install: Change no-SELinux -> SELinux to a warning && serialize to aleph #420

Merged
merged 3 commits into from
Mar 25, 2024


cgwalters
Collaborator

install: Change no-SELinux -> SELinux to a warning

We believe we have almost all the labeling work here covered,
so degrade this to a warning.

Signed-off-by: Colin Walters [email protected]


install: Change SELinux state into enum, serialize to aleph

We want to support the "installing SELinux target from SELinux-disabled
host" - but in case we run into problems, let's serialize the state
of things at install time into the aleph data, for the same reason
we save other relevant environmental data like the kernel version.

Signed-off-by: Colin Walters [email protected]


@cgwalters
Collaborator Author

cc osbuild/osbuild#1682 which motivated this

@cgwalters
Collaborator Author

Also @ckyrouac - this issue was also what you hit originally right way back? I guess now that we have podman-bootc to streamline this it matters less, but I am curious if this direct support would help you now.

@cgwalters
Collaborator Author

(Or of course, maybe we just try to kill off the "setenforce 0" path because it shouldn't be necessary anymore...)

@henrywang
Contributor

TF can't deploy aarch64 runner this weekend. I'll ping TF guys on Monday.

This avoids a dead code warning on newer rustc.

Also, it's just better because if we fail to re-invoke `setenforce 1`
this should be a fatal error probably.

Signed-off-by: Colin Walters <[email protected]>
// At this point, all other threads should be gone.
if let Some(state) = Arc::into_inner(state) {
// If we had invoked `setenforce 0`, then let's re-enable it.
match state.selinux_state {
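Review bot: the `if let Some(state) = Arc::into_inner(state)` guard skips the re-enable step whenever another `Arc` clone is still alive, and no `else` arm is visible in these lines. Since this block exists to undo an earlier `setenforce 0`, a silent skip would leave the host without enforcement restored; consider handling the `None` case explicitly (return an error, or at least log a warning) so it matches the commit message's intent that failing to re-invoke `setenforce 1` should be fatal.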
Contributor


clippy prefers `if let` here since it's only destructuring a single pattern... but there's also other preexisting things it's complaining about, so I'll just let a few accumulate and do a separate PR to clean them up all at once.

@jeckersb jeckersb merged commit 81fbd24 into containers:main Mar 25, 2024
15 checks passed
Labels
area/install Issues related to `bootc install`