-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
/sysroot
dir and subfiles are unlabeled_t
since version 40.20240504.3.0
#1772
Comments
When fixing #1771, we should also fix this in the same barrier code. |
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to a missing step in the OSBuild pipeline as this started with coreos/fedora-coreos-tracker#1653. This should be removed after the next barrier release, if the newly produced images are fixed. See coreos/fedora-coreos-tracker#1771 And coreos/fedora-coreos-tracker#1772
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to a missing step in the OSBuild pipeline as this started with coreos/fedora-coreos-tracker#1653. This should be removed after the next barrier release, if the newly produced images are fixed. See coreos/fedora-coreos-tracker#1771 And coreos/fedora-coreos-tracker#1772
OK yeah, this is a mess. Basically everything in
In the Some of these entries will cycle out over time. E.g. some of the dirmeta/dirtree objects, the directories with digests in them, etc... Others will linger. A comprehensive fix for this is now trickier and riskier than I thought. We could do something like the
This will need to be carefully written and tested. We should run |
@jlebon - did you mean to close this? |
Whoops no! Sorry, GitHub project issue. |
For Let's pick a static list of files that we know are safe to fix. |
Experimenting a bit with a good and a bad build on rawhide, following jonathan's comment guidelines I find 90 files that are I got a list of files mounting the FCOS rootfs on a loop device then
The remaining files are as follow
Then all the I am going to update the PR with a proposed script and do some testing. |
Just a reminder that |
You've made us aware. This discussion is about how to fix existing systems. |
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888 (cherry picked from commit d3302e0)
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888 (cherry picked from commit d3302e0)
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]> (cherry picked from commit 2e355fd)
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]> (cherry picked from commit 2e355fd)
|
We have a few issues right now where files in our images don't have any selinux context (i.e. end up unlabeled_t). Here we workaround the hidden mountpoints issue [1] with a patch to OSBuild to hardcode some chcon calls. We workaround the "bunch of files under /sysroot are unlabeled" issue [2] by backported a proposed upstream change to the org.osbuild.selinux stage [3] and then using it to explicitly set the context on the root of the tree to `root_t`. We also add a fix [4] for another issue where '/boot/coreos/platforms.json' would end up with the wrong label. [1] coreos/fedora-coreos-tracker#1771 [2] coreos/fedora-coreos-tracker#1772 [3] osbuild/osbuild#1889 [4] osbuild/osbuild#1888
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]> (cherry picked from commit 2e355fd)
/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]> (cherry picked from commit 2e355fd)
The fix for this went into |
The fix for this went into |
Describe the bug
/sysroot
dir and subfiles areunlabeled_t
since 40.20240504.3.0.Bisect results:
40.20240416.3.1 is good
40.20240504.3.0 is bad
Reproduction steps
Start FCOS and run
ls -alZ /sysroot
Expected behavior
/sysroot
dir and subfiles are correctly labeled.Actual behavior
/sysroot
dir and subfiles areunlabeled_t
.System details
N/A
Butane or Ignition config
No response
Additional information
No response
The text was updated successfully, but these errors were encountered: