From 55a4433ebf7458f69c791dc69cff32d522afdfd0 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Sat, 26 Oct 2024 15:53:58 -0500
Subject: [PATCH] fix: handle new F41 selinux policies for sulogin-generator (#654)
---
 install.sh | 6 ++
 .../system-generators/ublue-sulogin-generator | 65 -------------------
 2 files changed, 6 insertions(+), 65 deletions(-)
 delete mode 100755 sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator
diff --git a/install.sh b/install.sh
index 6f511ed7..d09d96ed 100755
--- a/install.sh
+++ b/install.sh
@@ -66,6 +66,12 @@ fi
 ## install packages direct from github
 /ctx/github-release-install.sh sigstore/cosign x86_64
+# use CoreOS' generator for emergency/rescue boot
+# see detail: https://github.com/ublue-os/main/issues/653
+CSFG=/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
+curl -sSLo ${CSFG} https://raw.githubusercontent.com/coreos/fedora-coreos-config/refs/heads/stable/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
+chmod +x ${CSFG}
+
 if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
 /ctx/initramfs.sh
 fi
diff --git a/sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator b/sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator
deleted file mode 100755
index ebee5d35..00000000
--- a/sys_files/usr/lib/systemd/system-generators/ublue-sulogin-generator
+++ /dev/null
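Review bot: The added `curl -sSLo ${CSFG} …/refs/heads/stable/…` line in install.sh fetches a systemd generator, which systemd executes as root at boot, from a moving branch with no integrity check, so whatever that URL serves at build time is baked into the image unreviewed. Because `--fail` is missing, an HTTP error body would also be written to `${CSFG}` and then marked executable by `chmod +x` instead of failing the build. Pin the URL to the upstream commit that was actually reviewed, verify a recorded SHA-256 before the `chmod`, and quote `${CSFG}`; the commit and digest in the sketch below are labelled placeholders. Whether install.sh runs under `set -e` is not visible in this hunk, so the sketch exits explicitly on failure.

```shell
CSFG=/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
# placeholders: fill in from the upstream commit that was actually reviewed
CSFG_COMMIT="REVIEWED_COMMIT_SHA_PLACEHOLDER"
CSFG_SHA256="EXPECTED_SHA256_PLACEHOLDER"
curl --fail -sSLo "${CSFG}" \
  "https://raw.githubusercontent.com/coreos/fedora-coreos-config/${CSFG_COMMIT}/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator" \
  || exit 1
# refuse to install a generator whose content differs from the reviewed copy
echo "${CSFG_SHA256}  ${CSFG}" | sha256sum --check --quiet - || exit 1
chmod +x "${CSFG}"
# … unchanged: KERNEL_VERSION check and initramfs.sh call …
```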
@@ -1,65 +0,0 @@ -#!/usr/bin/bash - -# This systemd.generator(7) detects if rescue or emergency targets were -# requested from the kernel cmdline; if so, it overrides the respective -# target to set force sulogin, allowing use of rescue/emergency targets -# on systems with locked root password (as is Fedora default). -# -# This does NOT bypass locked root password on a fsck failure, but WILL -# bypass when rescue/emergency targets are chosen from kernel cmdline. -# Since this requires console/grub access, it is assumed to be at least -# as secure as a user reset of the root password using grub to modify -# the kernel cmdline with init=/bin/bash . -# -# NOTE: the SYSTEMD_SULOGIN_FORCE method used here does not bypass any -# assigned password; root password is only bypassed when locked/unset. - -export PATH="/usr/bin:/usr/sbin:${PATH}" -if [ -n "$1" ]; then - # If invoked with arguments (not testing) log to kmsg - # https://github.com/systemd/systemd/issues/15638 - exec 1>/dev/kmsg; exec 2>&1 -fi - -# If invoked with no arguments (for testing) write to /tmp -UNIT_DIR="${1:-/tmp}" - -set -euo pipefail - -have_some_karg() { - local args=("$@") - IFS=" " read -r -a cmdline <<< "$( "${out_dir}/sulogin-force.conf" <