coreos-boot-edit.sh creates /boot/.root_uuid as unlabeled_t #1770

Closed
travier opened this issue Jul 31, 2024 · 8 comments · Fixed by coreos/fedora-coreos-config#3155

@travier
Member

travier commented Jul 31, 2024

Describe the bug

https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.sh likely runs before we've loaded the SELinux policy and writes /boot/.root_uuid which ends up not being labeled (unlabeled_t).

Reproduction steps

Boot FCOS. Run:

ls -alhZ /boot

Expected behavior

All files are correctly labeled.

Actual behavior

/boot/.root_uuid is unlabeled_t.

System details

N/A

Butane or Ignition config

None

Additional information

No response
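
A scriptable form of the reproduction step above, added here as an example; it is not part of the original issue or of the CoreOS tooling. It filters `stat -c '%C %n'` output for entries whose SELinux type is `unlabeled_t`. The function names and the sample listing are constructed for illustration, and `boot_t` stands in for whatever type a correctly labeled file carries.

```shell
#!/bin/sh
# Added example: report files whose SELinux type is unlabeled_t.

# Read "CONTEXT PATH" lines (the output format of `stat -c '%C %n'`) on stdin
# and print the path of every entry whose context type is unlabeled_t.
# Paths containing newlines are not handled.
unlabeled_paths() {
    while IFS= read -r line; do
        ctx=${line%% *}     # context is the first space-delimited field
        path=${line#* }     # everything after it is the path (may hold spaces)
        # A context is user:role:type[:level]; isolate the third field.
        rest=${ctx#*:}
        rest=${rest#*:}
        type=${rest%%:*}
        if [ "$type" = "unlabeled_t" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Walk a directory tree on a live SELinux host and report unlabeled entries.
scan_tree() {
    find "$1" -exec stat -c '%C %n' {} + 2>/dev/null | unlabeled_paths
}

# Constructed sample of `stat -c '%C %n'` output (not captured from a host).
sample_listing() {
    cat <<'EOF'
system_u:object_r:boot_t:s0 /boot
system_u:object_r:boot_t:s0 /boot/grub2
system_u:object_r:unlabeled_t:s0 /boot/.root_uuid
system_u:object_r:boot_t:s0 /boot/loader
EOF
}

# Demo on the constructed sample; on a real host call: scan_tree /boot
sample_listing | unlabeled_paths
```

An empty result from `scan_tree /boot` means no entry under that tree is `unlabeled_t`.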

@jlebon
Member

jlebon commented Aug 6, 2024

A coreos-relabel would fix it for new systems, but I think that'd require changing coreos-boot-edit to actually do the temporary boot mount under /sysroot/boot instead of /mnt/boot_partition so the expected path lines up. (Though there's a bit of a layering violation in that the script would have to know that rdcore bind-boot writes that file; rdcore could itself call coreos-relabel instead, but that command so far hasn't really escaped this repo.)

We should probably fix it on existing systems, but it doesn't seem worth a barrier. We could bundle it in whatever the next barrier release we do.

@dustymabe
Member

> We should probably fix it on existing systems, but it doesn't seem worth a barrier. We could bundle it in whatever the next barrier release we do.

@jbtrystram is working on a migration script to fixup labels on systems for #1771 and various other issues so we can fix these too.

We kind of need all of these root causes of the unlabeled files fixed too before we can release the migration script (i.e. freshly installed systems at a certain point should have no unlabeled_t once installed).

What's the proper fix for this root cause?

jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Sep 10, 2024
The `rdcore bind-boot` command writes files to the bootfs but currently
doesn't relabel them. Let's just relabel it from this side for now.
In the future we could look at having `rdcore` call `setfiles` like
Ignition does, or better, make `coreos-relabel` a more public API.

This fixes coreos/fedora-coreos-tracker#1770
for new installs.

Refrained from adding tests for this. I think instead what we need is
once all these relabeling issues are fixed, a test that verifies that
*everything* is labeled.
@jlebon
Member

jlebon commented Sep 10, 2024

Opened coreos/fedora-coreos-config#3155 for this.

@jlebon
Member

jlebon commented Sep 10, 2024

coreos/fedora-coreos-config#3155 only fixed the new installs case. We should still fix it on existing installs.

jlebon reopened this Sep 10, 2024
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Sep 26, 2024
/boot/efi and /sysroot dir and subfiles are unlabeled_t since
40.20240504.3.0. This is likely due to some missing scaffolding
in the OSBuild software and definitions that we started using in
[1]. These issues [2] [3] were addressed in [4] for new image
builds, but we still need to fix upgrading systems, which we
do here in this migration script.

Note that we also fix a few files in /boot that were left
unlabeled by `rdcore` [5] while we are in here.

[1] coreos/fedora-coreos-tracker#1653.
[2] coreos/fedora-coreos-tracker#1771
[3] coreos/fedora-coreos-tracker#1772
[4] coreos/coreos-assembler#3885
[5] coreos/fedora-coreos-tracker#1770

Co-authored-by: Dusty Mabe <[email protected]>
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 26, 2024
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe added a commit to jbtrystram/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe added a commit to coreos/fedora-coreos-config that referenced this issue Sep 27, 2024
dustymabe pushed a commit to dustymabe/fedora-coreos-config that referenced this issue Sep 28, 2024
(cherry picked from commit 2e355fd)
dustymabe pushed a commit to coreos/fedora-coreos-config that referenced this issue Sep 30, 2024
(cherry picked from commit 2e355fd)
@dustymabe
Member

coreos/fedora-coreos-config@8d75174 fixes this for upgrading systems too.

dustymabe added the status/pending-testing-release (Fixed upstream. Waiting on a testing release.) and status/pending-next-release (Fixed upstream. Waiting on a next release.) labels Sep 30, 2024
dustymabe pushed a commit to dustymabe/fedora-coreos-config that referenced this issue Sep 30, 2024
(cherry picked from commit 2e355fd)
dustymabe pushed a commit to coreos/fedora-coreos-config that referenced this issue Oct 1, 2024
(cherry picked from commit 2e355fd)
@dustymabe
Member

The fix for this went into next stream release 41.20241006.1.1. Please try out the new release and report issues.

@dustymabe
Member

The fix for this went into testing stream release 40.20241006.2.1. Please try out the new release and report issues.

dustymabe added the status/pending-stable-release (Fixed upstream and in testing. Waiting on stable release.) label and removed the status/pending-testing-release (Fixed upstream. Waiting on a testing release.) and status/pending-next-release (Fixed upstream. Waiting on a next release.) labels Oct 18, 2024
@dustymabe
Member

The fix for this went into stable stream release 40.20241006.3.0.

dustymabe removed the status/pending-stable-release (Fixed upstream and in testing. Waiting on stable release.) label Oct 28, 2024