centos-bootc - cockpit-ws does not work - selinux problems

[spmfox]

Hello, when trying to use cockpit on centos-bootc, I get this error:

setroubleshoot[1163]: SELinux is preventing /usr/libexec/cockpit-session from using the transition access on a process.
                                                           
                                                           *****  Plugin restorecon_source (99.5 confidence) suggests   *****************
                                                           
                                                           If you want to fix the label. 
                                                           /usr/libexec/cockpit-session default label should be cockpit_session_exec_t.
                                                           Then you can run restorecon.
                                                           Do
                                                           # /sbin/restorecon -v /usr/libexec/cockpit-session

Using bootc usr-overlay, I can do a restorecon (as suggested by setroubleshoot) but this does not fix the problem. It does appear that all of the cockpit related files in /usr have the wrong context. I suspect something is breaking during the installation of cockpit-ws.

I can fix this by doing a dnf reinstall cockpit-ws (with usr-overlay). After the reinstall it seems that all the cockpit files in /usr have the correct context. I have tried doing the restorecon during the container build, however it seems the context is correct because they do not change. Once deployed onto a system, then they are broken. This has me puzzled. The container build machine has selinux set to enforcing.

Containerfile to reproduce this:

FROM quay.io/centos-bootc/centos-bootc:stream9
RUN dnf -y install cockpit cockpit-ws

[spmfox]

Digging in a bit more, it looks like doing the restorecon during the build process will do nothing as the labels are completely different when the container is running.

I found ostreedev/ostree-rs-ext#510

So now I'm wondering if cockpit ships its policy as a binary just like greetd.

[cgwalters]

Yes, this is a dup of ostreedev/ostree-rs-ext#510

That said, it's probably important enough to have a tracker here too.

[martinpitt]

Complete tangent: We don't see this in our Cockpit CI image for centos-9-bootc because we don't install cockpit-ws as an RPM there, but as a container. This mostly has historic reasons (it's preferable to do that on CoreOS), but for bootc it'd actually make more sense to include cockpit-ws.rpm right into the OCI image.

@spmfox So perhaps using https://quay.io/repository/cockpit/ws is at least a temporary workaround for you until this gets sorted out.

[spmfox]

@martinpitt I was able to get this working, thank you for the information - I was unaware there was a container version of cockpit-ws.

[cgwalters]

This one should be fixed as of the latest bootc 1.1 - see ostreedev/ostree-rs-ext#669 which bootc 1.1 rolled in.

[spmfox]

I can confirm, selinux errors no longer happen.

For anyone else looking at this later - this did not solve the problem for cockpit-ws. Same problem, no selinux errors though. I opened an issue with cockpit now (see above).