From 5c01f1c2f68591ea18b22173bf3b3bfb29f944f6 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Wed, 31 Jan 2024 15:43:09 -0500
Subject: [PATCH] install: Add BOOTC_SKIP_SELINUX_HOST_CHECK

We're going to investigate supporting installing SELinux-enabled targets from a SELinux-disabled host. This environment variable will allow bypassing the check.

xref https://github.com/ostreedev/ostree/pull/3151
---
 .github/workflows/ci.yml | 7 +++++++
 lib/src/install.rs | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c39913f16..99894b250 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,3 +137,10 @@ jobs:
 --karg=foo=bar --disable-selinux --replace=alongside /target
 ls -al /boot/loader/
 sudo grep foo=bar /boot/loader/entries/*.conf
+ # TODO fix https://github.com/containers/bootc/pull/137
+ sudo chattr -i / /ostree/deploy/default/deploy/*
+ sudo rm /ostree/deploy/default -rf
+ sudo podman run --rm -ti --privileged --env BOOTC_SKIP_SELINUX_HOST_CHECK=1 --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
+ quay.io/centos-bootc/fedora-bootc-dev:eln bootc install to-filesystem \
+ --replace=alongside /target
+ sudo ls -ldZ / /ostree/deploy/default/deploy/* /ostree/deploy/default/deploy/*/etc
diff --git a/lib/src/install.rs b/lib/src/install.rs
index 9c6b11430..6f929625f 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
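Review bot: The closing `sudo ls -ldZ …` line only prints labels and can never fail the job, so this step does not actually verify that the SELinux-disabled-host install produced a labeled deployment, which is the whole point of the new path. On a runner kernel without SELinux `ls -Z` may also print `?` instead of the stored context, so read the xattr directly and assert on it, e.g. `sudo getfattr -n security.selinux --absolute-names /ostree/deploy/default/deploy/*/etc | grep -q security.selinux` (the exact expected context is not visible from this diff, so tighten the grep once it is known). The `chattr -i /` plus `rm -rf /ostree/deploy/default` workaround mutates the runner's root filesystem; that is tolerable on an ephemeral runner, but the `# TODO` should state what it is working around so it can be removed when PR 137 lands. The enclosing job step begins before this hunk.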
@@ -707,6 +707,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 let mut ret_did_override = false;
 // If the target state has SELinux enabled, we need to check the host state.
 let mut g = None;
+ // We don't currently quite support installing SELinux enabled systems
+ // from SELinux disabled hosts, but this environment variable can be set
+ // to test it out anyways.
+ let skip_check_envvar = "BOOTC_SKIP_SELINUX_HOST_CHECK";
 if srcdata.selinux {
 let host_selinux = crate::lsm::selinux_enabled()?;
 tracing::debug!("Target has SELinux, host={host_selinux}");
@@ -722,6 +726,11 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 } else if override_disable_selinux {
 ret_did_override = true;
 println!("notice: Target has SELinux enabled, overriding to disable")
+ } else if std::env::var_os(skip_check_envvar).is_some() {
+ eprintln!(
+ "Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
+ skip_check_envvar
+ );
 } else {
 anyhow::bail!(
 "Host kernel does not have SELinux support, but target enables it by default"
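Review bot: `let skip_check_envvar = "BOOTC_SKIP_SELINUX_HOST_CHECK";` declares a fixed name as a function-local binding; the Rust convention for this is a module-level `const SKIP_CHECK_ENVVAR: &str = "BOOTC_SKIP_SELINUX_HOST_CHECK";`, which also makes the knob easy to find when auditing which environment variables alter install behaviour. The comment above it explains the motivation but not the support status, so I would add `// Unstable, testing-only escape hatch; not part of the supported CLI surface.` so nobody treats it as a documented option. `reexecute_self_for_selinux_if_needed` begins before this hunk and continues after it.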
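Review bot: `std::env::var_os(skip_check_envvar).is_some()` treats `BOOTC_SKIP_SELINUX_HOST_CHECK=0` or an empty value as opt-in, and since this branch disables the check that otherwise refuses to install an SELinux-enabled target from a host that cannot label it, the trigger should require an explicit value: `} else if std::env::var_os(skip_check_envvar).as_deref() == Some(std::ffi::OsStr::new("1")) {`. The branch also leaves `ret_did_override` at `false`, so callers presumably still treat the target as SELinux-enabled even though the host kernel cannot apply labels; whether the later labeling code copes is not visible here, so the `eprintln!` text should at least say the result is for testing and may not be correctly labeled. A `tracing::warn!` alongside the `eprintln!` would keep this bypass visible in logs collected with `RUST_LOG`. `reexecute_self_for_selinux_if_needed` begins before this hunk and continues after it.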