deploy: Try to rebuild policy in new deployment if needed #2569

Merged (2 commits) on Mar 29, 2022

Commits on Mar 28, 2022

  1. deploy: Try to rebuild policy in new deployment if needed

    Whenever the user has SELinux enabled and has any local
    modules/modifications installed, it is necessary to rebuild the policy
    in the final deployment, otherwise ostree will leave the binary policy
    files unchanged from last deployment as it detects difference against
    the base content (in rpm-ostree case this is the RPM content).
    
    To avoid the situation where the policy binaries go stale once any local
    customization of the policy is made, try to rebuild the policy as part
    of sysroot_finalize_deployment(). Use the special
    --rebuild-if-modules-changed switch, which detects if the input module
    files have changed relative to last time the policy was built and skips
    the most time-consuming part of the rebuild process if modules are
    unchanged (thus making this a relatively cheap operation if the user
    hasn't made any modifications to the shipped policy).
    
    As suggested by Jonathan Lebon, this uses bubblewrap (via
    g_spawn_sync()) to perform the rebuild inside the deployment's
    filesystem tree, which also means that ostree will have a runtime
    dependency on bubblewrap.
    
    Partially addresses: coreos/fedora-coreos-tracker#701
    
    Signed-off-by: Ondrej Mosnacek <[email protected]>
    WOnder93 authored and cgwalters committed Mar 28, 2022
    edb4f38
  2. deploy: Be a bit more verbose about SELinux bits

    Let's log when we don't find the expected CLI argument which
    will help debug things.
    cgwalters committed Mar 28, 2022
    c58a4fe