build_library: set correct SELinux contexts in final images #368
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
8 tasks
pothos
reviewed
Jul 7, 2022
pothos
reviewed
Jul 7, 2022
pothos
reviewed
Jul 7, 2022
1 task
tormath1
force-pushed
the
tormath1/selinux
branch
from
70075fc
to
5a9381c
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
from
5a9381c
to
4a2f054
Compare
jepio
reviewed
Aug 12, 2022
build_packages
Outdated
| # build and label the system before generating torcx image. | ||
| info "Label the build root" | ||
| sudo chroot "${BOARD_ROOT}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp" | ||
| sudo setfiles -Dv -r "${BOARD_ROOT}" "${BOARD_ROOT}"/etc/selinux/mcs/contexts/files/file_contexts "${BOARD_ROOT}" |
There was a problem hiding this comment.
setfiles is a cool idea, but doing it in build_packages is not useful, because the images are not built from the files in BOARD_ROOT. This would have to happen somewhere in build_image and in build_torcx_store.
There was a problem hiding this comment.
Also came across this: https://github.com/gardenlinux/gardenlinux/blob/main/bin/makepart#L20-L22
tormath1
force-pushed
the
tormath1/selinux
branch
2 times, most recently
from
b7d9a63
to
42ff444
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
from
42ff444
to
67abbed
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
from
67abbed
to
1f26e11
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
from
1f26e11
to
9a658e1
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
7 times, most recently
from
5134d91
to
b510a48
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
3 times, most recently
from
174c2a9
to
1b9c992
Compare
tormath1
force-pushed
the
tormath1/selinux
branch
3 times, most recently
from
0eb84a0
to
d7e8a99
Compare
`setfiles` can be used to directly set the SELinux labels on a root filesystem based on the values in `file_contexts`. Signed-off-by: Mathieu Tortuyaux <[email protected]>
tormath1
force-pushed
the
tormath1/selinux
branch
from
d7e8a99
to
759559f
Compare
|
Closed in favor of #666 (:imp:) |
Can you rather rebase? My PR only did the labeling for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
build_packages: use setfiles to label the system
setfilescan be used to directly set the SELinux labels on a root filesystem based on the values infile_contexts.