From d515c319e7423059d791acbf52e9e08a31b873e7 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Mon, 29 Jan 2024 15:46:03 -0500
Subject: [PATCH] install: Ensure we label `/` (and `/boot`)

This came out of a discussion with bootc-image-builder, which has this issue right now:
https://github.com/osbuild/bootc-image-builder/issues/149

As I noted in that issue, I think it's basically been working here because we always write to a real fresh filesystem, but let's be very explicit.

There's a notable tricky bootstrapping we're solving here around "what's the label of `/`" because we know we are running the target OS as a container image already.

Signed-off-by: Colin Walters
---
 lib/src/install.rs     | 10 ++++++++++
 tests/kolainst/install |  3 +++
 2 files changed, 13 insertions(+)

diff --git a/lib/src/install.rs b/lib/src/install.rs
index a95f5a59a..f432898d4 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -445,6 +445,10 @@ async fn initialize_ostree_root_from_self(
     let rootfs = root_setup.rootfs.as_path();
     let cancellable = gio::Cancellable::NONE;
 
+    // Ensure that the physical root is labeled.
+    // Another implementation: https://github.com/coreos/coreos-assembler/blob/3cd3307904593b3a131b81567b13a4d0b6fe7c90/src/create_disk.sh#L295
+    state.lsm_label(rootfs, "/".into(), false)?;
+
     // TODO: make configurable?
     let stateroot = STATEROOT_DEFAULT;
     Task::new_and_run(
@@ -453,6 +457,12 @@ async fn initialize_ostree_root_from_self(
         ["admin", "init-fs", "--modern", rootfs.as_str()],
     )?;
 
+    // And also label /boot AKA xbootldr, if it exists
+    let bootdir = rootfs.join("boot");
+    if bootdir.try_exists()? {
+        state.lsm_label(&bootdir, "/boot".into(), false)?;
+    }
+
     // Default to avoiding grub2-mkconfig etc., but we need to use zipl on s390x.
     // TODO: Lower this logic into ostree proper.
     let bootloader = if cfg!(target_arch = "s390x") {
diff --git a/tests/kolainst/install b/tests/kolainst/install
index 121dc2af7..545f723b4 100755
--- a/tests/kolainst/install
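Review bot: The comment above `state.lsm_label(rootfs, "/".into(), false)?;` says only that the root is labeled, but the non-obvious part is that the label is looked up for the path `"/"` while being applied to `rootfs`, the mount point of the target disk — this works only because the installer runs as the target OS container and so consults the target's policy, which is the bootstrapping the commit message describes but the code does not. Suggest replacing the first comment line with `// Ensure the physical root is labeled: look up the label the target OS policy assigns to "/" (we are running as that OS) and apply it to the mount point of the new filesystem.`. The trailing bare `false` is also unreadable at the call site; if it is a recurse flag (the signature is outside this hunk), `/* recurse */ false` would make it clear that nothing created later under `rootfs` is covered by this call. The enclosing `initialize_ostree_root_from_self` starts before and ends after the hunk.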
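Review bot: The `if bootdir.try_exists()?` guard silently skips the `/boot` label when `rootfs/boot` is absent, and the comment `// And also label /boot AKA xbootldr, if it exists` does not say when absence is expected: if the `ostree admin init-fs` run just above always creates `boot`, the branch never skips and a missing directory would be better surfaced as an error; if `boot` is present only when a separate boot partition was mounted there (which the `xbootldr` wording suggests), that should be stated so the next reader knows the skip is deliberate. Note also that `try_exists` follows symlinks, so a `boot` symlink would be labeled at its target rather than skipped. Suggest `// Label /boot (xbootldr) too. It is only present when a boot filesystem was set up at this path (TODO confirm init-fs does not create it), so absence is not an error.`. The enclosing `initialize_ostree_root_from_self` starts before and ends after the hunk.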
+++ b/tests/kolainst/install
@@ -40,6 +40,9 @@ EOF
 grep -Ee '^linux /boot/ostree' /var/mnt/loader/entries/*.conf
 umount /var/mnt
 echo "ok install"
+mount /dev/vda4 /var/mnt
+ls -dZ /var/mnt |grep ':root_t:'
+umount /var/mnt
 
 # Now test install to-filesystem
 # Wipe the device
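Review bot: The new check `ls -dZ /var/mnt |grep ':root_t:'` covers only the root label, while the commit also labels `/boot`; that half is untested. Because the installer labels `rootfs/boot` while the boot filesystem is mounted there, the label lands on the root inode of that filesystem, so the assertion belongs in the block a few lines above where the boot partition is mounted at `/var/mnt` for the loader-entries grep (that mount is outside this hunk), e.g. `ls -dZ /var/mnt | grep ':boot_t:'` before its `umount /var/mnt`, assuming the target policy's type for `/boot` is `boot_t` as in Fedora's reference policy. The hard-coded `/dev/vda4` mirrors the script's existing device assumptions, so it is acceptable here, but a space after the pipe (`| grep`) would match the rest of the file's style.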