build_library: set correct SELinux contexts in final images#368
Closed
8 tasks
pothos
reviewed
Jul 7, 2022
pothos
reviewed
Jul 7, 2022
pothos
reviewed
Jul 7, 2022
1 task
70075fc to
5a9381c
Compare
5a9381c to
4a2f054
Compare
jepio
reviewed
Aug 12, 2022
build_packages
Outdated
| # build and label the system before generating torcx image. | ||
| info "Label the build root" | ||
| sudo chroot "${BOARD_ROOT}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp" | ||
| sudo setfiles -Dv -r "${BOARD_ROOT}" "${BOARD_ROOT}"/etc/selinux/mcs/contexts/files/file_contexts "${BOARD_ROOT}" |
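Review bot: the `setfiles -Dv` call on the last line runs over the whole `${BOARD_ROOT}` with `-v`, so every relabeled path is written to the build log, and `-D` additionally maintains directory digest xattrs that nothing later in these lines uses; consider dropping both flags unless they are wanted for debugging. The policy name `mcs` is also hard-coded three times across the two commands (`/usr/share/selinux/mcs`, `-s mcs`, `/etc/selinux/mcs/contexts/files/file_contexts`), so a single variable would keep the module store and the `file_contexts` path in sync. In the `semodule` line, the `*.pp` glob is passed through literally if the directory contains no policy modules, which would fail with an unhelpful error; a check that at least one `.pp` file exists would make that case explicit.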
Member
setfiles is a cool idea, but doing it in build_packages is not useful, because the images are not built from the files in BOARD_ROOT. This would have to happen somewhere in build_image and in build_torcx_store.
Member
Also came across this: https://github.com/gardenlinux/gardenlinux/blob/main/bin/makepart#L20-L22
b7d9a63 to
42ff444
Compare
42ff444 to
67abbed
Compare
67abbed to
1f26e11
Compare
1f26e11 to
9a658e1
Compare
5134d91 to
b510a48
Compare
174c2a9 to
1b9c992
Compare
0eb84a0 to
d7e8a99
Compare
`setfiles` can be used to directly set the SELinux labels on a root filesystem based on the values in `file_contexts`.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
d7e8a99 to
759559f
Compare
Contributor
Author
Closed in favor of #666 (:imp:)
Member
Can you rather rebase? My PR only did the labeling for
build_packages: use setfiles to label the system
`setfiles` can be used to directly set the SELinux labels on a root filesystem based on the values in `file_contexts`.