From e26efe09f3dd70b88e4feec75f314dd16d954491 Mon Sep 17 00:00:00 2001 From: Richard Maw Date: Tue, 30 Apr 2024 17:23:02 +0100 Subject: [PATCH] mkosi: Disable selinux labelling and install policy in initramfs It is necessary to install the selinux policy in the initramfs so that userland is entered with the correct label. SELinuxRelabel defaults to auto, which will skip if the relabelling command is not installed and will treat failure to relabel as non-fatal. We can't force it on because root privileges are required if the labels don't exist on the host system and we would like to be able to cross-build from other distributions. Since we are already committed to relabelling on first boot there is no value in even trying to label. --- .../10-centos-fedora/mkosi.conf.d/10-selinux.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf index 3dc1143fc84..9fe5509695f 100644 --- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf +++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf @@ -10,3 +10,11 @@ Packages= selinux-policy selinux-policy-targeted setools-console + +# We relabel on first boot instead of at build time because it is only possible to label without root +# if the labels exist in the host system, and we want to be able to cross-build to other distributions. +SELinuxRelabel=no + +InitrdPackages= + selinux-policy + selinux-policy-targeted -- 2.47.3
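
Review bot: the new comment above `SELinuxRelabel=no` states "We relabel on first boot", but nothing in this hunk shows what triggers that relabel. With build-time labelling switched off, the image ships without labels and depends entirely on that first-boot step, so the comment should name where it is configured to make the dependency visible to anyone who later changes either side. The comment also says "cross-build to other distributions" while the commit message says "cross-build from other distributions"; the commit message wording matches the stated reason (labels missing on the host), so the comment should use "from". Finally, `InitrdPackages=` repeats `selinux-policy` and `selinux-policy-targeted` from `Packages=`; a short comment that the initrd needs the same policy as the root filesystem, so that userland is entered with the correct label, would explain why the two lists have to stay in step.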