Do not remove SELinux from the runtime #1496
This is a part of the effort to have bootc support: rhinstaller/anaconda#6298
I don't like adding this to the grub cmdline, I think it should be possible to write /etc/selinux/config with the right settings so that it is the default.
@bcl Thanks for the review - to be honest I am not an SELinux expert so any suggestions on how to do it right are welcome :) Bootc requires SELinux to be present in the runtime but at the same time we want to keep it turned off as we are not using it. Can you elaborate on this
I think the same effect could be achieved with: ETA: I meant permissive here. No idea how I typoed that.
91ae644 to f215669
f215669 to d8f6dde
Ok, now with the updated code it works better.

@bcl please share your thoughts about the current version :)
Note: we want to keep it turned off as many, many things break when it's turned on. Too many things to diagnose in a release cycle. And it's also probably mostly pointless. The installer is expected to have complete control to modify the current system and use the network to do so. There's not a lot of limitation we could impose on the installer with SELinux that wouldn't cause problems.
share/templates.d/99-generic/config_files/common/selinux.config
I do not believe this is a good idea:
We experimented with I see another part of this PR adds installing the selinux config file. Was that not being installed before? So maybe we need to test with
I have no idea why I pasted 'disabled' there. I meant permissive. @abadger is correct, with it disabled the labels during a normal install won't get set at all. I'd forgotten that config file existed. According to commit d6584e1 it wasn't working because it would get removed with the selinux-policy package removal -- but now that we are leaving the package in place it should be ok to install it.
@bcl so the right set of flags in the config should be
d8f6dde to e7b6b1c
* Do not remove SELinux packages when ISO is created
* Make sure that /etc/selinux/config is being deployed
* /etc/selinux/config file content shall be:
  * SELINUX=permissive
  * SELINUXTYPE=targeted
* Add extra packages which may be required by selinux policies processing
e7b6b1c to 6aa06a9
@bcl I think now it is working fine.
Correct.
Nothing extra should be needed, that's the point of putting it into permissive, it will do everything except enforce the restrictions so that the installed files should have the correct labels.
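As an added example (not code from this PR or from the lorax project), here is a POSIX shell check for the /etc/selinux/config that the commit message above says the runtime must ship. It encodes the two points made in the thread: SELINUX must be permissive (labels get applied, nothing is enforced) and SELINUXTYPE must be targeted, and it rejects disabled because, as noted above, no labels are set at all in that mode. The function name, the sample config contents and the temporary directory are my own constructions; the file given as the argument stands in for the runtime's /etc/selinux/config.

```shell
#!/bin/sh
# Added example, not part of lorax. Validates a file in /etc/selinux/config
# format (path in $1) against what the installer runtime needs for bootc:
#   SELINUX=permissive   (policy is loaded and files get labelled, nothing enforced)
#   SELINUXTYPE=targeted
# Returns 0 when the file is acceptable, 1 otherwise, with the reason on stderr.
check_selinux_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "missing or unreadable: $cfg" >&2; return 1; }
    # Take the last assignment of each key; comments and blank lines never match.
    # "SELINUX=" does not match "SELINUXTYPE=" because the character after
    # "SELINUX" must be "=".
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    type=$(sed -n 's/^[[:space:]]*SELINUXTYPE=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    case "$mode" in
        permissive) ;;
        disabled)
            echo "SELINUX=disabled: files written during install get no labels" >&2
            return 1 ;;
        enforcing)
            echo "SELINUX=enforcing: the installer would be confined by the policy" >&2
            return 1 ;;
        *)
            echo "SELINUX not set in $cfg (an unset mode is not permissive)" >&2
            return 1 ;;
    esac
    [ "$type" = targeted ] || {
        echo "SELINUXTYPE=${type:-unset}, expected targeted" >&2
        return 1
    }
    return 0
}

# Demo on constructed sample files (not taken from any real system).
demo_dir=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_dir/disabled.config"
printf '# as shipped by the PR\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo_dir/permissive.config"
printf 'SELINUX=permissive\n' > "$demo_dir/notype.config"
for f in "$demo_dir"/*.config; do
    if check_selinux_config "$f"; then
        echo "OK:       $f"
    else
        echo "REJECTED: $f"
    fi
done
rm -rf "$demo_dir"
```

Only the permissive/targeted file passes; the disabled file is rejected with the labelling reason, and the file with no SELINUXTYPE is rejected because the policy type is missing. Run it against the runtime's real /etc/selinux/config after the ISO has been built to confirm the template was actually deployed.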
bcl left a comment
This looks good to me and I've tested it locally.
jstodola left a comment
It looks good to me.
Hey @bcl just checking if this will be headed to the rhel10 refresh as well?

Not at this time. That depends on Anaconda requesting a backport and filing an issue for it.

What about ELN lorax-templates-rhel for RHEL 11? ELN anaconda tracks rawhide.

I think it should be added to the ELN templates as well? Or are we waiting for it to potentially hit RHEL 10 first?

selinux=1 enforcing=0