Skip to content

Commit

Permalink
manifests: add selinux-workaround.yaml for >= F41
Browse files Browse the repository at this point in the history
Recent changes in the SELinux policy have broken a lot of our code.
Revert the affected domains back to permissive mode so we can
continue to build and test `releasever >= 41` until
fedora-selinux/selinux-policy#2257 merges
and the domains are reverted upstream or until the issue is resolved
altogether.

Add the workaround for `afterburn_t` as well so we can unblock
coreos/fedora-coreos-tracker#1784
  • Loading branch information
marmijo committed Sep 3, 2024
1 parent e726f1f commit 1e43d1c
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 0 deletions.
2 changes: 2 additions & 0 deletions manifests/fedora-coreos.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ conditional-include:
include: wifi-firmwares.yaml
- if: releasever >= 41
include: composefs.yaml
- if: releasever >= 41
include: selinux-workaround.yaml

ostree-layers:
- overlay/15fcos
Expand Down
23 changes: 23 additions & 0 deletions manifests/selinux-workaround.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Recent changes in the SELinux policy have broken a lot of our code.
# Revert the affected domains back to permissive mode so we can
# continue to build and test `releasever >= 41` until
# https://github.com/fedora-selinux/selinux-policy/pull/2257 merges
# and the domains are reverted upstream or until the issue is resolved
# altogether
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
cat > /tmp/fcos-workarounds.cil << EOF
; https://bugzilla.redhat.com/show_bug.cgi?id=2300306
(typeattributeset cil_gen_require bootupd_t)
(typepermissive bootupd_t)
; https://bugzilla.redhat.com/show_bug.cgi?id=2305385
(typeattributeset cil_gen_require coreos_installer_t)
(typepermissive coreos_installer_t)
; https://bugzilla.redhat.com/show_bug.cgi?id=2306352
(typeattributeset cil_gen_require afterburn_t)
(typepermissive afterburn_t)
EOF
/usr/sbin/semodule -i /tmp/fcos-workarounds.cil
rm /tmp/fcos-workarounds.cil

0 comments on commit 1e43d1c

Please sign in to comment.