OSTree is an atomic upgrade system that goes below RPM, but above block storage. Among other things, it was designed from the ground up for SELinux. In order to work though, it needs "mac_admin", because the *new* chroot it's constructing may have contexts that don't exist in the *current* policy. And that's a normal condition. I think we should start with an ostree_t that's just unconfined_t + mac_admin.
Yes, we will need to create a policy and allow mac_admin for it.
If you label your binaries as livecd_exec_t does everything work?
(In reply to Daniel Walsh from comment #2)
> If you label your binaries as livecd_exec_t does everything work?

It appears to work as is (run as unconfined_t) - except it will just blow up if an upgrade includes *new* labels not known by the current policy =/ Is livecd_t already unconfined? I need something that's like rpm_t except also with mac_admin.
Yes livecd_t is just an unconfined domain that will not transition and is allowed to put down "bad" labels.
Colin, could you test it with the latest rawhide build together with the install_exec_t label?
(In reply to Miroslav Grepl from comment #5)
> Colin, could you test it with the latest rawhide build together with the install_exec_t label?

That appears to work fine. Also, can we give /usr/bin/rpm-ostree the same label? Thanks!
As a user who hit this I'd like to copy some of the error output here so that others might find this bug and thus a solution/workaround sooner. The error I was seeing was the following:

    [root@localhost yum.repos.d]# rpm -q ostree
    ostree-2014.5.39.gd5e813c-3.fc22.x86_64
    [root@localhost yum.repos.d]# ostree pull dustyserver fedora-atomic/rawhide/x86_64/base/core
    error: fsetxattr: Invalid argument

I was pointed[1] to this bug and also told to work around it by disabling selinux temporarily, which worked fine.

[1] - https://mail.gnome.org/archives/ostree-list/2014-July/msg00006.html
Note that some SELinux policy versions may have install_t but *not* have a domain transition from unconfined_t -> (install_exec_t) -> install_t. If that's the case, a cleaner workaround that does not involve full permissive mode is:

    # runcon -r system_r -t install_t rpm-ostree upgrade
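The label check, transition-rule check and runcon fallback discussed in the comments above, as an added example script that is not part of this bug report, of OSTree or of the Fedora/RHEL policy. It assumes the binary paths /usr/bin/ostree and /usr/bin/rpm-ostree, coreutils stat(1) for reading file contexts, sesearch from setools and semanage/restorecon from policycoreutils; the sesearch output it falls back to when sesearch is not installed is a constructed sample, not real policy output.

```shell
#!/bin/sh
# Added example (not from the bug report, OSTree or the SELinux policy):
# diagnose "error: fsetxattr: Invalid argument" from `ostree pull` /
# `rpm-ostree upgrade` under enforcing SELinux.
#
# The thread's point: ostree needs mac_admin to write contexts the running
# policy does not know yet.  Policy grants that only to unconfined domains
# such as install_t / livecd_t, entered through the install_exec_t /
# livecd_exec_t entrypoint labels.  So: check how the binaries are labelled,
# check whether policy really transitions unconfined_t -> install_t, and
# otherwise fall back to runcon.
#
# Assumptions (not stated in the thread): the binary paths below, coreutils
# stat(1), setools sesearch, policycoreutils semanage/restorecon.

OSTREE_BINS="/usr/bin/ostree /usr/bin/rpm-ostree"

# Type field of a SELinux context, e.g. system_u:object_r:install_exec_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if the file's type is an entrypoint into a mac_admin-capable domain.
is_mac_admin_entrypoint() {
    case "$(selinux_type "$1")" in
        install_exec_t|livecd_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if `sesearch -T` output ($1) contains a process type_transition from
# source domain $2 through entrypoint type $3 into domain $4.
# Accepts both setools 3 ("t : process d") and setools 4 ("t:process d").
has_domain_transition() {
    printf '%s\n' "$1" | grep -Eq \
      "type_transition[[:space:]]+$2[[:space:]]+$3[[:space:]]*:[[:space:]]*process[[:space:]]+$4[[:space:]]*;"
}

# Constructed sample of sesearch output (not captured from a real system),
# used so the check still runs offline where sesearch is not installed.
SAMPLE_SESEARCH='type_transition unconfined_t install_exec_t:process install_t;'

main() {
    for bin in $OSTREE_BINS; do
        ctx=$(stat -c %C "$bin" 2>/dev/null) || { echo "$bin: not found"; continue; }
        if is_mac_admin_entrypoint "$ctx"; then
            echo "$bin: $ctx (entrypoint into an unconfined, mac_admin-capable domain)"
        else
            echo "$bin: $ctx (runs as unconfined_t, no mac_admin: new labels will fail)"
            echo "  fix: semanage fcontext -a -t install_exec_t $bin && restorecon -v $bin"
        fi
    done

    if command -v sesearch >/dev/null 2>&1; then
        rules=$(sesearch -T -s unconfined_t -t install_exec_t -c process 2>/dev/null) || rules=""
    else
        echo "sesearch not installed; using constructed sample output"
        rules=$SAMPLE_SESEARCH
    fi
    if has_domain_transition "$rules" unconfined_t install_exec_t install_t; then
        echo "policy transitions unconfined_t -> install_t via install_exec_t"
    else
        echo "no transition rule; run the upgrade directly in install_t:"
        echo "  runcon -r system_r -t install_t rpm-ostree upgrade"
    fi
}

main "$@"
```

Run it as root on the affected host. The semanage/restorecon line is printed rather than executed so the operator decides whether to apply it: a domain with mac_admin can write any context, so relabeling rpm-ostree as install_exec_t makes it effectively unconfined (the same property the thread notes for livecd_t), which is the trade-off being accepted.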
Strange that we have the transition rule in fedora but not in rhel.
(In reply to Daniel Walsh from comment #9)
> Strange that we have the transition rule in fedora but not in rhel.

Do we need this in rhel? I am "playing" with the centos Atomic image (unreleased) from [1] and I just hit this:

    -bash-4.2# rpm-ostree upgrade
    Updating from: centos-atomic-host:centos/7/atomic/x86_64/cloud-docker-host
    Receiving objects: 13% (649/4806) 409.7 kB/s 17.2 MB
    error: fsetxattr: Invalid argument

[1] - http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-AtomicHost-20150228_01.qcow2.xz
What does rpm -q selinux-policy-targeted
See https://lists.projectatomic.io/projectatomic-archives/atomic/2015-April/msg00000.html