Skip to content

Run restorecon after materialising files #2394

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Run restorecon after materialising files #2394

wants to merge 11 commits into from

Conversation

hedge-sparrow
Copy link
Member

@hedge-sparrow hedge-sparrow commented Jun 30, 2025
edited
Loading

What this PR does / why we need it:

Enables Embedded Cluster to install in selinux environments by:

  • Setting selinux bin_t file context on our bin directory.
  • Restoring selinux contexts for data-dir after creation.

Which issue(s) this PR fixes:

Does this PR require a test?

Does this PR require a release note?

Does this PR require documentation?

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 30, 2025
edited
Loading

This PR has been released (on staging) and is available for download with a embedded-cluster-smoke-test-staging-app license ID.

Online Installer:

curl "https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci/appver-dev-f5b7038" -H "Authorization: $EC_SMOKE_TEST_LICENSE_ID" -o embedded-cluster-smoke-test-staging-app-ci.tgz

Airgap Installer (may take a few minutes before the airgap bundle is built):

curl "https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci-airgap/appver-dev-f5b7038?airgap=true" -H "Authorization: $EC_SMOKE_TEST_LICENSE_ID" -o embedded-cluster-smoke-test-staging-app-ci.tgz

Happy debugging!

@hedge-sparrow
Copy link
Member Author

hedge-sparrow commented Jul 1, 2025
edited
Loading

TODO:

  • work out how we test this.
  • add preflights to catch incorrect path contexts post materialisation

@hedge-sparrow
Copy link
Member Author

The preflight would have to be a run collector that checks:

  • is selinux present on the system
  • is it in enforcing mode
  • if both are true, check file contexts on $data-dir/bin

ajp-io
ajp-io reviewed Jul 2, 2025
View reviewed changes
@hedge-sparrow hedge-sparrow marked this pull request as ready for review July 3, 2025 14:09
@hedge-sparrow hedge-sparrow requested a review from ajp-io July 3, 2025 14:09
@hedge-sparrow hedge-sparrow force-pushed the ash/restorecon branch 2 times, most recently from e285016 to b8560c5 Compare July 7, 2025 14:50
@hedge-sparrow
Copy link
Member Author

I've rolled back my test changes after a discussion with @chris-sanders.

I've performed manual testing on selinux enabled systems that prove that this works, but was having significant trouble porting the single node alma linux test over to the cmx testing framework so that we can test automatically with selinux enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajp-io ajp-io Awaiting requested review from ajp-io

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
type::feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hedge-sparrow @ajp-io