From 623734c384aaa1d50c26d3b55b75c983b06684ce Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Mon, 17 Sep 2018 14:31:45 -0400
Subject: [PATCH] Backport patch for relabeling /var/home on FCOS

Ref: https://github.com/coreos/fedora-coreos-config/issues/2
---
 ...es-relabel-var-home-and-var-roothome.patch | 50 +++++++++++++++++++
 ignition.spec | 9 +++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 0001-stages-files-relabel-var-home-and-var-roothome.patch
diff --git a/0001-stages-files-relabel-var-home-and-var-roothome.patch b/0001-stages-files-relabel-var-home-and-var-roothome.patch
new file mode 100644
index 0000000..196b15e
--- /dev/null
+++ b/0001-stages-files-relabel-var-home-and-var-roothome.patch
@@ -0,0 +1,50 @@
+From 45b75181389d2bc357de524dc32ede787222dedc Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Fri, 14 Sep 2018 15:27:37 -0400
+Subject: [PATCH] stages/files: relabel /var/home and /var/roothome
+
+The behaviour of how `restorecon` handles symlinks changed between RHCOS
+and FCOS. More specifically, `restorecon` will follow symlinks that are
+part of a given path, but not if the target path is a symlink itself.
+On OSTree-based systems, `/home` and `/root` are just symlinks, so the
+newer `restorecon` wasn't actually relabeling anything under there.
+
+Add the real paths to the list of dirs to relabel and add `-i` so that
+it's not a fatal error on non-OSTree-based systems.
+
+Closes: coreos/fedora-coreos-config#2
+---
+ internal/exec/stages/files/files.go | 2 +-
+ internal/exec/stages/files/passwd.go | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/internal/exec/stages/files/files.go b/internal/exec/stages/files/files.go
+index 077d383..609a0e8 100644
+--- a/internal/exec/stages/files/files.go
++++ b/internal/exec/stages/files/files.go
+@@ -146,7 +146,7 @@ OnFailureJobMode=replace-irreversibly
+
+ [Service]
+ Type=oneshot
+-ExecStart=` + distro.RestoreconCmd() + ` -0vRf /etc/selinux/ignition.relabel
++ExecStart=` + distro.RestoreconCmd() + ` -0vRif /etc/selinux/ignition.relabel
+ ExecStart=/usr/bin/rm /etc/selinux/ignition.relabel
+ RemainAfterExit=yes`,
+ }
+diff --git a/internal/exec/stages/files/passwd.go b/internal/exec/stages/files/passwd.go
+index 2eecd40..1ae0f02 100644
+--- a/internal/exec/stages/files/passwd.go
++++ b/internal/exec/stages/files/passwd.go
+@@ -41,6 +41,9 @@ func (s *stage) createPasswd(config types.Config) error {
+ "/etc/.pwd.lock",
+ "/home",
+ "/root",
++ // for OSTree-based systems (newer restorecon doesn't follow symlinks)
++ "/var/home",
++ "/var/roothome",
+ )
+ }
+
+--
+2.19.0
+
diff --git a/ignition.spec b/ignition.spec
index 6182028..ef9b72d 100644
--- a/ignition.spec
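Review bot: The `-i` added to `-0vRif` in the embedded files.go hunk applies to every entry in /etc/selinux/ignition.relabel, not only to the two new paths, so any listed path that is missing when the unit runs is now skipped while the unit still succeeds, and content that should have been relabeled could keep a wrong SELinux label with no failure signal. If that trade-off is intended, record it next to the path list in passwd.go, for example `// /var/home and /var/roothome exist only on OSTree-based systems; the relabel unit passes -i so missing entries are skipped rather than fatal`. The added comment also says restorecon "doesn't follow symlinks", whereas the commit message is more precise (symlinks inside a path are followed, but a path that is itself a symlink is not); the comment would be better worded the same way. Both the unit definition in files.go and createPasswd start and end outside the embedded hunks, so how the path list reaches the relabel file is not visible here.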
+++ b/ignition.spec
@@ -73,12 +73,14 @@
 Name: ignition
 Version: 0.28.0
-Release: 3.git%{shortcommit}%{?dist}
+Release: 4.git%{shortcommit}%{?dist}
 Summary: First boot installer and configuration tool
 License: ASL 2.0
 URL: https://%{provider_prefix}
 Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+Patch0: 0001-stages-files-relabel-var-home-and-var-roothome.patch
+
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
@@ -326,6 +328,7 @@ initramfs on boot.
 # setup command reference: http://ftp.rpm.org/max-rpm/s1-rpm-inside-macros.html
 # unpack source0 and apply patches
 %setup -T -b 0 -q -n %{repo}-%{commit}
+%patch0 -p1
 # unpack source1 (dracut modules)
 %setup -T -D -a 1 -q -n %{repo}-%{commit}
@@ -469,6 +472,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %endif
 %changelog
+* Mon Sep 17 2018 Jonathan Lebon - 0.28.0-4.gitf707912
+- Backport patch for relabeling /var/home on FCOS
+ https://github.com/coreos/fedora-coreos-config/issues/2
+
 * Thu Sep 06 2018 Luca Bruno - 0.28.0-3.gitf707912
 - Add requires for disks stage