Jyields system_u:object_r:container_file_t:s0:c119,c174. seems wrong, but i don't know what i'm talking about on this.
AIt is wrong indeed
Acontainer_file_t is the default label for files created by a container
AAsystem_u:object_r:xdm_exec_t,s0
Shey? when updating my distrobox fedora 39 container it says: Unpack error: shadow-utils-2:4.13-8.fc39.x86_64 and in the logs its cpio: cap_set_file failed - No data available
Jright, well i suppose we have our reproducer then
ACould you try
rpm -E '%{with selinux}' inside the container?AI’m looking at different ways that this could be skipped
AIf that commands prints 0 then that could be the reason
Jit does print 0
ACould you try on your fedora system? It should print 1
AIf this prints 0 the package will skip selinux labeling
Sis this like official https://marketplace.visualstudio.com/items?itemName=skellock.just
Extension for Visual Studio Code - Provides syntax and recipe launcher for Just scripts.
Sprobably not
Sjust looking for extensions for just
AMm prints 0 on my fedora system (outside the container too)
Jsestatus reports disabled, though i'm not sure selinux has to be reported as enabled to have proper file labeling
AIt does, sort of - but the report can inaccurate from within a container
AThe kernel actually needs to have selinux enabled at least in permissive mode or it won’t do any file labeling
AWithin a container the report may be inaccurate due to lack of permissions, even if the underlying kernel has selinux enabled it can report disabled
Bi replied... i do have mild concern... mostly that it's not adding clear value and could add confusion.
Amm
getenforce and sestatus just straight up lie in a container contextAAah,
libselinux is looking for two things:/sys/fs/selinux needs to be mounted and /etc/selinux/config also needs to be mountedAbut even after this:
Athe bug is actually reproducible on regular fedora container
Aand it is also reproducible by installing gdm
Jyeah i mean the fact that everything is getting labeled similarly is good since it's not a snowflake problem. but i have no idea how to fix this - assuming the container labeling is related to preventing breakouts
GThere was an issue for this
AI’m not really sure what relabels the file
GIn rpm-ostree
GGitHub
Host system details State: idle Deployments: ● ostree-unverified-image:containers-storage:localhost/swtpm-test Digest: sha256:142d1951e54e6cdb10cfe7f385d1be569772f8928b73ac5708625ed87e37d553 Versio...
ANo, this is reproducible in a regular fedora container
AAh I remember this swtpm issue
AI can use that to verify too
AIn a regular fedora container that is running as unconfined_u the resulting files should have unlabeled_t as part of their context
ABut instead it gives me container_file_t
GSo it's a podman issue?
Arestorecon fails due to
lsetxattr() call failing
AI do think so
AI’m not sure why lsetxattr is failing when my container is running as rootful and —privileged
GGitHub
Issue Description In CI, with updated Rawhide, and Fedora images (c20230706t200047z-f38f37d13 at time of opening issue), the entire matrix fails on three tests with the same/similar error: Failed t...
GNvm
GDoesn't seem to be the right issue
AYeah looks like they actually get unlabeled_t there when they shouldn’t
Athe weird thing is that if I do like
touch test then that file is unlabeled_tABut the files installed via rpm get container_file_t
GWhar
Show initate a release-please action manually?
