This repository was archived by the owner on May 30, 2023. It is now read-only.
sys-apps/policycoreutils: update correct SELinux store#1502
Merged
Conversation
krnowak
reviewed
Dec 15, 2021
The policycoreutils ebuild calls `semodule` in postinst to update SELinux stores. It does not, however, tells `semodule` the correct ROOT to use, so builds that go into `/build/[arch]-usr` end up updating the SDK's store. Fixes libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link) observed when using the SDK Container to build the OS image. It now also updates the correct store, which it previously did not.
Co-authored-by: Krzesimir Nowak <knowak@microsoft.com>
e83a107 to
d0123d5
Compare
Contributor
Author
|
Rebased on latest main (for the containerd-1.5.8 tarball checksum fix). |
krnowak
approved these changes
Dec 16, 2021
Contributor
krnowak
left a comment
There was a problem hiding this comment.
Looks good (if it fixes your issue and CI is fine).
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Contributor
Author
|
Added a bugfix changelog file. |
Contributor
Author
|
CI run successful, will merge and cherry-pick for flatcar-3033, flatcar-3066, and flatcar-3087. |
t-lo
added a commit
that referenced
this pull request
Dec 16, 2021
sys-apps/policycoreutils: update correct SELinux store by t-lo
t-lo
added a commit
that referenced
this pull request
Dec 16, 2021
sys-apps/policycoreutils: update correct SELinux store by t-lo
t-lo
added a commit
that referenced
this pull request
Dec 16, 2021
sys-apps/policycoreutils: update correct SELinux store by t-lo
t-lo
added a commit
to t-lo/gentoo
that referenced
this pull request
Dec 16, 2021
The policycoreutils ebuild calls 'semodule' in postinst to update
SELinux stores. It does not, however, tells semodule the correct ROOT
to use, so installing policycoreutils in a crossdev environment will
actually update the *host's* store.
This patch adds '-S "${ROOT:-/}"' to the 'semodule' call so the correct
environment is updated.
First seen + fixed in Flatcar Container Linux:
flatcar-archive/coreos-overlay#1502
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
gentoo-bot
pushed a commit
to gentoo/gentoo
that referenced
this pull request
Dec 17, 2021
The policycoreutils ebuild calls 'semodule' in postinst to update
SELinux stores. It does not, however, tells semodule the correct ROOT
to use, so installing policycoreutils in a crossdev environment will
actually update the *host's* store.
This patch adds '-S "${ROOT:-/}"' to the 'semodule' call so the correct
environment is updated.
First seen + fixed in Flatcar Container Linux:
flatcar-archive/coreos-overlay#1502
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Closes: #23332
Signed-off-by: Sam James <sam@gentoo.org>
pothos
added a commit
that referenced
this pull request
Jan 3, 2022
The used changelog entry format in #1502 is not really useful for the release notes. This paragraph is good for the PR description or a commit message, but here should be a bullet point for the release notes. Replace the paragraph by a release notes bullet point.
pothos
reviewed
Jan 3, 2022
| @@ -0,0 +1,10 @@ | |||
| The policycoreutils ebuild calls semodule in postinst to update SELinux stores. | |||
Contributor
There was a problem hiding this comment.
This changelog entry format is not really useful for the release notes. This paragraph is good for the PR description or a commit message, but here should be a bullet point for the release notes, e.g., - SDK: Fixed build error popping up in the new SDK Container because policycoreutils used the wrong ROOT to update the SELinux store ([PR#1502](https://github.com/flatcar-linux/coreos-overlay/pull/1502))
I'll file a PR for that here: #1537
pothos
added a commit
that referenced
this pull request
Jan 25, 2022
The used changelog entry format in #1502 is not really useful for the release notes. This paragraph is good for the PR description or a commit message, but here should be a bullet point for the release notes. Replace the paragraph by a release notes bullet point.
pothos
added a commit
that referenced
this pull request
Jan 25, 2022
The used changelog entry format in #1502 is not really useful for the release notes. This paragraph is good for the PR description or a commit message, but here should be a bullet point for the release notes. Replace the paragraph by a release notes bullet point.
t-lo
pushed a commit
to flatcar/scripts
that referenced
this pull request
Apr 13, 2023
The used changelog entry format in flatcar-archive/coreos-overlay#1502 is not really useful for the release notes. This paragraph is good for the PR description or a commit message, but here should be a bullet point for the release notes. Replace the paragraph by a release notes bullet point.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The policycoreutils ebuild calls
semodulein postinst to update SELinux stores.It does not, however, tells
semodulethe correct ROOT to use, so builds that go into/build/[arch]-usrend up updating the SDK's store.Fixes
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link)
observed when using the SDK Container to build the OS image.
It now also updates the correct store, which it previously did not.
We should consider cherry-picking this patch to flatcar-3033, flatcar-3066, and flatcar-3087.
CI (running): http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/4397/cldsv/