particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

image-info: changes related to reading SELinux labels unknown to host

Browse source 
When `image-info` inspects ostree images, the `/usr/etc` is bind-mounted
to `/etc`. This results in conflicting SELinux policy specification for
these files and makes the outcome dependent on the `setfiles` build.
All the files in `/etc` have mismatch in the expected vs. actual SELinux
context.

Exclude `/etc` from the check of SELinux ctx mismatches in case the
analysed tree is from an ostree-based image.

Sort the list returned `read_selinux_ctx_mismatch()` based on the item's
`filename` key, to make the result consistent across runs.

`image-info` can not read SELinux labels from the images, which are not
known to the host. This makes the report content depend on the host
environment. As a temporary workaround, relabel the image-info script with
osbuild_exec_t label to allow it to read unknown SELinux labels.

Modify documentation in `test/README.md` to explain the issue with
`image-info` and unknown SELinux labels.

Modify the `generate-all-test-cases` to relabel `image-info` before
generating test cases.

Modify the `image_tests.sh` to relabel `image-info` before running image
test cases.

Add 'tar' image for 'rhel-8' on 's390x' back to the matrix of generated
test cases, as it was removed by mistake. Regenerate the image test
case. Remove 'tar' image from 'rhel-84' on 's390x' from the matrix of
generated test cases, as it is not supported.

Regenerate all affected image test cases.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
This commit is contained in:
Tomas Hozza 2021-06-11 12:40:15 +02:00 committed by Alexander Todorov
parent 95cd5b782e
commit bce603586e
26 changed files with 134 additions and 144862 deletions
Download patch file Download diff file Expand all files Collapse all files

10
test/data/manifests/rhel_8-aarch64-tar-boot.json
View file

@ -5704,6 +5704,11 @@
},
"selinux": {
"context-mismatch": [
{
"actual": "unconfined_u:object_r:rpm_var_lib_t:s0",
"expected": "system_u:object_r:rpm_var_lib_t:s0",
"filename": "/var/lib/rpm/__db.001"
},
{
"actual": "unconfined_u:object_r:rpm_var_lib_t:s0",
"expected": "system_u:object_r:rpm_var_lib_t:s0",
@ -5713,11 +5718,6 @@
"actual": "unconfined_u:object_r:rpm_var_lib_t:s0",
"expected": "system_u:object_r:rpm_var_lib_t:s0",
"filename": "/var/lib/rpm/__db.003"
},
{
"actual": "unconfined_u:object_r:rpm_var_lib_t:s0",
"expected": "system_u:object_r:rpm_var_lib_t:s0",
"filename": "/var/lib/rpm/__db.001"
}
],
"policy": {