64c18a989e
Need https://github.com/coreos/ignition/pull/1029 for https://github.com/coreos/fedora-coreos-config/pull/426#issuecomment-658867731.
From 6be9319720458c8c52dd0f5b760f5c6449775d14 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Lebon <jonathan@jlebon.com>
|
|
Date: Wed, 15 Jul 2020 12:13:12 -0400
|
|
Subject: [PATCH] files: don't relabel homedir symlinks themselves
|
|
|
|
Regression from #996. If the home directory is a symlink, then just
|
|
relabel the referent, not the symlink itself. Since the symlink already
|
|
existed, we assume that it's properly labeled.
|
|
|
|
This causes an error on the FCOS live ISO, where `/sysroot` is mounted
|
|
from the squashfs, and so is read-only. But even on non-live, we should
|
|
just assume that whatever created the `/root -> /var/roothome` symlink
|
|
labeled it correctly.
|
|
|
|
This would normally be a no-op because `setfiles` would see that it's
|
|
properly labeled and not even attempt a `setxattr`. But because we can't
|
|
yet read SELinux labels from the initrd, it thinks it's unlabeled. (That
|
|
will be fixed by https://bugzilla.redhat.com/show_bug.cgi?id=1845210).
|
|
---
|
|
internal/exec/stages/files/passwd.go | 9 ++++++---
|
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/internal/exec/stages/files/passwd.go b/internal/exec/stages/files/passwd.go
|
|
index 3ef4b00..7e4263f 100644
|
|
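--- a/internal/exec/stages/files/passwd.go
+++ b/internal/exec/stages/files/passwd.go
@@ -75,15 +75,18 @@ func (s *stage) createPasswd(config types.Config) error {
 if err != nil {
 return err
 }
- s.relabel(homedir)
 
 // Check if the homedir is actually a symlink, and make sure we
- // relabel the target too. This is relevant on OSTree-based
- // platforms, where /root is a link to /var/roothome.
+ // relabel the target instead in that case. This is relevant on
+ // OSTree-based platforms, where /root is a link to /var/roothome.
 if resolved, err := s.ResolveSymlink(homedir); err != nil {
 return err
 } else if resolved != "" {
+ // note we don't relabel the symlink itself; we assume it's
+ // already properly labeled
 s.relabel(resolved)
+ } else {
+ s.relabel(homedir)
 }
 }
 }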
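Review bot: Which single path gets an SELinux relabel now rests entirely on the return contract of `s.ResolveSymlink`, at the `else if resolved != ""` / `else` pair, and that contract is not stated anywhere in the hunk. Before this change `homedir` was always queued, so an unexpected return value could only add a relabel; now it selects the one path that is labeled, so it matters what the helper returns for a dangling link, for a link whose target is itself a link, and for an absolute target (presumably resolved against the sysroot rather than the initramfs root, since the path is later handed to `setfiles`). I would record this above the `if`, after confirming it against the helper, with something like `// ResolveSymlink returns "" when homedir is not a symlink, otherwise the target path inside the sysroot`. createPasswd starts and ends outside the hunk, so the surrounding loop and the creation of `homedir` are not visible here.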
--
|
|
2.26.2
|
|
|