91907e91bc
I.e. https://github.com/coreos/rpm-ostree/pull/4122, for https://github.com/openshift/os/issues/1036.
72 lines
3.2 KiB
Diff
72 lines
3.2 KiB
Diff
From 479050e7540dc90de9ec6f49960b98e095537224 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Lebon <jonathan@jlebon.com>
|
|
Date: Wed, 2 Nov 2022 12:19:09 -0400
|
|
Subject: [PATCH] libpriv/postprocess: work around semanage bug
|
|
|
|
There is a bug in the latest semanage code which causes an invocation of
|
|
`semodule --rebuild-if-modules-changed` to still write a policy even
|
|
though nothing changed since a full policy build. On FCOS and RHCOS,
|
|
this bug is triggered as early as `ostree admin deploy` in cosa when
|
|
creating the disk images. This results in shipping images with a policy
|
|
diff baked in.
|
|
|
|
Hack around this by immediately rerunning
|
|
`semodule --rebuild-if-modules-changed` after building the policy.
|
|
|
|
Fixes: https://github.com/openshift/os/issues/1036
|
|
---
|
|
src/libpriv/rpmostree-postprocess.cxx | 20 +++++++++++++++-----
|
|
tests/kolainst/nondestructive/misc.sh | 5 +++++
|
|
2 files changed, 20 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
|
|
index fc5c3cb0..bfadaa73 100644
|
|
--- a/src/libpriv/rpmostree-postprocess.cxx
|
|
+++ b/src/libpriv/rpmostree-postprocess.cxx
|
|
@@ -387,11 +387,21 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
|
|
{
|
|
g_print ("Recompiling policy\n");
|
|
|
|
- /* Now regenerate SELinux policy so that postprocess scripts from users and from us
|
|
- * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
|
|
- rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
|
|
- ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
|
|
- error);
|
|
+ {
|
|
+ /* Now regenerate SELinux policy so that postprocess scripts from users and from us
|
|
+ * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
|
|
+ rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
|
|
+ ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
|
|
+ error);
|
|
+ }
|
|
+
|
|
+ /* Temporary workaround for https://github.com/openshift/os/issues/1036. */
|
|
+ {
|
|
+ rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-n"),
|
|
+ rust::String ("--rebuild-if-modules-changed") };
|
|
+ ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
|
|
+ error);
|
|
+ }
|
|
}
|
|
|
|
auto container = treefile.get_container ();
|
|
diff --git a/tests/kolainst/nondestructive/misc.sh b/tests/kolainst/nondestructive/misc.sh
|
|
index f98a13f0..e43dc87d 100755
|
|
--- a/tests/kolainst/nondestructive/misc.sh
|
|
+++ b/tests/kolainst/nondestructive/misc.sh
|
|
@@ -7,6 +7,11 @@ cd $(mktemp -d)
|
|
libtest_prepare_offline
|
|
libtest_enable_repover 0
|
|
|
|
+# Sanity-check the policy isn't marked as modified
|
|
+if ostree admin config-diff | grep 'selinux/targeted/policy'; then
|
|
+ assert_not_reached "selinux policy is marked as modified"
|
|
+fi
|
|
+
|
|
# Ensure multicall is correctly set up and working.
|
|
R_O_DIGEST=$(sha512sum $(which rpm-ostree) | cut -d' ' -f1)
|
|
O_C_DIGEST=$(sha512sum $(which /usr/libexec/libostree/ext/ostree-container) | cut -d' ' -f1)
|
|
--
|
|
2.38.1
|
|
|