Make sure selinux policy is effectively applied #2406

Merged: 2 commits, Dec 17, 2023

schaefi (Collaborator) commented Dec 15, 2023

setup_selinux_file_contexts is now called after the config.sh script. This makes sure that eventual policy-related changes done in the optional config.sh are covered by a late setfiles call. In addition, setup_selinux_file_contexts is called again at the end of any chroot-based script hook. So we assume that any optional script target can change the system in a way that a new setfiles call might be required. It can happen that setfiles is called more often than required, but as we cannot know what custom scripts do, it's better to call it more often compared to not often enough. This fixes bsc#1210604

Vogtinator (Collaborator) commented

Does this effectively run after fstab.script now? If so, should work

schaefi (Collaborator, Author) commented Dec 15, 2023

> Does this effectively run after fstab.script now? If so, should work

Good point. The fstab script execution is done differently than all others; this also needs to change. I will add that.

schaefi (Collaborator, Author) commented Dec 15, 2023

@Vogtinator ok, done. Like with any other script hook, the fstab script is called through the same method and runs setfiles after execution if there is a policy and the tooling.

schaefi (Collaborator, Author) commented Dec 15, 2023

I have to test the change to make sure no regressions are introduced.

Conan-Kudo previously approved these changes Dec 15, 2023

schaefi (Collaborator, Author) commented Dec 17, 2023

Tested the code and works for me now.

Conan-Kudo merged commit a54e8d8 into master Dec 17, 2023
18 checks passed
Conan-Kudo deleted the run_setfiles_late branch December 17, 2023 16:16
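
The ordering discussed in this thread (run a chroot hook, then relabel only "if there is a policy and the tooling") can be sketched as follows. This is an added example, not the project's own code: the function names, the injected `run` callable and the hook path used when calling it are hypothetical, and the policy lookup assumes the standard `/etc/selinux/config` layout.

```python
import os
import subprocess

def selinux_type(root):
    """Return SELINUXTYPE from <root>/etc/selinux/config, or None."""
    try:
        with open(os.path.join(root, "etc/selinux/config")) as fh:
            for line in fh:
                key, _, value = line.strip().partition("=")
                if key.strip() == "SELINUXTYPE" and value.strip():
                    return value.strip()
    except OSError:
        pass
    return None

def relabel_command(root):
    """Build the setfiles call for root, or None if policy or tool is missing."""
    policy = selinux_type(root)
    if policy is None:
        return None
    spec = f"/etc/selinux/{policy}/contexts/files/file_contexts"
    tool = next((p for p in ("/usr/sbin/setfiles", "/sbin/setfiles")
                 if os.path.exists(root + p)), None)
    if tool is None or not os.path.exists(root + spec):
        return None
    # Paths are relative to the chroot; pseudo filesystems are excluded.
    return ["chroot", root, tool, "-F",
            "-e", "/proc", "-e", "/sys", "-e", "/dev", spec, "/"]

def run_hook(root, script, run=subprocess.check_call):
    """Run one hook inside the chroot, then relabel, because the hook may
    have added files or installed a policy. Returns the commands issued."""
    issued = [["chroot", root, "/bin/bash", script]]
    run(issued[0])
    # Evaluated after the hook, so a policy the hook installed is honoured.
    relabel = relabel_command(root)
    if relabel is not None:
        run(relabel)
        issued.append(relabel)
    return issued
```

Because the policy check happens after the hook has run, a script that installs or changes the policy still gets its files labelled, at the cost of an occasional redundant setfiles call.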