particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

distro: SELinux should be the last stage

Browse source 
SELinux relabels the entire filesystem tree and should always be the
last stage in the os pipelines.
This commit is contained in:
Simon de Vlieger 2022-11-03 11:52:10 +01:00 committed by Christian Kellner
parent d73171fdde
commit f6bd62e838
198 changed files with 466 additions and 557 deletions
Download patch file Download diff file Expand all files Collapse all files

10
internal/distro/rhel8/pipelines.go
View file

@ -652,11 +652,6 @@ func osPipeline(t *imageType,
p.AddStage(osbuild.NewOscapRemediationStage(remediationOptions))
}
// Relabel the tree, unless the `NoSElinux` flag is explicitly set to `true`
if imageConfig.NoSElinux == nil || imageConfig.NoSElinux != nil && !*imageConfig.NoSElinux {
p.AddStage(osbuild.NewSELinuxStage(selinuxStageOptions(false)))
}
if t.arch.distro.isRHEL() && options.Facts != nil {
p.AddStage(osbuild.NewRHSMFactsStage(&osbuild.RHSMFactsStageOptions{
Facts: osbuild.RHSMFacts{
@ -665,6 +660,11 @@ func osPipeline(t *imageType,
}))
}
// Relabel the tree, unless the `NoSElinux` flag is explicitly set to `true`
if imageConfig.NoSElinux == nil || imageConfig.NoSElinux != nil && !*imageConfig.NoSElinux {
p.AddStage(osbuild.NewSELinuxStage(selinuxStageOptions(false)))
}
if t.rpmOstree {
p.AddStage(osbuild.NewOSTreePrepTreeStage(&osbuild.OSTreePrepTreeStageOptions{
EtcGroupMembers: []string{

10
internal/distro/rhel9/pipelines.go
View file

@ -653,11 +653,6 @@ func osPipeline(t *imageType,
p.AddStage(osbuild.NewOscapRemediationStage(remediationOptions))
}
// Relabel the tree, unless the `NoSElinux` flag is explicitly set to `true`
if imageConfig.NoSElinux == nil || imageConfig.NoSElinux != nil && !*imageConfig.NoSElinux {
p.AddStage(osbuild.NewSELinuxStage(selinuxStageOptions(false)))
}
if t.arch.distro.isRHEL() && options.Facts != nil {
p.AddStage(osbuild.NewRHSMFactsStage(&osbuild.RHSMFactsStageOptions{
Facts: osbuild.RHSMFacts{
@ -666,6 +661,11 @@ func osPipeline(t *imageType,
}))
}
// Relabel the tree, unless the `NoSElinux` flag is explicitly set to `true`
if imageConfig.NoSElinux == nil || imageConfig.NoSElinux != nil && !*imageConfig.NoSElinux {
p.AddStage(osbuild.NewSELinuxStage(selinuxStageOptions(false)))
}
if t.rpmOstree {
p.AddStage(osbuild.NewOSTreePrepTreeStage(&osbuild.OSTreePrepTreeStageOptions{
EtcGroupMembers: []string{