
when selinux:false, rpm-ostree still looks for selinux policies and raises error #3261

Open
zlind0 opened this issue Dec 7, 2021 · 6 comments

Comments

@zlind0

zlind0 commented Dec 7, 2021

Host system details
Fedora 33, rpm-ostree executed by fedora coreos assembler under its docker image (quay.io/coreos-assembler/coreos-assembler)

We would like to build a minimal OS which excludes SELinux functionality. Our project is based on Fedora CoreOS; therefore, we use fedora coreos assembler. According to the documentation, we set selinux:false in TREEFILE. However, while coreos assembler executes this command:

rpm-ostree compose tree 
--repo=/srv/tmp/repo 
--touch-if-changed /srv/tmp/treecompose.changed 
--cachedir=/srv/cache 
--unified-core /srv/tmp/override/coreos-assembler-override-manifest.yaml 
--cache-only 
--add-metadata-from-json /srv/tmp/build/tmp/commit-metadata-input.json 
--write-composejson-to /srv/tmp/compose.json 
--ex-write-lockfile-to /srv/tmp/repo/tmp/manifest-lock.generated.x86_64.json.tmp 
--ex-lockfile=/srv/src/config/manifest-lock.x86_64.json 
--no-parent 
--ex-lockfile=/srv/tmp/override/local-overrides.json

The error SELinux enabled, but no policy found is raised:

Writing rpmdb... done
error: Loading pkgcache branch rpmostree/pkg/libblkid/2.32.1-27.3.al8.x86__64: SELinux enabled, but no policy found

The expected behavior is that when selinux:false is set, rpm-ostree doesn't look for any SELinux policies.

By looking into the code for days, we found that this patch solves this problem, but it is not likely to solve the problem fundamentally.

diff --color -ur rpm-ostree-2021.1/src/libpriv/rpmostree-core.cxx rpm-ostree-2021.1.new/src/libpriv/rpmostree-core.cxx
--- rpm-ostree-2021.1/src/libpriv/rpmostree-core.cxx	2021-12-03 13:48:20.179113126 +0800
+++ rpm-ostree-2021.1.new/src/libpriv/rpmostree-core.cxx	2021-12-03 13:49:18.261730774 +0800
@@ -1372,6 +1372,10 @@
   /* Init output here, since we have several early returns */
   *out_in_ostree = FALSE;
   /* If there's no sepolicy, then we always match */
+  gboolean selinux_switch;
+  g_variant_dict_lookup (self->spec->dict, "selinux", "b", &selinux_switch);
+  if (selinux_switch == FALSE)
+      sepolicy = NULL;
   *out_selinux_match = (sepolicy == NULL);
 
   /* NB: we're not using a pkgcache yet in the compose path */
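Review bot: the added `g_variant_dict_lookup (self->spec->dict, "selinux", "b", &selinux_switch);` discards the function's return value, and `g_variant_dict_lookup` only writes the out-parameter when the key is present; for a treefile without a `selinux` key, `selinux_switch` stays uninitialised and `if (selinux_switch == FALSE)` branches on garbage. Initialise it to the key's default (`gboolean selinux_switch = TRUE;`) or guard on the lookup's return, e.g. `if (g_variant_dict_lookup (...) && !selinux_switch)`. The comment kept above the new lines, `/* If there's no sepolicy, then we always match */`, also no longer describes the logic once `sepolicy` can be nulled by the treefile switch rather than by the rootfs, so it should say that too.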

In other words, in src/libpriv/rpmostree-core.cxx:1363:

static gboolean
find_pkg_in_ostree (RpmOstreeContext *self,
                    DnfPackage     *pkg,
                    OstreeSePolicy *sepolicy,
                    gboolean       *out_in_ostree,
                    gboolean       *out_selinux_match,
                    GError        **error)
  if (sepolicy)
    {
      if (!commit_has_matching_sepolicy (commit, sepolicy,
                                         out_selinux_match, error))
        return FALSE;
    }

sepolicy should be NULL when selinux is set to false in TREEFILE; however, it has some value. We are frustrated when looking for the specific place where sepolicy was set.

@lucab
Contributor

lucab commented Dec 7, 2021

Hi and welcome!
I'm not super-familiar with that specific option in the treefile, but I have a feeling that the sepolicy value may be coming from here:

g_autoptr(OstreeSePolicy) sepolicy = NULL;
if (!rpmostree_prepare_rootfs_get_sepolicy (rootfs_dfd, &sepolicy, cancellable, error))
  return FALSE;
rpmostree_context_set_sepolicy (self->corectx, sepolicy);

But overall I think those if (selinux) checks may be misleading, as a non-NULL value does not mean there is a policy available. In other places, this is the more complete check that is performed to detect SELinux policy presence:

if (sepolicy && ostree_sepolicy_get_name (sepolicy) != NULL)
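The thread mixes two separate questions: whether the treefile's selinux switch is off (the reporter's patch above), and whether a non-NULL OstreeSePolicy handle actually carries a loaded policy (lucab's check). The following is an added, self-contained C model of both, not rpm-ostree's own code. Treefile, SePolicy, treefile_lookup_selinux, treefile_selinux_enabled, sepolicy_is_usable and effective_sepolicy are names invented for this illustration; treefile_lookup_selinux mirrors the contract of g_variant_dict_lookup (returns whether the key was found, writes the out-parameter only then), and an absent key is treated as enabled, which is the default rpm-ostree documents for this treefile key.

```c
/* Added example (not rpm-ostree code): a model of the treefile "selinux"
 * switch and of policy presence.  All names below are assumptions made for
 * this illustration, not rpm-ostree or libostree APIs. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Model of the treefile: the "selinux" key may be absent entirely. */
typedef struct {
    bool has_selinux_key;
    bool selinux;
} Treefile;

/* Model of OstreeSePolicy: the handle can exist while no policy is loaded,
 * in which case its name is NULL (the condition the name check tests). */
typedef struct {
    const char *name;   /* NULL when no policy was found in the rootfs */
} SePolicy;

/* Mirrors g_variant_dict_lookup(): reports whether the key was present and
 * writes *out only in that case.  A caller that ignores the return value
 * and reads *out afterwards reads an uninitialised value. */
static bool treefile_lookup_selinux(const Treefile *tf, bool *out)
{
    if (!tf->has_selinux_key)
        return false;
    *out = tf->selinux;
    return true;
}

/* Treefile switch with an explicit default: an absent key means "enabled",
 * so the variable is initialised before the lookup and never read raw. */
bool treefile_selinux_enabled(const Treefile *tf)
{
    bool enabled = true;   /* documented default; assumption for this model */
    (void) treefile_lookup_selinux(tf, &enabled);
    return enabled;
}

/* A non-NULL handle is not enough: require a loaded policy with a name. */
bool sepolicy_is_usable(const SePolicy *p)
{
    return p != NULL && p->name != NULL;
}

/* The policy the compose should actually use: NULL when the treefile turns
 * SELinux off, or when the rootfs handed back an empty policy object. */
const SePolicy *effective_sepolicy(const Treefile *tf, const SePolicy *loaded)
{
    if (!treefile_selinux_enabled(tf))
        return NULL;
    if (!sepolicy_is_usable(loaded))
        return NULL;
    return loaded;
}

int main(void)
{
    /* Constructed sample inputs covering the three treefile states. */
    const Treefile off  = { .has_selinux_key = true,  .selinux = false };
    const Treefile on   = { .has_selinux_key = true,  .selinux = true  };
    const Treefile none = { .has_selinux_key = false, .selinux = false };
    const SePolicy targeted = { .name = "targeted" };
    const SePolicy empty    = { .name = NULL };

    printf("selinux:false, policy loaded -> %s\n",
           effective_sepolicy(&off, &targeted) ? "use policy" : "no policy");
    printf("selinux:true,  empty handle  -> %s\n",
           effective_sepolicy(&on, &empty) ? "use policy" : "no policy");
    printf("key absent,    policy loaded -> %s\n",
           effective_sepolicy(&none, &targeted) ? "use policy" : "no policy");
    return 0;
}
```

The point of the model is the third case: a check that reads the looked-up boolean without a default would treat a treefile with no selinux key as unpredictable, whereas initialising to the documented default keeps the behaviour the reporter expects for selinux:false without changing it for everyone else.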

@cgwalters
Member

I think this is a dup of #971

It makes sense to support, just needs a bit of investigation and care - and a new entry to the CI flow. As I commented in the previous issue, supporting rpm-ostree in-container - which is now a high priority due to https://github.com/coreos/enhancements/blob/main/os/coreos-layering.md - would also motivate this.

@jlebon
Member

jlebon commented Dec 7, 2021

Short-term, it may be easier to leave it on during the compose but configure the OS to permissive mode.

@cheese

cheese commented Mar 12, 2022

I met the same issue when trying to compose an image from CentOS Stream 9 packages:
error: Sorting packages: Loading pkgcache branch rpmostree/pkg/acl/2.3.1-3.el9.x86__64: Failed to find metadata key rpmostree.sepolicy (signature s)

Host is Fedora 35 with rpm-ostree-2022.5-1.fc35.x86_64 and with SELinux set to permissive.

@wanglmb

wanglmb commented Sep 24, 2022

I met this issue as well.

@duyiwei7w

I met this issue as well.

me too
