From ee150f43b42669ebe7ce83105ef5786230853f5a Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 19 Mar 2024 11:23:16 +0100
Subject: [PATCH] manifest,osbuild: exclude /sysroot from selinux labeling

This enusre that the buildroot container is setup without selinux warnings.
---
 pkg/manifest/build.go | 9 ++-------
 pkg/osbuild/selinux_stage.go | 1 +
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/pkg/manifest/build.go b/pkg/manifest/build.go
index 0950106d2a..0e476d9f34 100644
--- a/pkg/manifest/build.go
+++ b/pkg/manifest/build.go
@@ -235,13 +235,7 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 pipeline.Runner = p.runner.String()
 
 image := osbuild.NewContainersInputForSingleSource(p.containerSpecs[0])
- options := &osbuild.ContainerDeployOptions{
- // XXX: this cannot be used when "bootc install to-filesystem"
- // is used. The issue is that this also contains the metadata
- // that bootc install uses to install the filesystem
- //Exclude: []string{"/sysroot"},
- }
-
+ options := &osbuild.ContainerDeployOptions{}
 stage, err := osbuild.NewContainerDeployStage(image, options)
 if err != nil {
 panic(err)
@@ -250,6 +244,7 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 pipeline.AddStage(osbuild.NewSELinuxStage(
 &osbuild.SELinuxStageOptions{
 FileContexts: "etc/selinux/targeted/contexts/files/file_contexts",
+ ExcludePaths: []string{"/sysroot"},
 Labels: p.getSELinuxLabels(),
 },
 ))
diff --git a/pkg/osbuild/selinux_stage.go b/pkg/osbuild/selinux_stage.go
index d5b0512cef..8126a730a3 100644
--- a/pkg/osbuild/selinux_stage.go
+++ b/pkg/osbuild/selinux_stage.go
@@ -6,6 +6,7 @@ package osbuild
 // the filesystem labels to apply to the image.
 type SELinuxStageOptions struct {
 FileContexts string `json:"file_contexts"`
+ ExcludePaths []string `json:"exclude_paths"`
 Labels map[string]string `json:"labels,omitempty"`
 ForceAutorelabel *bool `json:"force_autorelabel,omitempty"`
 }
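Review bot: Replacing the commented-out block with the bare `options := &osbuild.ContainerDeployOptions{}` also deletes the only explanation of why `/sysroot` must stay in the deploy set (the removed XXX comment says the metadata `bootc install to-filesystem` relies on lives there), so a later reader has nothing stopping them from re-adding `Exclude` and silently breaking that install path. I would keep a one-line version next to the empty options: `// Do not Exclude /sysroot here: bootc install to-filesystem needs the metadata under it; the SELinux stage skips it instead.` The enclosing `serialize` method starts and ends outside this hunk.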
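Review bot: The new `ExcludePaths: []string{"/sysroot"}` line gives no reason at the call site, and the effect is security-relevant: whatever sits under `/sysroot` in this buildroot is left with the labels the container image shipped (or none) rather than the ones `file_contexts` would assign. That is presumably acceptable only because `BuildrootFromContainer` produces a throwaway build environment, so the assumption should be stated: `// /sysroot holds the bootc install metadata; skip it to avoid relabel warnings — fine only because this is a transient buildroot.` Note also that the field only works if the osbuild consuming the manifest already accepts `exclude_paths` in its `org.osbuild.selinux` stage schema; with an older osbuild the manifest would fail validation rather than degrade, which is worth a sentence in the commit message. The enclosing `serialize` method starts outside this hunk.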
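Review bot: The new field is tagged `json:"exclude_paths"` without `omitempty`, unlike the optional `Labels` and `ForceAutorelabel` next to it, so every SELinux stage in every manifest that does not set it will now serialize `"exclude_paths": null`; if osbuild's stage schema types the property as an array, that null is rejected by validation, and even if it is tolerated it is a gratuitous change to every emitted manifest. Change the tag to `ExcludePaths []string `json:"exclude_paths,omitempty"`` so unset stays absent. A short field comment would also help, e.g. `// ExcludePaths lists paths that are left out of the relabel (setfiles -e).` — hedged as "presumably" if the stage's exclusion mechanism is not confirmed. The struct's doc comment begins before this hunk.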