Merge pull request #1556 from aleskandro/afterburn-fix-scos

OKD-223: Load custom SELinux rules in SCOS and workaround afterburn failures
openshift · Aug 7, 2024 · 1eaeec6 · 1eaeec6
2 parents 2399f3f + 2f5ea5f
commit 1eaeec6
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/kola-denylist.yaml b/kola-denylist.yaml
@@ -18,6 +18,11 @@
   osversion:
     - c9s
 
+- pattern: fips.*
+  tracker: https://github.com/openshift/os/issues/1540
+  osversion:
+    - c9s
+
 # we're missing a cri-o rebuild for 4.17, which blocks on buildroot issues
 - pattern: ext.config.version.rhaos-pkgs-match-openshift
   tracker: https://issues.redhat.com/browse/RHEL-35883

diff --git a/manifest-c9s.yaml b/manifest-c9s.yaml
@@ -26,3 +26,23 @@ mutate-os-release: "9"
 
 packages:
  - centos-stream-release
+
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    cat > /tmp/scos-workarounds.cil << EOF
+    ; https://issues.redhat.com/browse/RHEL-49735
+    (typeattributeset cil_gen_require afterburn_t)
+    (typepermissive afterburn_t)
+
+    ; https://issues.redhat.com/browse/RHEL-38614
+    (typeattributeset cil_gen_require coreos_installer_t)
+    (typepermissive coreos_installer_t)
+
+    ; https://issues.redhat.com/browse/RHEL-47033
+    (typeattributeset cil_gen_require systemd_network_generator_t)
+    (typepermissive systemd_network_generator_t)
+    EOF
+    /usr/sbin/semodule -i /tmp/scos-workarounds.cil
+    rm /tmp/scos-workarounds.cil