Fix SELinux #2

Open
samcday opened this issue Aug 13, 2024 · 1 comment

samcday commented Aug 13, 2024

SELinux is decidedly broken in OCI images booted with bootc or rpm-ostree.

For now I'm going to just disable it entirely, since keeping it happy by working around the labelling issues is a Sisyphean task. I've already run into both the examples listed in the linked issue: swtpm and greetd problems.

My understanding is that rechunk (#1) should fix this, but I haven't managed to get that working yet.

samcday added a commit that referenced this issue Aug 13, 2024

samcday commented Aug 13, 2024

Sadly, rechunk seems to have made things significantly worse. I just tried booting the first image processed with rechunk + SELinux enabled. Things were so broken that agetty couldn't spawn on a VT. Trying to SSH in yielded "A valid context for sam could not be obtained.".

I think I'm sadly coming to the same conclusion here as I have with CoreOS: defense in depth would be great but having a computer that actually works is more important. SELinux is just so not worth the trouble.
