Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package microos-tools for openSUSE:Factory
checked in at 2024-10-08 17:23:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/microos-tools (Old)
and /work/SRC/openSUSE:Factory/.microos-tools.new.19354 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "microos-tools"
Tue Oct 8 17:23:02 2024 rev:37 rq:1206112 version:4.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/microos-tools/microos-tools.changes
2024-09-26 18:52:49.763944848 +0200
+++ /work/SRC/openSUSE:Factory/.microos-tools.new.19354/microos-tools.changes
2024-10-08 17:23:17.410227720 +0200
@@ -1,0 +2,13 @@
+Mon Oct 07 13:51:51 UTC 2024 - Fabian Vogt <fv...@suse.com>
+
+- Update to version 4.0:
+ * Release version 4.0
+ * Have the autorelabel hook propagate failure from relabelling
+ * Split SELinux relabelling code into separate package
+ * Make 98selinux-microos usable on non-transactional systems
+ * selinux-autorelabel-generator: Don't hardcode mountpoints
+ * Consistently use tabs in selinux-autorelabel-generator
+ * Add automated testing of SELinux relabelling functionality
+ * Fix OBS workflow for pushes to master
+
+-------------------------------------------------------------------
Old:
----
microos-tools-2.21+git16.obscpio
New:
----
microos-tools-4.0.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ microos-tools.spec ++++++
--- /var/tmp/diff_new_pack.MAbcMX/_old 2024-10-08 17:23:17.918248922 +0200
+++ /var/tmp/diff_new_pack.MAbcMX/_new 2024-10-08 17:23:17.922249089 +0200
@@ -19,7 +19,7 @@
%{!?_distconfdir: %global _distconfdir %{_prefix}%{_sysconfdir}}
Name: microos-tools
-Version: 2.21+git16
+Version: 4.0
Release: 0
Summary: Files and Scripts for openSUSE MicroOS
License: GPL-2.0-or-later
@@ -33,12 +33,22 @@
BuildRequires: pkgconfig(rpm)
BuildRequires: pkgconfig(systemd)
Requires: read-only-root-fs
+Requires: selinux-autorelabel = %{version}
# for man-online
Requires: mandoc-bin
%description
Files, scripts and directories for openSUSE MicroOS.
+%package -n selinux-autorelabel
+Summary: Automatic SELinux relabelling during early boot
+Requires: /usr/bin/findmnt
+Requires: policycoreutils
+
+%description -n selinux-autorelabel
+This package contains a dracut module and systemd generator for relabelling
+the system during early boot.
+
%package -n microos-devel-tools
Summary: Tools to develop MicroOS
@@ -86,7 +96,6 @@
%service_del_postun microos-ro.service
%files
-%license COPYING
%dir %{_sysconfdir}/selinux
%config %{_sysconfdir}/selinux/fixfiles_exclude_dirs
%{_unitdir}/printenv.service
@@ -98,12 +107,15 @@
%dir %{_distconfdir}/tukit.conf.d
%{_distconfdir}/tukit.conf.d/salt-tukit.conf
%{_sbindir}/setup-systemd-proxy-env
+%{_bindir}/man-online
+%{_distconfdir}/profile.d/man-online.sh
+
+%files -n selinux-autorelabel
+%license COPYING
%dir %{_prefix}/lib/dracut
%dir %{_prefix}/lib/dracut/modules.d
%{_prefix}/lib/dracut/modules.d/98selinux-microos
%{_systemdgeneratordir}/selinux-autorelabel-generator
-%{_bindir}/man-online
-%{_distconfdir}/profile.d/man-online.sh
%files -n microos-devel-tools
%{_unitdir}/microos-ro.service
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.MAbcMX/_old 2024-10-08 17:23:17.982251593 +0200
+++ /var/tmp/diff_new_pack.MAbcMX/_new 2024-10-08 17:23:17.986251760 +0200
@@ -1,7 +1,7 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/openSUSE/microos-tools.git</param>
- <param
name="changesrevision">7d23be033a4701998eabd3f1dadea01afce2c910</param></service>
+ <param
name="changesrevision">2415b7e4e235ea0cba7fd94fe6f9114c4cd3b752</param></service>
</servicedata>
(No newline at EOF)
++++++ microos-tools-2.21+git16.obscpio -> microos-tools-4.0.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/.github/workflows/test.yml
new/microos-tools-4.0/.github/workflows/test.yml
--- old/microos-tools-2.21+git16/.github/workflows/test.yml 1970-01-01
01:00:00.000000000 +0100
+++ new/microos-tools-4.0/.github/workflows/test.yml 2024-10-07
15:45:24.000000000 +0200
@@ -0,0 +1,25 @@
+name: MicroOS in QEMU
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ container:
+ image: opensuse/tumbleweed
+ options: --privileged
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies
+ run: |
+ zypper in -y autoconf automake e2fsprogs gcc make dracut qemu-img
qemu-x86 rpm-devel wget
+ - name: Build
+ run: |
+ ./autogen.sh
+ ./configure --sysconfdir=/etc
+ make -j$(nproc)
+ - name: Test
+ run: |
+ bash test/test.sh
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/.obs/workflows.yml
new/microos-tools-4.0/.obs/workflows.yml
--- old/microos-tools-2.21+git16/.obs/workflows.yml 2024-09-25
14:27:11.000000000 +0200
+++ new/microos-tools-4.0/.obs/workflows.yml 2024-10-07 15:45:24.000000000
+0200
@@ -9,10 +9,9 @@
master_workflow:
steps:
- - branch_package:
- source_project: devel:microos:ci:microos-tools
- source_package: microos-tools
- target_project: devel:microos:ci:microos-tools
+ - trigger_services:
+ project: devel:microos:ci:microos-tools
+ package: microos-tools
filters:
event: push
branches:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/NEWS
new/microos-tools-4.0/NEWS
--- old/microos-tools-2.21+git16/NEWS 2024-09-25 14:27:11.000000000 +0200
+++ new/microos-tools-4.0/NEWS 2024-10-07 15:45:24.000000000 +0200
@@ -1,3 +1,22 @@
+Version 4.0:
+- Some refactoring of the SELinux relabelling code
+- The SELinux relabelling code is now usable on non-transactional systems as
well
+- Split SELinux relabelling code into separate package
+- Add automated testing of SELinux relabelling functionality
+- Use multiple threads for SELinux relabelling
+- Don't relabel in the zipl initrd "initgrub" mode
+- 98selinux-microos: Avoid "/sysroot-selinux: not mounted" on new util-linux
+- Install man-online alias only for bash
+- Add man-online command
+- Drop support for sle15 builds
+- Add OBS CI workflow
+- 98selinux-microos: Set mount propagation properly
+- 98selinux-microos: Convert tabs to spaces
+- 98selinux-microos: Don't include setenforce unnecessarily
+- Add spec file
+- systemd-proxy-env: fix typos in setup-systemd-proxy-env
+- Bump version to 4.0 to have a higher version than the previous
selinux-autorelabel
+
Version 2.21:
- 98selinux-microos: Work around overlayfs bug [bsc#1210690]
- 98selinux-microos: Create .relabelled marker before relabelling
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/README.md
new/microos-tools-4.0/README.md
--- old/microos-tools-2.21+git16/README.md 2024-09-25 14:27:11.000000000
+0200
+++ new/microos-tools-4.0/README.md 2024-10-07 15:45:24.000000000 +0200
@@ -11,10 +11,13 @@
## SELinux
-MicroOS has preliminary support for SELinux.
+MicroOS has support for SELinux.
If the file `/etc/selinux/.autorelabel` exists, the dracut module
`98selinux-microos` will label the root filesystem including
-`/etc` and `/var`.
+`/etc` and `/var`. The selinux-autorelabel-generator will generate
+services to relabel other mountpoints during boot.
+
+There is a script for automated testing of this in test/test.sh.
## locale-check
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/configure.ac
new/microos-tools-4.0/configure.ac
--- old/microos-tools-2.21+git16/configure.ac 2024-09-25 14:27:11.000000000
+0200
+++ new/microos-tools-4.0/configure.ac 2024-10-07 15:45:24.000000000 +0200
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
-AC_INIT([microos-tools], [2.21])
+AC_INIT([microos-tools], [4.0])
AM_INIT_AUTOMAKE
AC_PREFIX_DEFAULT(/usr)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/microos-tools.spec
new/microos-tools-4.0/microos-tools.spec
--- old/microos-tools-2.21+git16/microos-tools.spec 2024-09-25
14:27:11.000000000 +0200
+++ new/microos-tools-4.0/microos-tools.spec 2024-10-07 15:45:24.000000000
+0200
@@ -19,7 +19,7 @@
%{!?_distconfdir: %global _distconfdir %{_prefix}%{_sysconfdir}}
Name: microos-tools
-Version: 2.21+git0
+Version: 4.0
Release: 0
Summary: Files and Scripts for openSUSE MicroOS
License: GPL-2.0-or-later
@@ -33,12 +33,22 @@
BuildRequires: pkgconfig(rpm)
BuildRequires: pkgconfig(systemd)
Requires: read-only-root-fs
+Requires: selinux-autorelabel = %{version}
# for man-online
Requires: mandoc-bin
%description
Files, scripts and directories for openSUSE MicroOS.
+%package -n selinux-autorelabel
+Summary: Automatic SELinux relabelling during early boot
+Requires: /usr/bin/findmnt
+Requires: policycoreutils
+
+%description -n selinux-autorelabel
+This package contains a dracut module and systemd generator for relabelling
+the system during early boot.
+
%package -n microos-devel-tools
Summary: Tools to develop MicroOS
@@ -86,7 +96,6 @@
%service_del_postun microos-ro.service
%files
-%license COPYING
%dir %{_sysconfdir}/selinux
%config %{_sysconfdir}/selinux/fixfiles_exclude_dirs
%{_unitdir}/printenv.service
@@ -98,12 +107,15 @@
%dir %{_distconfdir}/tukit.conf.d
%{_distconfdir}/tukit.conf.d/salt-tukit.conf
%{_sbindir}/setup-systemd-proxy-env
+%{_bindir}/man-online
+%{_distconfdir}/profile.d/man-online.sh
+
+%files -n selinux-autorelabel
+%license COPYING
%dir %{_prefix}/lib/dracut
%dir %{_prefix}/lib/dracut/modules.d
%{_prefix}/lib/dracut/modules.d/98selinux-microos
%{_systemdgeneratordir}/selinux-autorelabel-generator
-%{_bindir}/man-online
-%{_distconfdir}/profile.d/man-online.sh
%files -n microos-devel-tools
%{_unitdir}/microos-ro.service
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/microos-tools-2.21+git16/selinux/98selinux-microos/module-setup.sh
new/microos-tools-4.0/selinux/98selinux-microos/module-setup.sh
--- old/microos-tools-2.21+git16/selinux/98selinux-microos/module-setup.sh
2024-09-25 14:27:11.000000000 +0200
+++ new/microos-tools-4.0/selinux/98selinux-microos/module-setup.sh
2024-10-07 15:45:24.000000000 +0200
@@ -3,6 +3,25 @@
# called by dracut
check() {
test -f /etc/selinux/config || return 1
+
+ # Relabelling /etc and /var from the initrd needs support for mounting,
+ # "chroot mount /..." still loads modules from the initrd.
+ # Dracut handles /etc already, but for /var we need to DIY.
+ if [[ -f $dracutsysrootdir/etc/fstab ]]; then
+ _dev="$(findmnt --fstab --noheadings --output SOURCE /var --tab-file
"$dracutsysrootdir/etc/fstab")"
+ if [[ -n $_dev ]]; then
+ _fstype="$(findmnt --fstab --noheadings --output FSTYPE /var
--tab-file "$dracutsysrootdir/etc/fstab")"
+ _dev="$(expand_persistent_dev "$_dev")"
+ _dev="$(readlink -f "$_dev")"
+ if [[ -b $_dev ]]; then
+ push_host_devs "$_dev"
+ if [[ -z ${host_fs_types["$_dev"]} ]]; then
+ host_fs_types["$_dev"]="$_fstype"
+ fi
+ fi
+ fi
+ fi
+
return 0
}
@@ -14,5 +33,5 @@
# called by dracut
install() {
inst_hook pre-pivot 50 "$moddir/selinux-microos-relabel.sh"
- inst_multiple chroot cut grep
+ inst_multiple chroot cut findmnt grep
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/microos-tools-2.21+git16/selinux/98selinux-microos/selinux-microos-relabel.sh
new/microos-tools-4.0/selinux/98selinux-microos/selinux-microos-relabel.sh
---
old/microos-tools-2.21+git16/selinux/98selinux-microos/selinux-microos-relabel.sh
2024-09-25 14:27:11.000000000 +0200
+++ new/microos-tools-4.0/selinux/98selinux-microos/selinux-microos-relabel.sh
2024-10-07 15:45:24.000000000 +0200
@@ -26,10 +26,19 @@
{
info "SELinux: relabeling root filesystem"
+ root_is_btrfs=
+ if [ "$(findmnt --noheadings --output FSTYPE --target "$NEWROOT")" =
"btrfs" ]; then
+ root_is_btrfs=y
+ fi
+ etc_is_overlay=
+ if [ "$(findmnt --fstab --noheadings --output FSTYPE /etc --tab-file
"${NEWROOT}/etc/fstab")" = "overlay" ]; then
+ etc_is_overlay=y
+ fi
+
# If this doesn't exist because e.g. it's not mounted yet due to a bug
# (boo#1197309), the exclusion is ignored. If it gets mounted during
# the relabel, it gets wrong labels assigned.
- if ! [ -d "$NEWROOT/var/lib/overlay" ]; then
+ if [ -n "$etc_is_overlay" ] && ! [ -d "$NEWROOT/var/lib/overlay" ]; then
warn "ERROR: /var/lib/overlay doesn't exist - /var not mounted (yet)?"
return 1
fi
@@ -49,23 +58,40 @@
fi
done
if [ $ret -eq 0 ]; then
+ # Mount /var and /etc, need to be relabelled as well for booting.
+ for mp in /var /etc; do
+ if ! findmnt "${ROOT_SELINUX}${mp}" >/dev/null \
+ && findmnt --fstab --output TARGET --tab-file
"${ROOT_SELINUX}/etc/fstab" "$mp" >/dev/null; then
+ chroot "$ROOT_SELINUX" mount "$mp" || ret=1
+ fi
+ done
+ fi
+ if [ $ret -eq 0 ]; then
info "SELinux: mount root read-write and relabel"
mount -o remount,rw "${ROOT_SELINUX}"
- oldrovalue="$(btrfs prop get "${ROOT_SELINUX}" ro | cut -d= -f2)"
- btrfs prop set "${ROOT_SELINUX}" ro false
+ if [ -n "$root_is_btrfs" ]; then
+ oldrovalue="$(btrfs prop get "${ROOT_SELINUX}" ro | cut -d= -f2)"
+ btrfs prop set "${ROOT_SELINUX}" ro false
+ fi
FORCE=
[ -e "${ROOT_SELINUX}"/etc/selinux/.autorelabel ] && FORCE="$(cat
"${ROOT_SELINUX}"/etc/selinux/.autorelabel)"
. "${ROOT_SELINUX}"/etc/selinux/config
# Marker when we had relabelled the filesystem. This is relabelled as
well.
> "${ROOT_SELINUX}"/etc/selinux/.relabelled
- LANG=C chroot "$ROOT_SELINUX" /sbin/setfiles $FORCE -T 0 -e
/var/lib/overlay -e /proc -e /sys -e /dev -e /etc
"/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" $(chroot
"$ROOT_SELINUX" cut -d" " -f2 /proc/mounts)
- # On overlayfs, st_dev isn't consistent so setfiles thinks it's a
different mountpoint, ignoring it.
- # st_dev changes also on copy-up triggered by setfiles itself, so the
only way to relabel properly
- # is to list every file explicitly.
- # That's not all: There's a kernel bug that security.selinux of parent
directories is lost on copy-up (bsc#1210690).
- # Work around that by visiting children first and only then the parent
directories.
- LANG=C chroot "$ROOT_SELINUX" find /etc -depth -exec /sbin/setfiles
$FORCE "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" \{\} +
- btrfs prop set "${ROOT_SELINUX}" ro "${oldrovalue}"
+ if [ -n "$etc_is_overlay" ]; then
+ LANG=C chroot "$ROOT_SELINUX" /sbin/setfiles $FORCE -T 0 -e
/var/lib/overlay -e /proc -e /sys -e /dev -e /etc
"/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" $(chroot
"$ROOT_SELINUX" cut -d" " -f2 /proc/mounts)
+ # On overlayfs, st_dev isn't consistent so setfiles thinks it's a
different mountpoint, ignoring it.
+ # st_dev changes also on copy-up triggered by setfiles itself, so
the only way to relabel properly
+ # is to list every file explicitly.
+ # That's not all: There's a kernel bug that security.selinux of
parent directories is lost on copy-up (bsc#1210690).
+ # Work around that by visiting children first and only then the
parent directories.
+ LANG=C chroot "$ROOT_SELINUX" find /etc -depth -exec
/sbin/setfiles $FORCE
"/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" \{\} +
+ else
+ LANG=C chroot "$ROOT_SELINUX" /sbin/setfiles $FORCE -T 0 -e /proc
-e /sys -e /dev "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts"
$(chroot "$ROOT_SELINUX" cut -d" " -f2 /proc/mounts)
+ fi
+ if [ -n "$root_is_btrfs" ]; then
+ btrfs prop set "${ROOT_SELINUX}" ro "${oldrovalue}"
+ fi
fi
umount -R "${ROOT_SELINUX}"
@@ -79,23 +105,25 @@
return $ret
}
-if test -e "$NEWROOT"/.autorelabel -a "$NEWROOT"/.autorelabel -nt
"$NEWROOT"/etc/selinux/.relabelled ; then
- cp -a "$NEWROOT"/.autorelabel "$NEWROOT"/etc/selinux/.autorelabel
+if [ -e "$NEWROOT"/.autorelabel ] && [ "$NEWROOT"/.autorelabel -nt
"$NEWROOT"/etc/selinux/.relabelled ]; then
+ mount -o remount,rw "$NEWROOT" || return 1
+ cp -a "$NEWROOT"/.autorelabel "$NEWROOT"/etc/selinux/.autorelabel ||
return 1
rm -f "$NEWROOT"/.autorelabel 2>/dev/null
fi
if rd_is_selinux_enabled; then
- if test -f "$NEWROOT"/etc/selinux/.autorelabel; then
- rd_microos_relabel
- elif getarg "autorelabel" > /dev/null; then
- rd_microos_relabel
+ if [ -f "$NEWROOT"/etc/selinux/.autorelabel ] || getarg "autorelabel" >
/dev/null; then
+ if ! rd_microos_relabel; then
+ warn "SELinux autorelabelling failed!"
+ return 1
+ fi
fi
elif test -e "$NEWROOT"/etc/selinux/.relabelled; then
# SELinux is off but looks like some labeling took place before.
# So probably a boot with manually disabled SELinux. Make sure
# the system gets relabelled next time SELinux is on.
> "$NEWROOT"/etc/selinux/.autorelabel
- warn "SElinux is off in labelled system!"
+ warn "SELinux is off in labelled system!"
fi
return 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/microos-tools-2.21+git16/selinux/selinux-autorelabel-generator
new/microos-tools-4.0/selinux/selinux-autorelabel-generator
--- old/microos-tools-2.21+git16/selinux/selinux-autorelabel-generator
2024-09-25 14:27:11.000000000 +0200
+++ new/microos-tools-4.0/selinux/selinux-autorelabel-generator 2024-10-07
15:45:24.000000000 +0200
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -e
+#!/bin/bash
+set -euo pipefail
# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel. If so, services will be enabled to
@@ -8,65 +8,67 @@
# If invoked with no arguments (for testing) write to /tmp.
generatordir="/tmp"
-if [ -n "$1" ]; then
- generatordir="$1"
+if [ -n "${1-}" ]; then
+ generatordir="$1"
fi
enable_units() {
- mkdir -p "${generatordir}"/local-fs.target.requires
+ mkdir -p "${generatordir}"/local-fs.target.requires
- relabel_unit_list=""
+ relabel_unit_list=""
- for realdir in "/.snapshots" "/home" "/opt" "/root" "/srv" "/usr/local" \
- "/boot/grub2/i386-pc" "/boot/grub2/x86_64-efi" \
- "/boot/grub2/arm64-efi" "/boot/writable"; do
- # Make sure the directory exist, else we create
- # services for non existing mount points
- test -d "${realdir}" || continue
- mountunit=$(systemd-escape --path ${realdir})
- unitfile="${mountunit}-relabel.service"
- relabel_unit_list="$unitfile $relabel_unit_list"
+ while read -r realdir; do
+ # Skip non-fs (swap) mounts, /, /var, /etc (already done in the
initrd) and mountpoints with noauto
+ if [ "${realdir:0:1}" != "/" ] \
+ || [ "${realdir}" = "/" ] || [ "${realdir}" = "/var" ] || [
"${realdir}" = "/etc" ] \
+ || findmnt --fstab --noheadings --output OPTIONS --target
"${realdir}" | grep -qw noauto; then
+ continue
+ fi
+
+ mountunit=$(systemd-escape --path "${realdir}")
+ unitfile="${mountunit}-relabel.service"
+ relabel_unit_list="$unitfile $relabel_unit_list"
+
+ opts="-T 0"
+ [ "${realdir}" == "/.snapshots" ] && opts="${opts} -x"
+
+ cat >"${generatordir}/${unitfile}" <<-EOF
+ [Unit]
+ Description=Relabel ${realdir}
+ DefaultDependencies=no
+ RequiresMountsFor=${realdir}
+ Before=local-fs.target
+ ConditionSecurity=selinux
+
+ [Service]
+ Type=oneshot
+ ExecStart=/sbin/restorecon -R ${opts} ${realdir}
+ EOF
- opts="-T 0"
- [ "${realdir}" == "/.snapshots" ] && opts="${opts} -x"
+ ln -sf ../"${unitfile}"
"${generatordir}"/local-fs.target.requires/"${unitfile}"
+ done < <(findmnt --fstab --noheadings --output TARGET)
+ unitfile="mark-autorelabel-done.service"
cat >"${generatordir}/${unitfile}" <<-EOF
[Unit]
- Description=Relabel ${realdir}
+ Description=Mark autorelabel as done
DefaultDependencies=no
- RequiresMountsFor=${realdir}
Before=local-fs.target
+ After=${relabel_unit_list}
+ Requires=${relabel_unit_list}
ConditionSecurity=selinux
+ ConditionPathExists=/etc/selinux/.autorelabel
[Service]
Type=oneshot
- ExecStart=/sbin/restorecon -R ${opts} ${realdir}
- EOF
-
- ln -sf ../"${unitfile}"
"${generatordir}"/local-fs.target.requires/"${unitfile}"
- done
-
- unitfile="mark-autorelabel-done.service"
- cat >"${generatordir}/${unitfile}" <<-EOF
- [Unit]
- Description=Mark autorelabel as done
- DefaultDependencies=no
- Before=local-fs.target
- After=${relabel_unit_list}
- Requires=${relabel_unit_list}
- ConditionSecurity=selinux
- ConditionPathExists=/etc/selinux/.autorelabel
-
- [Service]
- Type=oneshot
- ExecStart=/usr/bin/rm /etc/selinux/.autorelabel
+ ExecStart=/usr/bin/rm /etc/selinux/.autorelabel
EOF
- ln -sf "../${unitfile}"
"${generatordir}/local-fs.target.requires/${unitfile}"
+ ln -sf "../${unitfile}"
"${generatordir}/local-fs.target.requires/${unitfile}"
}
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
- if [ -f /etc/selinux/.autorelabel ] || grep -wq autorelabel /proc/cmdline;
then
- enable_units
- fi
+ if [ -f /etc/selinux/.autorelabel ] || grep -wq autorelabel
/proc/cmdline; then
+ enable_units
+ fi
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/test/test.sh
new/microos-tools-4.0/test/test.sh
--- old/microos-tools-2.21+git16/test/test.sh 1970-01-01 01:00:00.000000000
+0100
+++ new/microos-tools-4.0/test/test.sh 2024-10-07 15:45:24.000000000 +0200
@@ -0,0 +1,98 @@
+#!/bin/bash
+set -euxo pipefail
+
+# Some basic testing, mostly for the SELinux relabelling on first boot:
+# 1. Download the latest MicroOS image
+# 2. Use combustion to install microos-selinux, regenerate the initrd
+# and transfer kernel + initrd to the host using 9pfs
+# 3. Revert the image to the original state
+# 4. Boot the image with the new initrd and use combustion to perform
+# some tests to ensure the system booted correctly and was properly
+# labelled.
+
+# Skip the generation of a new initrd with the changed combustion.
+# Only useful when iterating this test script.
+reuseinitrd=
+if [ "${1-}" = "--reuseinitrd" ]; then
+ reuseinitrd=1
+ shift
+fi
+
+# Working dir which is also exposed to the VM through 9pfs.
+# If not specified, create a temporary directory which is deleted on exit.
+if [ -n "${1-}" ]; then
+ tmpdir="$(realpath "$1")"
+else
+ tmpdir="$(mktemp -d)"
+ cleanup() {
+ rm -rf "$tmpdir"
+ }
+ trap cleanup EXIT
+fi
+
+QEMU_BASEARGS=(
+ # -accel tcg was here after -accel kvm but the fallback hid a weird bug
+ # that in GH actions only the first instance of QEMU was able to access
/dev/kvm.
+ -accel kvm -nographic -m 1024 -smp 4
+ # Reading from stdin doesn't work, configure serial and monitor
appropriately.
+ -chardev null,id=serial,logfile=/dev/stdout,logappend=on -serial
chardev:serial -monitor none
+ -virtfs
"local,path=${tmpdir},mount_tag=tmpdir,security_model=mapped-xattr")
+
+# Prepare the temporary dir: Install microos-tools and copy resources.
+testdir="$(dirname "$0")"
+make -C "${testdir}/.." install "DESTDIR=${tmpdir}/install"
+cp "${testdir}/testscript" "${tmpdir}"
+cd "$tmpdir"
+
+# Download latest MicroOS image
+if ! [ -f openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 ]; then
+ wget --progress=bar:force:noscroll
https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2
+ qemu-img snapshot -c initial openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2
+else
+ qemu-img snapshot -a initial openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2
+fi
+
+# First step: Use combustion in the downloaded image to generate an initrd
with the new 98selinux-microos.
+if ! [ -n "${reuseinitrd}" ] || ! [ -e "${tmpdir}/vmlinuz" ] || ! [ -e
"${tmpdir}/initrd" ]; then
+ rm -f "${tmpdir}/done"
+ cat >create-initrd <<'EOF'
+#!/bin/bash
+# Workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1230912
+# combustion: network
+set -euxo pipefail
+exec &>/dev/ttyS0
+trap '[ $? -eq 0 ] || poweroff -f' EXIT
+mount -t 9p -o trans=virtio tmpdir /mnt
+cp -av /mnt/install/usr /
+cp /usr/lib/modules/$(uname -r)/vmlinuz /mnt/vmlinuz
+dracut -f --no-hostonly /mnt/initrd
+touch /mnt/done
+umount /mnt
+SYSTEMD_IGNORE_CHROOT=1 poweroff -f
+EOF
+
+ timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive
if=virtio,file=openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 \
+ -fw_cfg
name=opt/org.opensuse.combustion/script,file=create-initrd
+
+ if ! [ -e "${tmpdir}/done" ]; then
+ echo "Initrd generation failed"
+ exit 1
+ fi
+fi
+
+# Test using a config drive
+rm -f "${tmpdir}/done"
+qemu-img snapshot -a initial openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2
+
+mkdir -p configdrv/combustion/
+cp testscript configdrv/combustion/script
+/sbin/mkfs.ext4 -F -d configdrv -L ignition combustion.raw 16M
+
+timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive
if=virtio,file=openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 \
+ -kernel vmlinuz -initrd initrd -append "root=LABEL=ROOT console=ttyS0
security=selinux selinux=1 quiet systemd.show_status=1
systemd.log_target=console systemd.journald.forward_to_console=1
rd.emergency=poweroff rd.shell=0" \
+ -drive if=virtio,file=combustion.raw
+
+if ! [ -e "${tmpdir}/done" ]; then
+ echo "Test failed"
+ exit 1
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/microos-tools-2.21+git16/test/testscript
new/microos-tools-4.0/test/testscript
--- old/microos-tools-2.21+git16/test/testscript 1970-01-01
01:00:00.000000000 +0100
+++ new/microos-tools-4.0/test/testscript 2024-10-07 15:45:24.000000000
+0200
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Work around for https://bugzilla.opensuse.org/show_bug.cgi?id=1230912
+# combustion: network
+set -euxo pipefail
+exec &>/dev/ttyS0
+# Poweroff immediately on any failure to avoid unnecessary waiting.
+trap '[ $? -eq 0 ] || poweroff -f' EXIT
+
+# Remove old microos-tools
+rpm -e --nodeps --noscripts --nodb microos-tools
+# Install microos-tools
+mount -t 9p -o trans=virtio tmpdir /mnt
+chown -R root:root /mnt/install/usr
+cp -av /mnt/install/usr /
+umount /mnt
+
+# Make sure that the system comes up good, leave a marker in the shared FS
+# and power off the VM.
+cat >>/usr/bin/combustion-validate <<'EOF'
+#!/bin/bash
+set -euxo pipefail
+exec &>/dev/ttyS0
+trap '[ $? -eq 0 ] || poweroff -f' EXIT
+# Print a list of files which have SELinux label mismatches
+if restorecon -nvR -e /.snapshots -e /run / | grep -v wtmpdb | grep "Would
relabel"; then
+ echo "Some labels aren't correct?"
+ exit 1
+fi
+mount -t 9p -o trans=virtio tmpdir /mnt
+touch /mnt/done
+umount /mnt
+poweroff -f
+EOF
+chmod a+x /usr/bin/combustion-validate
+
+cat >>/etc/systemd/system/combustion-validate.service <<'EOF'
+[Service]
+ExecStart=/usr/bin/combustion-validate
+[Install]
+RequiredBy=default.target
+EOF
+systemctl enable combustion-validate.service
++++++ microos-tools.obsinfo ++++++
--- /var/tmp/diff_new_pack.MAbcMX/_old 2024-10-08 17:23:18.114257102 +0200
+++ /var/tmp/diff_new_pack.MAbcMX/_new 2024-10-08 17:23:18.118257269 +0200
@@ -1,5 +1,5 @@
name: microos-tools
-version: 2.21+git16
-mtime: 1727267231
-commit: 7d23be033a4701998eabd3f1dadea01afce2c910
+version: 4.0
+mtime: 1728308724
+commit: 2415b7e4e235ea0cba7fd94fe6f9114c4cd3b752
