tree: import changes from testing-devel at cd12e34d9c

manifests/fedora-coreos-base.yaml

@@ -19,15 +19,21 @@ ostree-layers:
   - overlay/30lvmdevices
 
 conditional-include:
-  - if: releasever > 42
+  - if: releasever < 44
     include:
       postprocess:
-        # Hack to avoid running out of space on aarch64. This should save us about 29M.
-        # https://github.com/coreos/fedora-coreos-tracker/issues/2004
+        # Enable SELinux booleans used by OpenShift
+        # https://github.com/coreos/fedora-coreos-tracker/issues/284
+        # This definition is no longer used to actually effect change
+        # in the OpenShift Node images so let's drop it in 44+. The
+        # config for the OpenShift Node image is now in:
+        # https://github.com/openshift/os/blob/c96e35987fb1093beb7631f27aecf324ae8a44f5/packages-openshift.yaml#L98-L103
         - |
-          #!/usr/bin/env bash
+          #!/usr/bin/bash
           set -eux -o pipefail
-          rm -vrf /usr/lib/modules/*aarch64/dtb/qcom/
+          setsebool -P -N container_use_cephfs on  # RHBZ#1692369
+          setsebool -P -N virt_use_samba on  # RHBZ#1754825
+          rm -f /etc/selinux/targeted/semanage.*.LOCK
 
 
 # Be minimal
@@ -36,15 +42,6 @@ recommends: false
 # ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
 # See also the version of this in fedora-coreos.yaml
 postprocess:
-  # Enable SELinux booleans used by OpenShift
-  # https://github.com/coreos/fedora-coreos-tracker/issues/284
-  - |
-    #!/usr/bin/bash
-    set -eux -o pipefail
-    setsebool -P -N container_use_cephfs on  # RHBZ#1692369
-    setsebool -P -N virt_use_samba on  # RHBZ#1754825
-    rm -f /etc/selinux/targeted/semanage.*.LOCK
-
   # Mask dnsmasq. We include dnsmasq for host services that use the dnsmasq
   # binary but intentionally mask the systemd service so users can't easily
   # use it as an external dns server. We prefer they use a container for that.
@@ -77,6 +74,13 @@ postprocess:
       grep sudo /usr/lib/group >> /etc/group
     fi
 
+  # Hack to avoid running out of space on aarch64. This should save us about 29M.
+  # https://github.com/coreos/fedora-coreos-tracker/issues/2004
+  - |
+    #!/usr/bin/env bash
+    set -eux -o pipefail
+    rm -vrf /usr/lib/modules/*aarch64/dtb/qcom/
+
 # Packages listed here should be specific to Fedore CoreOS (as in not yet
 # available in RHCOS or not desired in RHCOS). All other packages should go
 # into one of the sub-manifests listed at the top.

manifests/fedora-coreos.yaml

@@ -4,8 +4,6 @@
 
 include: fedora-coreos-base.yaml
 conditional-include:
-  - if: releasever >= 41
-    include: selinux-workaround.yaml
   # If not on a production stream then disable Zincati
   - if:
       - stream != "stable"

manifests/selinux-workaround.yaml

@@ -1,23 +0,0 @@
-# Recent changes in the SELinux policy have broken a lot of our code.
-# Revert the affected domains back to permissive mode so we can
-# continue to build and test `releasever >= 41` until
-# https://github.com/fedora-selinux/selinux-policy/pull/2257 merges
-# and the domains are reverted upstream or until the issue is resolved
-# altogether
-postprocess:
-  - |
-    #!/usr/bin/bash
-    set -eux -o pipefail
-    cat > /tmp/fcos-workarounds.cil << EOF
-    ; https://bugzilla.redhat.com/show_bug.cgi?id=2300306
-    (typeattributeset cil_gen_require bootupd_t)
-    (typepermissive bootupd_t)
-    ; https://bugzilla.redhat.com/show_bug.cgi?id=2305385
-    (typeattributeset cil_gen_require coreos_installer_t)
-    (typepermissive coreos_installer_t)
-    ; https://bugzilla.redhat.com/show_bug.cgi?id=2306352
-    (typeattributeset cil_gen_require afterburn_t)
-    (typepermissive afterburn_t)
-    EOF
-    /usr/sbin/semodule -i /tmp/fcos-workarounds.cil
-    rm /tmp/fcos-workarounds.cil

manifests/shared-el10.yaml

@@ -2,3 +2,30 @@
 packages:
   # GPU Firmware files (not broken out into subpackage of linux-firmware in RHEL yet)
   - amd-gpu-firmware intel-gpu-firmware nvidia-gpu-firmware
+
+# Recent changes in the SELinux policy have broken a lot of our code.
+# Revert the affected domains back to permissive mode so we can
+# continue to build and test `releasever >= 41` until
+# https://github.com/fedora-selinux/selinux-policy/pull/2257 merges
+# and the domains are reverted upstream or until the issue is resolved
+# altogether
+postprocess:
+  - |
+    #!/usr/bin/bash
+    set -eux -o pipefail
+    cat > /tmp/fcos-workarounds.cil << EOF
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2300306
+    (typeattributeset cil_gen_require bootupd_t)
+    (typepermissive bootupd_t)
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2305385
+    (typeattributeset cil_gen_require coreos_installer_t)
+    (typepermissive coreos_installer_t)
+    ; https://bugzilla.redhat.com/show_bug.cgi?id=2306352
+    (typeattributeset cil_gen_require afterburn_t)
+    (typepermissive afterburn_t)
+    EOF
+    /usr/sbin/semodule -i /tmp/fcos-workarounds.cil
+    rm /tmp/fcos-workarounds.cil
+    # Also remove created LOCK files as we don't want those
+    # to end up in /usr/etc
+    rm -f /etc/selinux/targeted/semanage.*.LOCK