Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix install_t again #284

Merged
merged 3 commits into from
Jan 25, 2024
Merged

Fix install_t again #284

merged 3 commits into from
Jan 25, 2024

Commits on Jan 24, 2024

  1. lsm: Make setenforce 0 fallback require BOOTC_SETENFORCE0_FALLBACK 

    We shouldn't perform global system mutation without an opt-in.
As painful as it is.

Signed-off-by: Colin Walters <walters@verbum.org>
    @cgwalters
    cgwalters committed Jan 24, 2024
    Configuration menu
    Copy the full SHA
    f45f0f0 View commit details
    Browse the repository at this point in the history

  2. lsm: Test if we have install_t capability 

    Hardcoding `install_t` is a bit ugly; maybe at some point
things change so that `spc_t` has `install_t` privileges.

Let's do a runtime check if we can set an invalid label; if
so then we're good.

Signed-off-by: Colin Walters <walters@verbum.org>
    @cgwalters
    cgwalters committed Jan 24, 2024
    Configuration menu
    Copy the full SHA
    8aff5dd View commit details
    Browse the repository at this point in the history

Commits on Jan 25, 2024

  1. lsm: Make a not-nosuid /tmp 

    This was the thing that was breaking our `unconfined_t` -> `install_t`
transition; the host `/tmp` is `nosuid`.  It simplifies things
here to just make our own, so do that.

Signed-off-by: Colin Walters <walters@verbum.org>
    @cgwalters
    cgwalters committed Jan 25, 2024
    Configuration menu
    Copy the full SHA
    f2d5949 View commit details
    Browse the repository at this point in the history