Ensure root_t label for /store
The way osbuild works is to synthesize a filesystem tree in the store, then copy it to the disk. This ensures the label for the store is `root_t` which ends up being the labeling for the "infrastructure" bits in the `/ostree` repository in the target root. This in turn is blocking a lot of things. Closes: https://github.com/osbuild/bootc-image-builder/issues/149
This commit is contained in:
Colin Walters
Simon de Vlieger
parent
1ea8e87fad
commit
2d95d34bb6
1 changed files with 10 additions and 2 deletions
|
|
@ -12,13 +12,21 @@ import (
|
|||
|
||||
// EnsureEnvironment mutates external filesystem state as necessary
|
||||
// to run in a container environment. This function is idempotent.
|
||||
func EnsureEnvironment() error {
|
||||
func EnsureEnvironment(storePath string) error {
|
||||
osbuildPath := "/usr/bin/osbuild"
|
||||
if util.IsMountpoint(osbuildPath) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// A hardcoded security label from Fedora derivatives
|
||||
// Forcibly label the store to ensure we're not grabbing container labels
|
||||
rootType := "system_u:object_r:root_t:s0"
|
||||
// This papers over the lack of ensuring correct labels for the /ostree root
|
||||
// in the existing pipeline
|
||||
if err := util.RunCmdSync("chcon", rootType, storePath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// A hardcoded security label from Fedora derivatives for osbuild
|
||||
// TODO: Avoid hardcoding this by using either host policy lookup
|
||||
// Or eventually depend on privileged containers just having this capability.
|
||||
//
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue