rpms/ignition
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport fix for SELinux relabeling of systemd units

Browse Source
This commit is contained in:
Benjamin Gilbert 2019-03-27 18:27:16 -04:00
parent 0b9a765df3
commit edf3b2635a
2 changed files with 84 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch Normal file
View File

@ -0,0 +1,77 @@
From 5d57d6107a56fecfe9b6c8bb1a06f2dd1889a7e0 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@redhat.com>
Date: Wed, 27 Mar 2019 17:29:15 -0400
Subject: [PATCH] stages/files: fix unit relabeling to exclude DestDir
Non-runtime units and dropins need to be relabeled relative to DestDir,
since relabeling happens in the real root.
e42ecb08f9b5 addressed this for files.
---
internal/exec/stages/files/units.go | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/internal/exec/stages/files/units.go b/internal/exec/stages/files/units.go
index 98c0797..c73141c 100644
--- a/internal/exec/stages/files/units.go
+++ b/internal/exec/stages/files/units.go
@@ -15,7 +15,9 @@
package files
import (
+ "fmt"
"path/filepath"
+ "strings"
"github.com/coreos/ignition/config/v3_0/types"
"github.com/coreos/ignition/internal/distro"
@@ -85,6 +87,14 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
s.Logger.Crit("error converting systemd dropin: %v", err)
return err
}
+ relabelPath := f.Node.Path
+ if !runtime {
+ // trim off prefix since this needs to be relative to the sysroot
+ if !strings.HasPrefix(f.Node.Path, s.DestDir) {
+ panic(fmt.Sprintf("Dropin path %s isn't under prefix %s", f.Node.Path, s.DestDir))
+ }
+ relabelPath = f.Node.Path[len(s.DestDir):]
+ }
if err := s.Logger.LogOp(
func() error { return u.PerformFetch(f) },
"writing systemd drop-in %q at %q", dropin.Name, f.Node.Path,
@@ -92,7 +102,7 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
return err
}
if !relabeledDropinDir {
- s.relabel(filepath.Dir("/" + f.Node.Path))
+ s.relabel(filepath.Dir(relabelPath))
relabeledDropinDir = true
}
}
@@ -106,13 +116,21 @@ func (s *stage) writeSystemdUnit(unit types.Unit, runtime bool) error {
s.Logger.Crit("error converting unit: %v", err)
return err
}
+ relabelPath := f.Node.Path
+ if !runtime {
+ // trim off prefix since this needs to be relative to the sysroot
+ if !strings.HasPrefix(f.Node.Path, s.DestDir) {
+ panic(fmt.Sprintf("Unit path %s isn't under prefix %s", f.Node.Path, s.DestDir))
+ }
+ relabelPath = f.Node.Path[len(s.DestDir):]
+ }
if err := s.Logger.LogOp(
func() error { return u.PerformFetch(f) },
"writing unit %q at %q", unit.Name, f.Node.Path,
); err != nil {
return err
}
- s.relabel("/" + f.Node.Path)
+ s.relabel(relabelPath)
return nil
}, "processing unit %q", unit.Name)
--
2.20.1

8
ignition.spec
View File

@ -73,13 +73,15 @@
Name: ignition Name: ignition
Version: 2.0.0 Version: 2.0.0
Release: alpha.1.git%{shortcommit}%{?dist} Release: alpha.2.git%{shortcommit}%{?dist}
Summary: First boot installer and configuration tool Summary: First boot installer and configuration tool
License: ASL 2.0 and BSD License: ASL 2.0 and BSD
URL: https://%{provider_prefix} URL: https://%{provider_prefix}
Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
Source1: https://%{dracutprovider_prefix}/archive/%{dracutcommit}/%{dracutrepo}-%{dracutshortcommit}.tar.gz Source1: https://%{dracutprovider_prefix}/archive/%{dracutcommit}/%{dracutrepo}-%{dracutshortcommit}.tar.gz
Patch0: 0001-stages-files-fix-unit-relabeling-to-exclude-DestDir.patch
# For RHEL7 we'll want to specify gopath and list of arches since there is no # For RHEL7 we'll want to specify gopath and list of arches since there is no
# gopath or go_arches macro. We'll also want to make sure we pull in golang # gopath or go_arches macro. We'll also want to make sure we pull in golang
# 1.10 require golang >= 1.10 # 1.10 require golang >= 1.10
@ -339,6 +341,7 @@ This package contains a tool for validating Ignition configurations.
# setup command reference: http://ftp.rpm.org/max-rpm/s1-rpm-inside-macros.html # setup command reference: http://ftp.rpm.org/max-rpm/s1-rpm-inside-macros.html
# unpack source0 and apply patches # unpack source0 and apply patches
%setup -T -b 0 -q -n %{repo}-%{commit} %setup -T -b 0 -q -n %{repo}-%{commit}
%patch0 -p1
# unpack source1 (dracut modules) # unpack source1 (dracut modules)
%setup -T -D -a 1 -q -n %{repo}-%{commit} %setup -T -D -a 1 -q -n %{repo}-%{commit}
@ -485,6 +488,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%endif %endif
%changelog %changelog
* Wed Mar 27 2019 Benjamin Gilbert <bgilbert@backtick.net> - 2.0.0-alpha.2.git906cf04
- Backport fix for SELinux relabeling of systemd units
* Wed Mar 27 2019 Jonathan Lebon <jonathan@jlebon.com> - 2.0.0-alpha.1.git906cf04 * Wed Mar 27 2019 Jonathan Lebon <jonathan@jlebon.com> - 2.0.0-alpha.1.git906cf04
- New release 2.0.0-alpha - New release 2.0.0-alpha
- ignition-dracut: Go back to master branch - ignition-dracut: Go back to master branch