From 99d30dfd556866091c558559810647bdde4e1ee1 Mon Sep 17 00:00:00 2001
From: ckyrouac
Date: Thu, 15 May 2025 12:01:54 -0400
Subject: [PATCH] install: Fallback to no sepolicy when init imgstore

Check for the policy csum to make sure there is actually a policy available to lookup when trying to label the bootc container storage.

Fixes #1303

Signed-off-by: ckyrouac
---
 lib/src/store/mod.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/src/store/mod.rs b/lib/src/store/mod.rs
index 4a994b22..62cb1c1d 100644
--- a/lib/src/store/mod.rs
+++ b/lib/src/store/mod.rs
@@ -92,17 +92,27 @@ impl Storage {
         let sepolicy = if self.sysroot.booted_deployment().is_none() {
             // fallback to policy from container root
             // this should only happen during cleanup of a broken install
+            tracing::trace!("falling back to container root's selinux policy");
             let container_root = Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
             &ostree::SePolicy::new_at(container_root.as_raw_fd(), gio::Cancellable::NONE)?
         } else {
             // load the sepolicy from the booted ostree deployment so the imgstorage can be
             // properly labeled with /var/lib/container/storage labels
+            tracing::trace!("loading sepolicy from booted ostree deployment");
             let dep = self.sysroot.booted_deployment().unwrap();
             let dep_fs = deployment_fd(&self.sysroot, &dep)?;
             &ostree::SePolicy::new_at(dep_fs.as_raw_fd(), gio::Cancellable::NONE)?
         };
-        let imgstore = crate::imgstorage::Storage::create(&sysroot_dir, &self.run, Some(sepolicy))?;
+        let sepolicy = if sepolicy.csum().is_none() {
+            None
+        } else {
+            Some(sepolicy)
+        };
+
+        tracing::trace!("sepolicy in get_ensure_imgstore: {sepolicy:?}");
+
+        let imgstore = crate::imgstorage::Storage::create(&sysroot_dir, &self.run, sepolicy)?;
         Ok(self.imgstore.get_or_init(|| imgstore))
     }
 
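Review bot: The new `let sepolicy = if sepolicy.csum().is_none() { None } else { Some(sepolicy) };` applies to both branches above it, so on a booted system whose deployment policy loads without a checksum the container storage is created with no SELinux labeling, and only a trace-level message records that. The commit message ties the fallback to the cleanup-of-a-broken-install case; if that is the intent, consider restricting the `None` fallback to the container-root branch, or at least logging it at a level that shows up in normal operation, e.g. `tracing::warn!("no SELinux policy checksum available; creating container storage without labeling");` placed in the `None` arm. The two-arm if/else can also be written as `let sepolicy = sepolicy.csum().map(|_| sepolicy);`, which keeps the `Option<&SePolicy>` type and reads as the intent. The enclosing function begins before this hunk, so the origin of `sysroot_dir` is not visible here.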