build.sh
index 9ec701a0b9..5752c4edd1 100755
--- a/build.sh
+++ b/build.sh
@@ -173,7 +173,11 @@ patch_osbuild() {
 mv /usr/bin/osbuild-mpp /usr/lib/osbuild/tools/
 
 # Now all the software is under the /usr/lib/osbuild dir and we can patch
- patch -d /usr/lib/osbuild -p1 < /usr/lib/coreos-assembler/0001-hacks-for-coreos-selinux-issues.patch
+ cat /usr/lib/coreos-assembler/0001-parsing-add-parse_location_into_parts.patch \
+ /usr/lib/coreos-assembler/0002-parsing-treat-locations-without-scheme-as-belonging-.patch \
+ /usr/lib/coreos-assembler/0003-org.osbuild.selinux-support-operating-on-mounts.patch \
+ /usr/lib/coreos-assembler/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch \
+ | patch -d /usr/lib/osbuild -p1
 
 # And then move the files back; supermin appliance creation will need it back
 # in the places delivered by the RPM.
diff --git a/src/0001-hacks-for-coreos-selinux-issues.patch b/src/0001-hacks-for-coreos-selinux-issues.patch
deleted file mode 100755
index 449e365e5e..0000000000
--- a/src/0001-hacks-for-coreos-selinux-issues.patch
+++ /dev/null
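Review bot: The new `cat … | patch -d /usr/lib/osbuild -p1` pipeline reports only patch's exit status, so a missing or unreadable file in the `cat` list goes unnoticed unless build.sh already sets `pipefail` (the script's `set` options are outside this hunk), and patch would then apply a truncated series while the build carries on with partially patched osbuild sources. Applying the four files one at a time keeps every failure attributable to one patch and needs no shell option: `for p in /usr/lib/coreos-assembler/000{1,2,3,4}-*.patch; do patch -d /usr/lib/osbuild -p1 < "$p"; done`. If the pipeline form is kept, a `set -o pipefail` near the top of the script is the minimum. The `patch_osbuild` function starts and ends outside the hunk.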
@@ -1,44 +0,0 @@ -From 9faf7e2566cd9460ac51ff508c192bdc839ad2ef Mon Sep 17 00:00:00 2001 -From: Dusty Mabe -Date: Tue, 17 Sep 2024 12:27:37 -0400 -Subject: [PATCH 3/3] hacks for coreos selinux issues - -context in https://github.com/coreos/fedora-coreos-tracker/issues/1771#issuecomment-2348607969 ---- - osbuild/mounts.py | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/osbuild/mounts.py b/osbuild/mounts.py -index 42b556ba..9b6c0804 100644 ---- a/osbuild/mounts.py -+++ b/osbuild/mounts.py -@@ -178,7 +178,12 @@ class FileSystemMountService(MountService): - - options = self.translate_options(options) - -- os.makedirs(mountpoint, exist_ok=True) -+ if not os.path.exists(mountpoint): -+ os.makedirs(mountpoint) -+ # Tactical fix for https://github.com/coreos/fedora-coreos-tracker/issues/1771 -+ if target == '/boot' or target == "/boot/efi": -+ subprocess.run(["chcon", "-v", "-t", 'boot_t', mountpoint], check=True) -+ - self.mountpoint = mountpoint - - print(f"mounting {source} -> {mountpoint}") -@@ -198,6 +203,12 @@ class FileSystemMountService(MountService): - msg = e.stdout.strip() - raise RuntimeError(f"{msg} (code: {code})") from e - -+ # Tactical fix for https://github.com/coreos/fedora-coreos-tracker/issues/1771 -+ # After the mount, let's make sure the lost+found directory has the right label -+ lostfounddir = os.path.join(mountpoint, 'lost+found') -+ if os.path.exists(lostfounddir): -+ subprocess.run(["chcon", "-v", "-t", 'lost_found_t', lostfounddir], check=True) -+ - self.check = True - return mountpoint - --- -2.46.0 - diff --git a/src/0001-parsing-add-parse_location_into_parts.patch b/src/0001-parsing-add-parse_location_into_parts.patch new file mode 100644 index 0000000000..6e8b6b969f --- /dev/null +++ b/src/0001-parsing-add-parse_location_into_parts.patch 
@@ -0,0 +1,68 @@ +From 077244e3b9f4a3ba46244a1b3e056cb70609e265 Mon Sep 17 00:00:00 2001 +From: Nikita Dubrovskii +Date: Fri, 18 Oct 2024 12:28:32 +0200 +Subject: [PATCH 1/4] parsing: add parse_location_into_parts + +New fucntion returns tuple of 'root' and relative 'file path', which could be +useful in contexts, where knowing 'root' is required, for example setting +selinux labels. +--- + osbuild/util/parsing.py | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/osbuild/util/parsing.py b/osbuild/util/parsing.py +index f8fb2768..f75ffd67 100644 +--- a/osbuild/util/parsing.py ++++ b/osbuild/util/parsing.py +@@ -2,7 +2,7 @@ + + import os + import re +-from typing import Dict, Union ++from typing import Dict, Tuple, Union + from urllib.parse import ParseResult, urlparse + + +@@ -72,9 +72,9 @@ def parse_input(url: ParseResult, args: Dict) -> os.PathLike: + return root + + +-def parse_location(location: str, args: Dict) -> str: ++def parse_location_into_parts(location: str, args: Dict) -> Tuple[str, str]: + """ +- Parses the location URL to derive the corresponding file path. ++ Parses the location URL to derive the corresponding root and url path. + + Parameters: + - location (str): The location URL to be parsed. +@@ -97,11 +97,24 @@ def parse_location(location: str, args: Dict) -> str: + if not url.path.startswith("/"): + raise ValueError(f"url.path from location must start with '/', got: {url.path}") + +- path = os.path.relpath(url.path, "/") ++ return root, url.path ++ ++ ++def parse_location(location: str, args: Dict) -> str: ++ """ ++ Parses the location URL to derive the corresponding file path. ++ ++ Parameters: ++ - location (str): The location URL to be parsed. 
++ - args (Dict): A dictionary containing arguments including mounts and ++ path information as passed by osbuild.api.arguments() ++ """ ++ ++ root, urlpath = parse_location_into_parts(location, args) ++ path = os.path.relpath(urlpath, "/") + path = os.path.join(root, path) + path = os.path.normpath(path) +- +- if url.path.endswith("/"): ++ if urlpath.endswith("/"): + path = os.path.join(path, ".") + + return path +-- +2.47.0 + diff --git a/src/0002-parsing-treat-locations-without-scheme-as-belonging-.patch b/src/0002-parsing-treat-locations-without-scheme-as-belonging-.patch new file mode 100644 index 0000000000..ef7680507e --- /dev/null +++ b/src/0002-parsing-treat-locations-without-scheme-as-belonging-.patch 
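Review bot: `parse_location_into_parts` returns `url.path` after checking only that it starts with `/`, so `..` components survive into the callers' `os.path.join`/`os.path.normpath` and can resolve to a path outside `root`; the old `parse_location` body had the same gap, but the new helper now hands the raw path to any further caller (the selinux stage in patch 0003 builds paths from it). One check before `return root, url.path` closes it for every caller: `if ".." in url.path.split("/"): raise ValueError(f"url.path must not contain '..' components, got: {url.path}")`. The docstring describes the result only as "root and url path"; add a `Returns:` entry such as `(root, urlpath): root is the directory the scheme resolved to, urlpath the absolute path inside it`. The scheme-to-root resolution sits outside the inner hunk's context, so whether another scheme normalises the path earlier cannot be seen here.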
@@ -0,0 +1,55 @@ +From 6a59e740e4ccb761f9d87c2c6f837fa748908a90 Mon Sep 17 00:00:00 2001 +From: Nikita Dubrovskii +Date: Mon, 28 Oct 2024 11:20:23 +0100 +Subject: [PATCH 2/4] parsing: treat locations without scheme as belonging to + 'tree://' + +--- + osbuild/util/parsing.py | 6 +++++- + stages/org.osbuild.mkdir | 9 +++------ + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/osbuild/util/parsing.py b/osbuild/util/parsing.py +index f75ffd67..d6d16f22 100644 +--- a/osbuild/util/parsing.py ++++ b/osbuild/util/parsing.py +@@ -77,11 +77,15 @@ def parse_location_into_parts(location: str, args: Dict) -> Tuple[str, str]: + Parses the location URL to derive the corresponding root and url path. + + Parameters: +- - location (str): The location URL to be parsed. ++ - location (str): The location URL to be parsed. If the URL has no scheme, ++ then 'tree://' is implied + - args (Dict): A dictionary containing arguments including mounts and + path information as passed by osbuild.api.arguments() + """ + ++ if "://" not in location: ++ location = f"tree://{location}" ++ + url = urlparse(location) + + scheme = url.scheme +diff --git a/stages/org.osbuild.mkdir b/stages/org.osbuild.mkdir +index d2d11a7a..01f5f431 100755 +--- a/stages/org.osbuild.mkdir ++++ b/stages/org.osbuild.mkdir +@@ -15,12 +15,9 @@ def main(args): + parents = item.get("parents", False) + exist_ok = item.get("exist_ok", False) + +- if "://" not in path: +- if not path.startswith("/"): +- print("WARNING: relative path used, this is discouraged!") +- path = f"tree:///{path}" +- else: +- path = f"tree://{path}" ++ if "://" not in path and not path.startswith("/"): ++ print("WARNING: relative path used, this is discouraged!") ++ path = f"tree:///{path}" + + target = parsing.parse_location(path, args) + if parents: +-- +2.47.0 + 
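Review bot: The new `if "://" not in location: location = f"tree://{location}"` in `parse_location_into_parts` turns a scheme-less relative path such as `etc/foo` into `tree://etc/foo`, which `urlparse` splits into netloc `etc` and path `/foo`; the later `startswith("/")` check then passes and the first component is silently dropped (assuming the tree branch does not inspect `url.netloc`, which is outside this hunk). The `org.osbuild.mkdir` change keeps its own warning-and-prefix handling, so that stage is unaffected, but every other caller of the helper now gets this quiet truncation instead of an error. Rejecting non-absolute input before prefixing keeps the helper strict: `if not location.startswith("/"): raise ValueError(f"location without scheme must be absolute, got: {location}")` placed ahead of the existing prefix line. The docstring sentence `If the URL has no scheme, then 'tree://' is implied` should state the absolute-path requirement as well.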
diff --git a/src/0003-org.osbuild.selinux-support-operating-on-mounts.patch b/src/0003-org.osbuild.selinux-support-operating-on-mounts.patch new file mode 100644 index 0000000000..e8408ae9a4 --- /dev/null +++ b/src/0003-org.osbuild.selinux-support-operating-on-mounts.patch 
@@ -0,0 +1,116 @@ +From 84d4de577057f66e1ad1c8e91631c441c0294532 Mon Sep 17 00:00:00 2001 +From: Nikita Dubrovskii +Date: Thu, 17 Oct 2024 12:57:00 +0200 +Subject: [PATCH 3/4] org.osbuild.selinux: support operating on mounts + +This adds support for specifying paths to operate on, +rather than just the root of the target: +``` +- type: org.osbuild.selinux + options: + file_contexts: etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/path/to/dir + mounts: + - name: root + source: disk + target: / +``` + +or + +``` +- type: org.osbuild.selinux + options: + labels: + mount://root/path/to/file: system_u:object_r:boot_t:s0 + mount://root/path/to/other/file: system_u:object_r:var_t:s0 + mounts: + - name: root + source: disk + target: / + +``` +--- + stages/org.osbuild.selinux | 21 ++++++++++++--------- + stages/org.osbuild.selinux.meta.json | 8 +++++++- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux +index 563d827b..40487599 100755 +--- a/stages/org.osbuild.selinux ++++ b/stages/org.osbuild.selinux +@@ -4,26 +4,30 @@ import pathlib + import sys + + import osbuild.api +-from osbuild.util import selinux ++from osbuild.util import parsing, selinux + + +-def main(tree, options): ++def main(args): ++ # Get the path where the tree is ++ options = args["options"] + file_contexts = options.get("file_contexts") + exclude_paths = options.get("exclude_paths") ++ target = options.get("target", "tree:///") ++ root, target = parsing.parse_location_into_parts(target, args) + + if file_contexts: +- file_contexts = os.path.join(f"{tree}", options["file_contexts"]) ++ file_contexts = os.path.join(args["tree"], options["file_contexts"]) + if exclude_paths: +- exclude_paths = [os.path.join(tree, p.lstrip("/")) for p in exclude_paths] +- selinux.setfiles(file_contexts, os.fspath(tree), "", exclude_paths=exclude_paths) ++ exclude_paths = [os.path.normpath(f"{root}/{target}/{p}") for p in 
exclude_paths] ++ selinux.setfiles(file_contexts, os.path.normpath(root), target, exclude_paths=exclude_paths) + + labels = options.get("labels", {}) + for path, label in labels.items(): +- fullpath = os.path.join(tree, path.lstrip("/")) ++ fullpath = parsing.parse_location(path, args) + selinux.setfilecon(fullpath, label) + + if options.get("force_autorelabel", False): +- stamp = pathlib.Path(tree, ".autorelabel") ++ stamp = pathlib.Path(root, ".autorelabel") + # Creating just empty /.autorelabel resets only the type of files. + # To ensure that the full context is reset, we write "-F" into the file. + # This mimics the behavior of `fixfiles -F boot`. The "-F" option is +@@ -34,6 +38,5 @@ def main(tree, options): + + + if __name__ == '__main__': +- args = osbuild.api.arguments() +- r = main(args["tree"], args["options"]) ++ r = main(osbuild.api.arguments()) + sys.exit(r) +diff --git a/stages/org.osbuild.selinux.meta.json b/stages/org.osbuild.selinux.meta.json +index 30dbddae..e536cead 100644 +--- a/stages/org.osbuild.selinux.meta.json ++++ b/stages/org.osbuild.selinux.meta.json +@@ -33,6 +33,12 @@ + } + ], + "properties": { ++ "target": { ++ "type": "string", ++ "description": "Target path in the tree or on a mount", ++ "pattern": "^mount://[^/]+/|^tree:///", ++ "default": "tree:///" ++ }, + "file_contexts": { + "type": "string", + "description": "Path to the active SELinux policy's `file_contexts`" +@@ -53,7 +59,7 @@ + }, + "force_autorelabel": { + "type": "boolean", +- "description": "Do not use. Forces auto-relabelling on first boot.", ++ "description": "Do not use. Forces auto-relabelling on first boot. Affects target's root or tree:/// by default", + "default": false + } + } +-- +2.47.0 + diff --git a/src/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch b/src/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch new file mode 100644 index 0000000000..d41c825373 --- /dev/null 
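Review bot: In `main` of `stages/org.osbuild.selinux`, `target` and each `exclude_paths` entry are joined under `root` with `os.path.normpath(f"{root}/{target}/{p}")` but never checked to still lie under `root`, so a `..` in a manifest-supplied option resolves to a host path that `selinux.setfiles`/`selinux.setfilecon` would then relabel; the schema pattern `^mount://[^/]+/|^tree:///` only constrains the prefix. A containment check after normalisation keeps the stage inside the mount or tree, for the joined `target` as well as each exclude path: `if os.path.commonpath([root, full]) != os.path.normpath(root): raise ValueError(f"path escapes {root}: {full}")`. The trailing-slash form `mount://root/boot/` is also passed to `setfiles` as `target` unnormalised; whether `selinux.setfiles` tolerates `/boot/` is not visible here, so `os.path.normpath(target)` at the call site is the safer form. Manifests are presumably build-time input rather than end-user input, which makes this hardening rather than an open hole.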
+++ b/src/0004-org.osbuild.selinux-support-for-specifying-where-fil.patch 
@@ -0,0 +1,92 @@ +From a8e8ebde4400e94036df35f72b08708f00bd4ffe Mon Sep 17 00:00:00 2001 +From: Nikita Dubrovskii +Date: Fri, 18 Oct 2024 17:04:07 +0200 +Subject: [PATCH 4/4] org.osbuild.selinux: support for specifying where + file_contexts comes from + +file_context now can come from +- tree (current default) +- mount +- input + +Example: +``` +- type: org.osbuild.selinux + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:tree + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts +``` +--- + stages/org.osbuild.selinux | 6 +++++- + stages/org.osbuild.selinux.meta.json | 12 ++++++++---- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/stages/org.osbuild.selinux b/stages/org.osbuild.selinux +index 40487599..8e25a281 100755 +--- a/stages/org.osbuild.selinux ++++ b/stages/org.osbuild.selinux +@@ -9,6 +9,7 @@ from osbuild.util import parsing, selinux + + def main(args): + # Get the path where the tree is ++ tree = args["tree"] + options = args["options"] + file_contexts = options.get("file_contexts") + exclude_paths = options.get("exclude_paths") +@@ -16,7 +17,10 @@ def main(args): + root, target = parsing.parse_location_into_parts(target, args) + + if file_contexts: +- file_contexts = os.path.join(args["tree"], options["file_contexts"]) ++ if "://" not in file_contexts: ++ file_contexts = os.path.normpath(f"{tree}/{file_contexts}") ++ else: ++ file_contexts = parsing.parse_location(file_contexts, args) + if exclude_paths: + exclude_paths = [os.path.normpath(f"{root}/{target}/{p}") for p in exclude_paths] + selinux.setfiles(file_contexts, os.path.normpath(root), target, exclude_paths=exclude_paths) +diff --git a/stages/org.osbuild.selinux.meta.json b/stages/org.osbuild.selinux.meta.json +index e536cead..9a9d7bb1 100644 +--- a/stages/org.osbuild.selinux.meta.json ++++ b/stages/org.osbuild.selinux.meta.json +@@ -1,8 +1,8 @@ + { + "summary": "Set SELinux file contexts", + 
"description": [ +- "Sets correct SELinux labels for every file in the tree, according to the", +- "SELinux policy installed inside the tree.", ++ "Sets correct SELinux labels for every file in the tree or on mount, according to", ++ "the SELinux policy.", + "Uses the host's `setfiles` program and the tree's `file_contexts`, usually", + " /etc/selinux//contexts/files/file_contexts", + "where is the value set in /etc/selinux/config (usually \"targeted\"", +@@ -40,8 +40,8 @@ + "default": "tree:///" + }, + "file_contexts": { +- "type": "string", +- "description": "Path to the active SELinux policy's `file_contexts`" ++ "description": "Path to the active SELinux policy's `file_contexts`. Supports `tree://`, `mount://`, and `input://` schemes. Plain paths imply `tree://`.", ++ "type": "string" + }, + "exclude_paths": { + "type": "array", +@@ -70,6 +70,10 @@ + }, + "mounts": { + "type": "array" ++ }, ++ "inputs": { ++ "type": "object", ++ "additionalProperties": true + } + } + } +-- +2.47.0 + diff --git a/src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml b/src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml index 049fb05fee..6a6b58c26a 100644 --- a/src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml +++ b/src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml @@ -110,7 +110,9 @@ pipelines: else: type: org.osbuild.noop # Construct a buildroot here from the input container reference (either - # ociarchive or registry/tag). Note that it won't actually be built + # ociarchive or registry/tag). Note that this is only used as a buildroot + # on RHCOS (FCOS doesn't ship python), but it is used everywhere as + # file_context input to the org.osbuild.selinux stages. # unless used somewhere later in the manifest. - name: build stages: 
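Review bot: The new `if "://" not in file_contexts:` branch in `main` duplicates, with different semantics, the scheme-less handling that patch 0002 added to `parsing.parse_location`: here a plain relative path such as `etc/selinux/targeted/contexts/files/file_contexts` is accepted and joined under `tree`, whereas the helper would (as far as patch 0002 shows) prefix it with `tree://` and mis-parse the first component as a netloc. The branch is therefore deliberate, and a comment should say so, e.g. `# plain paths stay relative to the tree for existing manifests; parse_location needs an absolute path after the scheme`. The meta.json addition `"inputs": {"type": "object", "additionalProperties": true}` accepts any input name and shape, while the stage only resolves the name given inside the `file_contexts` URL; if other stages' metadata declare a named `tree` input with its `type`/`origin`/`references` schema, the same shape here would let osbuild reject a malformed manifest before the stage runs.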
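Review bot: The rewritten comment above `- name: build` in `coreos.osbuild.aarch64.mpp.yaml` leaves the old continuation line `# unless used somewhere later in the manifest.` dangling: it completed "Note that it won't actually be built", which the hunk removes, and now follows a sentence that already ends in a full stop. Either drop that line or fold the original meaning back in, e.g. `# file_context input to the org.osbuild.selinux stages; it is only built if` / `# used somewhere later in the manifest.` The same comment change is repeated in the ppc64le, s390x and x86_64 manifests in this diff.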
@@ -143,8 +145,14 @@ pipelines: # https://github.com/coreos/fedora-coreos-tracker/issues/1772 - type: org.osbuild.selinux options: - labels: - /: system_u:object_r:root_t:s0 + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: tree:/// + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build - type: org.osbuild.ostree.init-fs - type: org.osbuild.ostree.os-init options: 
@@ -317,6 +325,90 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + - path: mount://boot/efi + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: /root-mount-point + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image.layout[''boot''].partnum}' + target: /boot-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: 
org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: 
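Review bot: The `mode: 493` values on the new `org.osbuild.mkdir` paths are decimal for octal `0755`, which every reader of the manifest has to convert; a trailing comment on each, `mode: 493  # 0755`, records the intent (if the stage schema takes a plain integer, the value itself stays). The mkdir-plus-two-selinux block is otherwise repeated, apart from the partition lookups and `sector-size`, in the 4k hunk of this file and in the ppc64le, s390x and x86_64 manifests; a shared mpp include or anchor would keep the eight copies from drifting, though whether mpp offers that is outside what this diff shows. The leading comment could also say that the second `org.osbuild.selinux` pass over `mount://root/boot/` is the only one that sees the boot filesystem's own `lost+found`, since that is the reason the block mounts `/boot` a second time.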
@@ -483,6 +575,96 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + - path: mount://boot/efi + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: /root-mount-point + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image4k.layout[''boot''].partnum}' + target: /boot-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: 
+ type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image4k.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: diff --git a/src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml b/src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml index 51ba805ea4..c3f29851c7 100644 --- a/src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml +++ b/src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml @@ -112,7 +112,9 @@ pipelines: else: type: org.osbuild.noop # Construct a buildroot here from the input container reference (either - # ociarchive or registry/tag). Note that it won't actually be built + # ociarchive or registry/tag). Note that this is only used as a buildroot + # on RHCOS (FCOS doesn't ship python), but it is used everywhere as + # file_context input to the org.osbuild.selinux stages. # unless used somewhere later in the manifest. - name: build stages: @@ -145,8 +147,14 @@ pipelines: # https://github.com/coreos/fedora-coreos-tracker/issues/1772 - type: org.osbuild.selinux options: - labels: - /: system_u:object_r:root_t:s0 + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: tree:/// + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build - type: org.osbuild.ostree.init-fs - type: org.osbuild.ostree.os-init options: 
@@ -310,6 +318,82 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: /root-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: 
'{image.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: 
@@ -453,6 +537,88 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: /root-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + 
source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image4k.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: diff --git a/src/osbuild-manifests/coreos.osbuild.s390x.mpp.yaml b/src/osbuild-manifests/coreos.osbuild.s390x.mpp.yaml index 20c8a69395..c6d9cbe3f8 100644 --- a/src/osbuild-manifests/coreos.osbuild.s390x.mpp.yaml +++ b/src/osbuild-manifests/coreos.osbuild.s390x.mpp.yaml @@ -102,7 +102,9 @@ pipelines: else: type: org.osbuild.noop # Construct a buildroot here from the input container reference (either - # ociarchive or registry/tag). Note that it won't actually be built + # ociarchive or registry/tag). Note that this is only used as a buildroot + # on RHCOS (FCOS doesn't ship python), but it is used everywhere as + # file_context input to the org.osbuild.selinux stages. # unless used somewhere later in the manifest. - name: build stages: @@ -135,8 +137,14 @@ pipelines: # https://github.com/coreos/fedora-coreos-tracker/issues/1772 - type: org.osbuild.selinux options: - labels: - /: system_u:object_r:root_t:s0 + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: tree:/// + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build - type: org.osbuild.ostree.init-fs - type: org.osbuild.ostree.os-init options: 
@@ -313,6 +321,82 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: /root-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: 
'{image.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: 
@@ -427,6 +511,88 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: /root-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + 
source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image4k.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: diff --git a/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml b/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml index bd49851444..837f666445 100644 --- a/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml +++ b/src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml @@ -112,7 +112,9 @@ pipelines: else: type: org.osbuild.noop # Construct a buildroot here from the input container reference (either - # ociarchive or registry/tag). Note that it won't actually be built + # ociarchive or registry/tag). Note that this is only used as a buildroot + # on RHCOS (FCOS doesn't ship python), but it is used everywhere as + # file_context input to the org.osbuild.selinux stages. # unless used somewhere later in the manifest. - name: build stages: @@ -145,8 +147,14 @@ pipelines: # https://github.com/coreos/fedora-coreos-tracker/issues/1772 - type: org.osbuild.selinux options: - labels: - /: system_u:object_r:root_t:s0 + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: tree:/// + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build - type: org.osbuild.ostree.init-fs - type: org.osbuild.ostree.os-init options: 
@@ -319,6 +327,90 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + - path: mount://boot/efi + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: /root-mount-point + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image.layout[''boot''].partnum}' + target: /boot-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: 
org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: 
@@ -487,6 +579,96 @@ pipelines: mpp-format-string: '{root_fs_uuid}' label: mpp-format-string: '{root_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + - path: mount://boot/efi + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: /root-mount-point + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image4k.layout[''boot''].partnum}' + target: /boot-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: 
+ type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + sector-size: + mpp-format-int: "{four_k_sector_size}" + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image4k.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: '{image4k.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: diff --git a/src/osbuild-manifests/platform.qemu-secex.ipp.yaml b/src/osbuild-manifests/platform.qemu-secex.ipp.yaml index fdd1b14a5b..88904c39cc 100644 --- a/src/osbuild-manifests/platform.qemu-secex.ipp.yaml +++ b/src/osbuild-manifests/platform.qemu-secex.ipp.yaml 
@@ -109,6 +109,82 @@ pipelines: uuid: random label: mpp-format-string: '{sd_fs_label}' + # We've created the filesystems. Now let's create the mountpoints (directories) + # on the filesystems and label them with appropriate SELinux labels. This also + # covers things like filesystem autogenerated files like 'lost+found'. The labeling + # will happen once with just the root filesystem mounted and once with the boot + # filesystem mounted too (to make sure we get all potentially hidden mountpoints). + # https://github.com/coreos/fedora-coreos-tracker/issues/1771 + - type: org.osbuild.mkdir + options: + paths: + - path: mount://root/boot + mode: 493 + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image_secex.layout[''root''].partnum}' + target: /root-mount-point + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image_secex.layout[''root''].partnum}' + target: / + - type: org.osbuild.selinux + options: + file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts + target: mount://root/boot/ + inputs: + tree: + type: org.osbuild.tree + origin: org.osbuild.pipeline + references: + - name:build + devices: + disk: + type: org.osbuild.loopback + options: + filename: disk.img + partscan: true + mounts: + - name: root + type: org.osbuild.xfs + source: disk + partition: + mpp-format-int: '{image_secex.layout[''root''].partnum}' + target: / + - name: boot + type: org.osbuild.ext4 + source: disk + partition: + mpp-format-int: 
'{image_secex.layout[''boot''].partnum}' + target: /boot - type: org.osbuild.copy inputs: tree: