Backport semanage bug workaround
I.e. https://github.com/coreos/rpm-ostree/pull/4122, for https://github.com/openshift/os/issues/1036.
This commit is contained in:
parent
3f8c02559f
commit
91907e91bc
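--- a/0001-libpriv-postprocess-work-around-semanage-bug.patch
+++ b/0001-libpriv-postprocess-work-around-semanage-bug.patch
@@ -0,0 +1,71 @@
+From 479050e7540dc90de9ec6f49960b98e095537224 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Wed, 2 Nov 2022 12:19:09 -0400
+Subject: [PATCH] libpriv/postprocess: work around semanage bug
+
+There is a bug in the latest semanage code which causes an invocation of
+`semodule --rebuild-if-modules-changed` to still write a policy even
+though nothing changed since a full policy build. On FCOS and RHCOS,
+this bug is triggered as early as `ostree admin deploy` in cosa when
+creating the disk images. This results in shipping images with a policy
+diff baked in.
+
+Hack around this by immediately rerunning
+`semodule --rebuild-if-modules-changed` after building the policy.
+
+Fixes: https://github.com/openshift/os/issues/1036
+---
+src/libpriv/rpmostree-postprocess.cxx | 20 +++++++++++++++-----
+tests/kolainst/nondestructive/misc.sh | 5 +++++
+2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
+index fc5c3cb0..bfadaa73 100644
+--- a/src/libpriv/rpmostree-postprocess.cxx
++++ b/src/libpriv/rpmostree-postprocess.cxx
+@@ -387,11 +387,21 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
+{
+g_print ("Recompiling policy\n");
+
+- /* Now regenerate SELinux policy so that postprocess scripts from users and from us
+- * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
+- rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
+- ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
+- error);
++ {
++ /* Now regenerate SELinux policy so that postprocess scripts from users and from us
++ * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
++ rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
++ ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
++ error);
++ }
++
++ /* Temporary workaround for https://github.com/openshift/os/issues/1036. */
++ {
++ rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-n"),
++ rust::String ("--rebuild-if-modules-changed") };
++ ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
++ error);
++ }
+}
+
+auto container = treefile.get_container ();
+diff --git a/tests/kolainst/nondestructive/misc.sh b/tests/kolainst/nondestructive/misc.sh
+index f98a13f0..e43dc87d 100755
+--- a/tests/kolainst/nondestructive/misc.sh
++++ b/tests/kolainst/nondestructive/misc.sh
+@@ -7,6 +7,11 @@ cd $(mktemp -d)
+libtest_prepare_offline
+libtest_enable_repover 0
+
++# Sanity-check the policy isn't marked as modified
++if ostree admin config-diff | grep 'selinux/targeted/policy'; then
++ assert_not_reached "selinux policy is marked as modified"
++fi
++
+# Ensure multicall is correctly set up and working.
+R_O_DIGEST=$(sha512sum $(which rpm-ostree) | cut -d' ' -f1)
+O_C_DIGEST=$(sha512sum $(which /usr/libexec/libostree/ext/ostree-container) | cut -d' ' -f1)
+--
+2.38.1
+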
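Review bot: The comment `/* Temporary workaround for https://github.com/openshift/os/issues/1036. */` on the second `semodule` block says neither what the extra run does nor when it can be removed, so the workaround is likely to outlive the semanage bug it papers over; I'd expand it to `/* Temporary workaround for https://github.com/openshift/os/issues/1036: a buggy semanage rewrites the policy on the next --rebuild-if-modules-changed even right after a full -B build, so run it once here so the shipped tree carries no spurious policy diff. Remove once the fixed semanage ships in FCOS/RHCOS. */`. The `-n` passed to both invocations is presumably there to avoid loading the freshly built policy into the build host's kernel; stating that in the first block's comment would help the next reader. Since this file is a verbatim backport of the upstream PR, the wording change belongs upstream first and can be picked up on the next rebase. The enclosing postprocess_final starts and ends outside the hunk.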
@ -4,7 +4,7 @@
|
|||||||
Summary: Hybrid image/package system
|
Summary: Hybrid image/package system
|
||||||
Name: rpm-ostree
|
Name: rpm-ostree
|
||||||
Version: 2022.15
|
Version: 2022.15
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: https://github.com/coreos/rpm-ostree
|
URL: https://github.com/coreos/rpm-ostree
|
||||||
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
|
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
|
||||||
@ -12,6 +12,7 @@ URL: https://github.com/coreos/rpm-ostree
|
|||||||
Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
|
Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
|
||||||
|
|
||||||
Patch0: 0001-util-Fix-fpermissive-warning.patch
|
Patch0: 0001-util-Fix-fpermissive-warning.patch
|
||||||
|
Patch1: 0001-libpriv-postprocess-work-around-semanage-bug.patch
|
||||||
|
|
||||||
ExclusiveArch: %{rust_arches}
|
ExclusiveArch: %{rust_arches}
|
||||||
|
|
||||||
@ -236,6 +237,10 @@ $PYTHON autofiles.py > files.devel \
|
|||||||
|
|
||||||
%files devel -f files.devel
|
%files devel -f files.devel
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 02 2022 Jonathan Lebon <jonathan@jlebon.com> - 2022.15-3
|
||||||
|
- Backport semanage bug workaround
|
||||||
|
https://github.com/coreos/rpm-ostree/pull/4122
|
||||||
|
|
||||||
* Tue Nov 01 2022 Colin Walters <walters@verbum.org> - 2022.15-2
|
* Tue Nov 01 2022 Colin Walters <walters@verbum.org> - 2022.15-2
|
||||||
- https://github.com/coreos/rpm-ostree/releases/tag/v2022.15
|
- https://github.com/coreos/rpm-ostree/releases/tag/v2022.15
|
||||||
|
|
||||||
|