buildroot: ensure /sys/fs/selinux is read-only

Make sure "/sys/fs/selinux" is read-only, otherwise libselinux and
tools will assume that SELinux is available and active and in turn
use /sys/fs/selinux to e.g. verify the file system labels; this
will then prevent setting unknown labels via `setfiles`.
This commit is contained in:
Christian Kellner 2020-08-12 00:50:54 +02:00
parent 6e63baa0d4
commit 41cf4bf2d3

@ -150,6 +150,7 @@ class BuildRoot(contextlib.AbstractContextManager):
# Setup API file-systems.
mounts += ["--proc", "/proc"]
mounts += ["--bind", "/sys", "/sys"]
mounts += ["--ro-bind-try", "/sys/fs/selinux", "/sys/fs/selinux"]
# We execute our own modules by bind-mounting them from the host into
# the build-root. We have minimal requirements on the build-root, so
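Review bot: The added `--ro-bind-try` line for /sys/fs/selinux carries no comment, so the reason it must be read-only (libselinux and tools otherwise treat SELinux as active and `setfiles` then refuses unknown labels) lives only in the commit message. Please add a short comment above it. The comment should also state that the line has to stay after `mounts += ["--bind", "/sys", "/sys"]`, since it relies on overlaying the read-write /sys bind and a later reordering would silently undo the fix. It is also worth noting there that the `-try` variant skips the mount when the host has no /sys/fs/selinux, and that the rest of /sys remains writable inside the build-root.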