Disable selinux relabeling by default for directory images

author Daan De Meyer <daan.j.demeyer@gmail.com>

Sun, 30 Mar 2025 15:10:00 +0000 (17:10 +0200)

committer Daan De Meyer <daan.j.demeyer@gmail.com>

Mon, 31 Mar 2025 11:47:22 +0000 (13:47 +0200)
author Daan De Meyer <daan.j.demeyer@gmail.com>
Sun, 30 Mar 2025 15:10:00 +0000 (17:10 +0200)
committer Daan De Meyer <daan.j.demeyer@gmail.com>
Mon, 31 Mar 2025 11:47:22 +0000 (13:47 +0200)
diff --git a/mkosi/config.py b/mkosi/config.py

index cb92faff1ca3ebff236daad8a7bd58c66eb5770e..66016b8df857025c3218a17019034c251197f6a1 100644 (file)
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -5646,11 +5646,16 @@ def json_type_transformer(refcls: Union[type[Args], type[Config]]) -> Callable[[
  
  
  def want_selinux_relabel(
-    config: Config, root: Path, fatal: bool = True
+    config: Config,
+    root: Path,
+    fatal: bool = True,
  ) -> Optional[tuple[Path, str, Path, Path]]:
      if config.selinux_relabel == ConfigFeature.disabled:
          return None
  
+    if config.selinux_relabel == ConfigFeature.auto and config.output_format == OutputFormat.directory:
+        return None
+
      selinux = root / "etc/selinux/config"
      if not selinux.exists():
          if fatal and config.selinux_relabel == ConfigFeature.enabled:
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md

index d22ee789b3c6c8af12dca7dc7f3410f06d2d57d3..9c113e6bd71345990678b89c98efa797f4bddc49 100644 (file)
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -1165,9 +1165,10 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
      disabled, files will not relabeled. If enabled, an SELinux policy has
      to be installed in the image and **setfiles** has to be available to
      relabel files. If any errors occur during **setfiles**, the build will
-    fail. If set to `auto`, files will be relabeled if an SELinux policy
-    is installed in the image and if **setfiles** is available. Any errors
-    occurred during **setfiles** will be ignored.
+    fail. If set to `auto`, files will be relabeled if mkosi is not
+    building a directory image, an SELinux policy is installed in the
+    image and if **setfiles** is available. Any errors occurred during
+    **setfiles** will be ignored.
  
      Note that when running unprivileged, **setfiles** will fail to set any
      labels that are not in the host's SELinux policy. To ensure **setfiles**
diff --git a/mkosi/resources/mkosi-tools/mkosi.conf b/mkosi/resources/mkosi-tools/mkosi.conf

index a7359327da24c12c59cd49a2e9e92493e8f772fa..6cfd27eb8416cdf0683bc28962b51752a1c87e8b 100644 (file)
--- a/mkosi/resources/mkosi-tools/mkosi.conf
+++ b/mkosi/resources/mkosi-tools/mkosi.conf
@@ -6,7 +6,6 @@ Output=mkosi.tools
  
  [Content]
  Bootable=no
-SELinuxRelabel=no
  Packages=
          ca-certificates
          coreutils
author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Sun, 30 Mar 2025 15:10:00 +0000 (17:10 +0200)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Mon, 31 Mar 2025 11:47:22 +0000 (13:47 +0200)
mkosi/config.py		patch \| blob \| blame \| history
mkosi/resources/man/mkosi.1.md		patch \| blob \| blame \| history
mkosi/resources/mkosi-tools/mkosi.conf		patch \| blob \| blame \| history