Skip to content

Commit

Permalink
Ensure root_t label for /store
Browse files Browse the repository at this point in the history
The way osbuild works is to synthesize a filesystem tree in the
store, then copy it to the disk.  This ensures the label for the
store is `root_t` which ends up being the labeling for
the "infrastructure" bits in the `/ostree` repository in the
target root.

This in turn is blocking a lot of things.

Closes: #149
  • Loading branch information
cgwalters committed Mar 6, 2024
1 parent 741b128 commit a2b72a5
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 3 deletions.
2 changes: 1 addition & 1 deletion bib/cmd/bootc-image-builder/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -237,7 +237,7 @@ func cmdBuild(cmd *cobra.Command, args []string) error {
if err := setup.Validate(); err != nil {
return err
}
if err := setup.EnsureEnvironment(); err != nil {
if err := setup.EnsureEnvironment(osbuildStore); err != nil {
return err
}

Expand Down
13 changes: 11 additions & 2 deletions bib/internal/setup/setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,21 @@ import (

// EnsureEnvironment mutates external filesystem state as necessary
// to run in a container environment. This function is idempotent.
func EnsureEnvironment() error {
func EnsureEnvironment(storePath string) error {
osbuildPath := "/usr/bin/osbuild"
if util.IsMountpoint(osbuildPath) {
return nil
}

// A hardcoded security label from Fedora derivatives
// Forcibly label the store to ensure we're not grabbing container labels
rootType := "system_u:object_r:root_t:s0"
// This papers over the lack of ensuring correct labels for the /ostree root
// in the existing pipeline
if err := util.RunCmdSync("chcon", rootType, storePath); err != nil {
return err
}

// A hardcoded security label from Fedora derivatives for osbuild
// TODO: Avoid hardcoding this by using either host policy lookup
// Or eventually depend on privileged containers just having this capability.
//
Expand Down Expand Up @@ -53,6 +61,7 @@ func EnsureEnvironment() error {
if err := util.RunCmdSync("mount", "--bind", destPath, osbuildPath); err != nil {
return err
}

return nil
}

Expand Down

0 comments on commit a2b72a5

Please sign in to comment.