install: Add BOOTC_SKIP_SELINUX_HOST_CHECK
We're going to investigate support for installing SELinux-enabled
targets from a SELinux-disabled host. This environment
variable allows bypassing the check.

xref ostreedev/ostree#3151
cgwalters committed Jan 31, 2024
1 parent 2ef5b3d commit cc19a4b
Showing 2 changed files with 16 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -137,3 +137,10 @@ jobs:
--karg=foo=bar --disable-selinux --replace=alongside /target
ls -al /boot/loader/
sudo grep foo=bar /boot/loader/entries/*.conf
# TODO fix https://github.com/containers/bootc/pull/137
chattr -i / /ostree/deploy/default/deploy/*
rm /ostree/deploy/default -rf
sudo podman run --rm -ti --privileged --env BOOTC_SKIP_SELINUX_HOST_CHECK=1 --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
quay.io/centos-bootc/fedora-bootc-dev:eln bootc install to-filesystem \
--replace=alongside /target
sudo ls -ldZ / /ostree/deploy/default/deploy/* /ostree/deploy/default/deploy/*/etc
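Review bot: The new step ends with `sudo ls -ldZ / /ostree/deploy/default/deploy/* /ostree/deploy/default/deploy/*/etc`, which only prints the labels and asserts nothing, so a deployment left with wrong or missing labels after the host check is skipped still passes this job. If the intent is just to inspect output while ostreedev/ostree#3151 is investigated, a comment such as `# Labels are printed for inspection only; not yet verified` above that line would make this explicit, otherwise a grep against the expected context would turn it into a real check. The `chattr -i / /ostree/deploy/default/deploy/*` and `rm /ostree/deploy/default -rf` lines also run without `sudo` while the neighbouring commands use it; presumably the runner is already root, but if not those two commands fail before the install runs.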
9 changes: 9 additions & 0 deletions lib/src/install.rs
Expand Up @@ -707,6 +707,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
let mut ret_did_override = false;
// If the target state has SELinux enabled, we need to check the host state.
let mut g = None;
// We don't currently quite support installing SELinux enabled systems
// from SELinux disabled hosts, but this environment variable can be set
// to test it out anyways.
let skip_check_envvar = "BOOTC_SKIP_SELINUX_HOST_CHECK";
if srcdata.selinux {
let host_selinux = crate::lsm::selinux_enabled()?;
tracing::debug!("Target has SELinux, host={host_selinux}");
Expand All @@ -722,6 +726,11 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
} else if override_disable_selinux {
ret_did_override = true;
println!("notice: Target has SELinux enabled, overriding to disable")
} else if std::env::var_os(skip_check_envvar).is_some() {
eprintln!(
"Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
skip_check_envvar
);
} else {
anyhow::bail!(
"Host kernel does not have SELinux support, but target enables it by default"
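Review bot: The new branch in the second hunk tests `std::env::var_os(skip_check_envvar).is_some()`, so any value, including an empty string or `BOOTC_SKIP_SELINUX_HOST_CHECK=0`, disables the host SELinux check exactly like the `=1` the CI job sets. Since this bypass weakens a safety check, consider requiring an explicit value, e.g. `} else if std::env::var(skip_check_envvar).map_or(false, |v| v == "1") {`, or state in the comment added in the first hunk that presence alone is what matters. In that branch `ret_did_override` stays `false`, so the caller presumably proceeds as if the host could apply labels; a short comment there noting that the resulting install may be mislabeled would help the next reader, given the rest of `reexecute_self_for_selinux_if_needed` continues outside the hunk. The sibling override branch reports via `println!` while this one uses `eprintln!`; picking one stream for both notices would be more consistent.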
