From 47db12917671604d6cda32ace2483e2b154d271e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Mon, 29 Jan 2024 15:46:03 -0500 Subject: [PATCH] install: Ensure we label `/` (and `/boot`) This came out of a discussion with bootc-image-builder, which has this issue right now: https://github.com/osbuild/bootc-image-builder/issues/149 As I noted in that issue, I think it's basically been working here because we always write to a real fresh filesystem, but let's be very explicit. There's a notable tricky bootstrapping we're solving here around "what's the label of `/`" because we know we are running the target OS as a container image already. Signed-off-by: Colin Walters --- lib/src/install.rs | 10 ++++++++++ tests/kolainst/install | 1 + 2 files changed, 11 insertions(+) diff --git a/lib/src/install.rs b/lib/src/install.rs index a95f5a59a..f432898d4 100644 --- a/lib/src/install.rs +++ b/lib/src/install.rs @@ -445,6 +445,10 @@ async fn initialize_ostree_root_from_self( let rootfs = root_setup.rootfs.as_path(); let cancellable = gio::Cancellable::NONE; + // Ensure that the physical root is labeled. + // Another implementation: https://github.com/coreos/coreos-assembler/blob/3cd3307904593b3a131b81567b13a4d0b6fe7c90/src/create_disk.sh#L295 + state.lsm_label(rootfs, "/".into(), false)?; + // TODO: make configurable? let stateroot = STATEROOT_DEFAULT; Task::new_and_run( @@ -453,6 +457,12 @@ async fn initialize_ostree_root_from_self( ["admin", "init-fs", "--modern", rootfs.as_str()], )?; + // And also label /boot AKA xbootldr, if it exists + let bootdir = rootfs.join("boot"); + if bootdir.try_exists()? { + state.lsm_label(&bootdir, "/boot".into(), false)?; + } + // Default to avoiding grub2-mkconfig etc., but we need to use zipl on s390x. // TODO: Lower this logic into ostree proper. let bootloader = if cfg!(target_arch = "s390x") { diff --git a/tests/kolainst/install b/tests/kolainst/install index 121dc2af7..cb8544076 100755 --- a/tests/kolainst/install 
+++ b/tests/kolainst/install
@@ -35,6 +35,7 @@ EOF
 # but for now let's just sanity test that the install command executes.
 lsblk ${DEV}
 mount /dev/vda3 /var/mnt
+ ls -Z /var/mnt |grep ':root_t:'
 grep foo=bar /var/mnt/loader/entries/*.conf
 grep localtestkarg=somevalue /var/mnt/loader/entries/*.conf
 grep -Ee '^linux /boot/ostree' /var/mnt/loader/entries/*.conf
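Review bot: `ls -Z /var/mnt |grep ':root_t:'` lists the entries inside the mount and passes if any child carries `root_t`, so it does not check the label of the mounted directory itself, which is what the install.rs change sets; `ls -dZ /var/mnt | grep ':root_t:'` pins the directory's own context. Given that `loader/entries` sits directly under this mount, `/dev/vda3` looks like the `/boot` filesystem rather than `/`, so confirm which partition this asserts on and whether `root_t` is the type expected there. A matching assertion on the `/boot` directory's label would also cover the second half of the change.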