Mm I found: > label=nested: Allows SELinux modifications within the container. Containers are allow

A

akdevOP•7/30/23, 3:10 AM

This could be the solution

Aakdev Mm I found: > label=nested: Allows SELinux modifications within the container. ...

G

Gerblesh•7/30/23, 3:15 AM

Ah

G

Gerblesh•7/30/23, 3:15 AM

Do we want to try to fix the podman build action then?

A

akdevOP•7/30/23, 3:20 AM

I tried locally and it looks like it doesn't fix this

A

akdevOP•7/30/23, 3:43 AM

it's more complex than I thought:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems

To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the root user, use the mount -o context=SELinux_user:role:type:level command when mounting the required file system.

Newly-created files and directories on this file system appear to have the SELinux context specified with -o context. However, since these changes are not written to disk, the context specified with this option does not persist between mounts.

so:

podman sets context=container_t
this stops restorecon from working
no clue what that means for ostree

A

akdevOP•7/30/23, 3:45 AM

on another note I found out this super cool podman usage:

sudo podman run \
  --privileged \
  --rm -it \
  --security-opt label=disable \
  -v /sys/fs/selinux:/sys/fs/selinux \
  -v /etc/selinux/config:/etc/selinux/config:ro \
  --userns=host \
  -v "$HOME:$HOME" \
  --rootfs /:O \
  /bin/bash

sudo podman run \
  --privileged \
  --rm -it \
  --security-opt label=disable \
  -v /sys/fs/selinux:/sys/fs/selinux \
  -v /etc/selinux/config:/etc/selinux/config:ro \
  --userns=host \
  -v "$HOME:$HOME" \
  --rootfs /:O \
  /bin/bash

sudo podman run \
  --privileged \
  --rm -it \
  --security-opt label=disable \
  -v /sys/fs/selinux:/sys/fs/selinux \
  -v /etc/selinux/config:/etc/selinux/config:ro \
  --userns=host \
  -v "$HOME:$HOME" \
  --rootfs /:O \
  /bin/bash

sudo podman run \
  --privileged \
  --rm -it \
  --security-opt label=disable \
  -v /sys/fs/selinux:/sys/fs/selinux \
  -v /etc/selinux/config:/etc/selinux/config:ro \
  --userns=host \
  -v "$HOME:$HOME" \
  --rootfs /:O \
  /bin/bash

the

--rootfs /:O

--rootfs /:O

--rootfs /:O

--rootfs /:O mounts the rootfs from your current system into a temporary overlay(rw) then puts you inside that

Aakdev on another note I found out this super cool podman usage: ```bash sudo podman r...

G

Gerblesh•7/30/23, 4:06 AM

Is there any way to get around this or is it just an inherent limitation then?

G

Gerblesh•7/30/23, 4:07 AM

How does ostree/rpm-ostree handle it?

G

Gerblesh•7/30/23, 4:07 AM

Because they do have SELinux policies loaded by default

G

Gerblesh•7/30/23, 4:08 AM

Idk of those are from the OCI

G

Gerblesh•7/30/23, 4:09 AM

Might want to see if there's a way to define it in ostree?

A

akdevOP•7/30/23, 4:10 AM

what I am thinking that happens is that ostree is running restorecon on the deployment

G

Gerblesh•7/30/23, 4:12 AM

Hmmmm

G

Gerblesh•7/30/23, 4:12 AM

How do we define it in ostree?

G

Gerblesh•7/30/23, 4:13 AM

That's the question

A

akdevOP•7/30/23, 4:17 AM

looks like I was right about that, they relabel on deployment:

https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L799

https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L737C8-L737C34

https://github.com/ostreedev/ostree/blob/main/src/libostree/ostree-sepolicy.c#L593

A

akdevOP•7/30/23, 4:17 AM

mm I think

ostree_sepolicy_restorecon()

ostree_sepolicy_restorecon()

ostree_sepolicy_restorecon()

ostree_sepolicy_restorecon() might be buggy from ostree

A

akdevOP•7/30/23, 4:19 AM

according to this ostree is trying to follow the selinux policy

A

akdevOP•7/30/23, 4:20 AM

this is reimplementing

restorecon

restorecon

restorecon

restorecon

G

Gerblesh•7/30/23, 4:26 AM

So the issue was in the right place?

G

Gerblesh•7/30/23, 4:27 AM

rpm-ostree?

A

akdevOP•7/30/23, 4:28 AM

no, just plain ostree

G

Gerblesh•7/30/23, 4:29 AM

Ah

R

Robert•7/30/23, 10:04 AM

That could have been bad...

S

Sofie•7/30/23, 1:00 PM

https://media.discordapp.net/attachments/1074422586894712912/1135190591974682734/Screenshot_20230730_154148.png

S

Sofie•7/30/23, 1:00 PM

How do I fix this?

RRobert 😬 That could have been bad...

A

akdevOP•7/30/23, 1:01 PM

Didn’t it delete your homedir?

Aakdev Didn’t it delete your homedir?

R

Robert•7/30/23, 1:02 PM

Na. Luckily it wasn't my silverblue system

GGerblesh rpm-ostree?

A

akdevOP•7/30/23, 1:58 PM

ok I think i figured it out, ostree unpacks the tar file inside the container image and looks at the selinux policy inside

/usr/etc/selinux

/usr/etc/selinux

/usr/etc/selinux

/usr/etc/selinux based on this it will relabel the final system

greetd

greetd

greetd

greetd doesn't actually ship any policy (huh?) but rather they just label their files at build time and hope that the destination will keep those changes but

podman

podman

basically destroys that information due to overlayfs

A

akdevOP•7/30/23, 2:00 PM

the workaround is to ship this file: https://src.fedoraproject.org/rpms/greetd/blob/rawhide/f/greetd.fc

in

/usr/etc/selinux/targeted/contexts/files/file_contexts.greetd

/usr/etc/selinux/targeted/contexts/files/file_contexts.greetd

/usr/etc/selinux/targeted/contexts/files/file_contexts.greetd

/usr/etc/selinux/targeted/contexts/files/file_contexts.greetd

A

akdevOP•7/30/23, 2:01 PM

this should make ostree pickup the correct label at deployment time

A

akdevOP•7/30/23, 2:08 PM

oh they actually ship the policy but it is in binary form

A

akdevOP•7/30/23, 2:21 PM

https://github.com/ostreedev/ostree-rs-ext/issues/510

A

akdevOP•7/30/23, 2:24 PM

now I know a lot about ostree I guess

T

tn•7/30/23, 5:18 PM

Does

rpm-ostree install

rpm-ostree install

have an equivalent to dnf's

--enablerepo

--enablerepo

--enablerepo

--enablerepo flag to specify which repo a package should come from? I'm trying to replace a single library with one from rawhide in a custom image.

T

tn•7/30/23, 5:19 PM

I could probably just grab the rpm file directly by url but I'd like to make sure it stays up to date

Ttn Does `rpm-ostree install` have an equivalent to dnf's `--enablerepo` flag to spe...

K

Kyle Gospo•7/30/23, 5:21 PM

install doesn't but replace does

K

Kyle Gospo•7/30/23, 5:21 PM

hold on

K

Kyle Gospo•7/30/23, 5:21 PM

# Install newer Xwayland
RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:kylegospo:gnome-vrr xorg-x11-server-Xwayland

# Install newer Xwayland
RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:kylegospo:gnome-vrr xorg-x11-server-Xwayland

# Install newer Xwayland
RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:kylegospo:gnome-vrr xorg-x11-server-Xwayland

# Install newer Xwayland
RUN rpm-ostree override replace --experimental --from repo=copr:copr.fedorainfracloud.org:kylegospo:gnome-vrr xorg-x11-server-Xwayland

B

bsherman•7/30/23, 5:27 PM

Hey y'all... so I put together a draft PR in response to an "investigate" ticket...

I think the implementation is fine, though I'm personally on the fence about whether or not we actually want the change. I'm truly indifferent.

I'd love to get some feedback, a vote maybe, on this one.

https://github.com/ublue-os/config/pull/81

GitHub

feat: add repair and uninstall unused flatpak maintenance tasks by ...

Improves upon the existing flatpak update service unit.
closes #14

KKyle Gospo ```# Install newer Xwayland RUN rpm-ostree override replace --experimental --fro...

T

tn•7/30/23, 5:31 PM

Looks like for rawhide I have to install the rawhide repo into

/etc/yum.repos.d

/etc/yum.repos.d

then use the

--from repo='rawhide'

--from repo='rawhide'

--from repo='rawhide'

--from repo='rawhide' flag

T

tn•7/30/23, 5:31 PM

Does anyone know if rawhide is added to yum.repos.d will other packages installed with

rpm-ostree install

rpm-ostree install

still come from the stable repos?

T

tn•7/30/23, 5:32 PM

I would hope that's the case, will test real quick

T

tn•7/30/23, 5:42 PM

Ok I think I'm just going to sed rawhide's enabled to 1, install what I need, and sed it back to 0

T

tn•7/30/23, 5:42 PM

Looks like it's 0 by default

T

tn•7/30/23, 5:46 PM

Got it, wlroots is compiling now

T

tn•7/30/23, 5:47 PM

Making an image for nvidia-patched hyprland btw

T

tn•7/30/23, 6:19 PM

Also it seems like

mkdir -p

mkdir -p

mkdir -p

mkdir -p isn't working right in scripts. I'm trying to create /usr/local/include but I'm getting

 mkdir: cannot create directory '/usr/local': File exists

mkdir: cannot create directory '/usr/local': File exists

 mkdir: cannot create directory '/usr/local': File exists

mkdir: cannot create directory '/usr/local': File exists . I thought the p flag was supposed to ignore these errors

J

j0rge•7/30/23, 6:22 PM

you can't do

/usr/local

/usr/local

T

tn•7/30/23, 6:28 PM

In that case what would be the approprate place for the

include

include

directory?

Mm I found: > label=nested: Allows SELinux modifications within the container. Containers are allow

Similar Threads

Similar Threads

Similar Threads