Bug
Resolution: Unresolved
Normal
rhel-9.5, rhel-10.0
rhel-image-mode
See the linked https://issues.redhat.com/browse/RHEL-117251 for more information.
Basically the "install_t" aka `{ mac_admin }` capability has been a serious pain the entire time I've been maintaining ostree and now bootc. See e.g. https://github.com/bootc-dev/bootc/blob/78f34396676586be316438d672558d60be8ba45e/crates/lib/src/lsm.rs#L57
Historically we relied on rpm-ostree being a daemon, and I think systemd automatically does a domain transition when it's run.
But for bootc, we aren't a daemon by default - and we allow/encourage people to wrap it in their own systemd services - where the entrypoint binary won't necessarily be `install_t`.
```
$ cat > /usr/bin/testservice << EOF
#!/bin/bash
set -xeuo pipefail
id -Z
EOF
$ chmod a+x /usr/bin/testservice
$ chcon -t install_exec_t /usr/bin/testservice
$ systemd-run -u testservice -qPG -- /usr/bin/testservice
system_u:system_r:install_t:s0
```
As expected, but:
```
$ systemd-run -u testservice -qPG -- /bin/sh -c '/usr/bin/testservice && echo done'
system_u:system_r:initrc_t:s0
done
```
What'd be ideal here is that we still do a domain transition from this wrapper service to install_t.
—
It's really especially painful that lacking install_t will only generally fail if one is skipping OS major versions.
Anyways, please ensure that there's a supported and easy way for me to gain install_t from both inside and outside of a systemd unit. For example we could make this work:
```
$ systemd-run -qPG runcon -t install_t true
/usr/bin/runcon: ‘true’: Permission denied
```
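
A wrapper service can check its own domain before doing any work, so that a missing transition to `install_t` is reported on every run rather than only on the upgrades where it happens to matter. This is an added example, not part of the original report or of bootc; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from bootc): fail fast when a wrapper is not in install_t.
# Function names are hypothetical.

# Print the type field of an SELinux context "user:role:type[:level]".
# The level may itself contain colons (e.g. s0-s0:c0.c1023), so the type is
# taken as the third field rather than the second-to-last.
selinux_type_of() {
    case $1 in
        *:*:*) ;;
        *) return 1 ;;          # not an SELinux context (e.g. "unconfined")
    esac
    _sto_rest=${1#*:}           # drop user
    _sto_rest=${_sto_rest#*:}   # drop role
    _sto_type=${_sto_rest%%:*}  # keep type, drop level
    [ -n "$_sto_type" ] || return 1
    printf '%s\n' "$_sto_type"
}

# Exit status: 0 = context is in the wanted domain, 1 = other domain,
# 2 = context could not be parsed.
context_in_domain() {
    _cid_type=$(selinux_type_of "$1") || return 2
    [ "$_cid_type" = "$2" ]
}

# Check the calling process, using the same `id -Z` as the report.
# On a host without SELinux enabled, `id -Z` fails and this returns 2.
require_domain() {
    _rd_ctx=$(id -Z 2>/dev/null) || {
        echo "cannot read SELinux context (SELinux disabled?)" >&2
        return 2
    }
    _rd_rc=0
    context_in_domain "$_rd_ctx" "$1" || _rd_rc=$?
    if [ "$_rd_rc" -ne 0 ]; then
        echo "running as $_rd_ctx, expected domain $1" >&2
    fi
    return "$_rd_rc"
}

# In a wrapper's entrypoint: require_domain install_t || exit 1
```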