From 374aac903479dbca2bc447902b3b8a113d91c515 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 13 Feb 2024 09:50:37 -0500
Subject: [PATCH] Ensure root_t label for /store

The way osbuild works is to synthesize a filesystem tree in the store, then copy it to the disk. This ensures the label for the store is `root_t` which ends up being the labeling for the "infrastructure" bits in the `/ostree` repository in the target root. This in turn is blocking a lot of things.

Closes: https://github.com/osbuild/bootc-image-builder/issues/149
---
 bib/cmd/bootc-image-builder/main.go | 2 +-
 bib/internal/setup/setup.go | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/bib/cmd/bootc-image-builder/main.go b/bib/cmd/bootc-image-builder/main.go
index 6db227c1a..2e68d3626 100644
--- a/bib/cmd/bootc-image-builder/main.go
+++ b/bib/cmd/bootc-image-builder/main.go
@@ -237,7 +237,7 @@ func cmdBuild(cmd *cobra.Command, args []string) error {
 if err := setup.Validate(); err != nil {
 return err
 }
-if err := setup.EnsureEnvironment(); err != nil {
+if err := setup.EnsureEnvironment(osbuildStore); err != nil {
 return err
 }
diff --git a/bib/internal/setup/setup.go b/bib/internal/setup/setup.go
index 944a64d0c..330f9a373 100644
--- a/bib/internal/setup/setup.go
+++ b/bib/internal/setup/setup.go
@@ -12,7 +12,7 @@ import (
 // EnsureEnvironment mutates external filesystem state as necessary
 // to run in a container environment. This function is idempotent.
-func EnsureEnvironment() error {
+func EnsureEnvironment(storePath string) error {
 osbuildPath := "/usr/bin/osbuild"
 if util.IsMountpoint(osbuildPath) {
 return nil
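Review bot: The doc comment on EnsureEnvironment is left unchanged while the signature gains `storePath`, so neither the parameter nor the new relabeling side effect it drives is documented. Extend the comment with a line such as `// storePath is the osbuild store directory; it is relabeled root_t so content synthesized there does not carry container labels.` The rest of EnsureEnvironment's body lies outside this hunk.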
@@ -53,6 +53,14 @@ func EnsureEnvironment() error {
 if err := util.RunCmdSync("mount", "--bind", destPath, osbuildPath); err != nil {
 return err
 }
+
+// And we also forcibly label the store to ensure we're not grabbing container labels
+rootType := "system_u:object_r:root_t:s0"
+// This papers over the lack of ensuring correct labels for the /ostree root
+// in the existing pipeline
+if err := util.RunCmdSync("chcon", rootType, storePath); err != nil {
+return err
+}
 return nil
 }
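Review bot: The new chcon call sits after the early `return nil` on `util.IsMountpoint(osbuildPath)` shown in the previous hunk, so a second invocation in the same container skips the relabel entirely and the store label is not guaranteed in the way the doc comment's "idempotent" claim suggests; moving the chcon ahead of that early return would make the guarantee hold on every call. chcon is also non-recursive here, so any content already present under storePath keeps its existing label and only the directory itself (plus files created under it later, which typically inherit the parent type) becomes root_t; that assumption deserves a comment, e.g. `// Non-recursive on purpose: new files under the store inherit root_t; pre-existing content is not relabeled.` On a host with SELinux disabled or a store filesystem without security xattr support, chcon exits non-zero and this turns a previously working build into a hard failure, so confirm that is intended or check for SELinux support before calling it. `rootType` holds a full security context (user, role, type, level), not just a type, so a name like `rootContext` would better match what is passed to chcon.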