[MCO-396] firstboot update does not handle major SELinux policy changes

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: openshift-4.12
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False

WSJF:
0

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

We saw this in an OKD job:

https://github.com/openshift/machine-config-operator/pull/3358#issuecomment-1267532305

It's simple to reproduce, from say a current RHCOS 4.12 doing:

[root@cosa-devsh ~]# podman run --privileged --pid=host --net=host --rm -v /:/run/host quay.io/fedora/fedora-coreos:testing-devel "rpm-ostree" "ex" "deploy-from-self" "/run/host"
NOTICE: Experimental commands are subject to change.
error: Writing content object: Setting xattrs: fsetxattr(security.selinux): Invalid argument

I've tried doing `--security-opt label=type:unconfined_t` which gives the same error (of course), but using `install_t` I get:

[root@cosa-devsh ~]# podman run --privileged --security-opt label=type:install_t --pid=host --net=host --rm -v /:/run/host quay.io/fedora/fedora-coreos:testing-devel "rpm-ostree" "ex" "deploy-from-self" "/run/host"
exec /usr/bin/rpm-ostree: permission denied
[root@cosa-devsh ~]#

I'm really tempted to just `setenforce 0` for the first OS update...

links to

https://bugzilla.redhat.com/show_bug.cgi?id=2132185

openshift/machine-config-operator#3358: MCO-396: daemon: FCOS workaround, plus SELinux workaround

Brenton Leanhardt added a comment - 2022/10/31 2:18 PM

Hi walters@redhat.com, Is this task still a priority Blocker for the MCO team? If so, I think moving it to a bug and setting Release Blocker: Approved would be the best way for it to get the visibility it needs. I'm happy to make the necessary changes if you like.

Brenton Leanhardt added a comment - 2022/10/31 2:18 PM Hi walters@redhat.com , Is this task still a priority Blocker for the MCO team? If so, I think moving it to a bug and setting Release Blocker: Approved would be the best way for it to get the visibility it needs. I'm happy to make the necessary changes if you like.

Colin Walters added a comment - 2022/10/04 8:53 PM

https://github.com/openshift/machine-config-operator/pull/3358#issuecomment-1267565131

Colin Walters added a comment - 2022/10/04 8:53 PM https://github.com/openshift/machine-config-operator/pull/3358#issuecomment-1267565131

Colin Walters added a comment - 2022/10/04 8:38 PM

Previously https://bugzilla.redhat.com/show_bug.cgi?id=1839065

Colin Walters added a comment - 2022/10/04 8:38 PM Previously https://bugzilla.redhat.com/show_bug.cgi?id=1839065

Assignee:: Colin Walters

Reporter:: Colin Walters

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022/10/04 8:35 PM

Updated:: 2025/03/30 3:55 PM

Resolved:: 2024/02/14 11:52 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Brenton Leanhardt added a comment - 2022/10/31 2:18 PM

Expand comment: Brenton Leanhardt added a comment - 2022/10/31 2:18 PM

Collapse comment: Colin Walters added a comment - 2022/10/04 8:53 PM

Expand comment: Colin Walters added a comment - 2022/10/04 8:53 PM

Collapse comment: Colin Walters added a comment - 2022/10/04 8:38 PM

Expand comment: Colin Walters added a comment - 2022/10/04 8:38 PM

People

Dates