Relabel / and /rw if needed #541

Open

DemiMarie
Contributor

Creating /.autorelabel must cause a Qubes OS VM to relabel everything, as otherwise users will not be able to troubleshoot their systems and upstream packages that create it will break. However, it was ignored, so fix that.

Furthermore, relabel the filesystem of a TemplateBasedVM whenever its TemplateVM has been relabeled since the TemplateBasedVM was. This ensures that policy changes propagate to TemplateBasedVMs too.

@marmarek
Member

This fails to build...

But also, shouldn't this reference #9663 ?
And additionally, I think we need the updater to support handling reboot for relabeling after an update that requires it...

@DemiMarie DemiMarie marked this pull request as draft December 23, 2024 01:51
@DemiMarie
Contributor Author

I meant for this to be a draft because I hadn’t tested it, hence the build failure.

@DemiMarie DemiMarie force-pushed the relabel-rw-if-needed branch from 2abb91f to ee39235 Compare December 23, 2024 02:14
@DemiMarie
Contributor Author

I didn’t reference #9663 because I don’t know if this actually fixes that issue.

@DemiMarie DemiMarie force-pushed the relabel-rw-if-needed branch 3 times, most recently from 523b6d5 to da46272 Compare December 27, 2024 14:09

codecov bot commented Dec 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.57%. Comparing base (74d07bb) to head (31bb12a).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #541   +/-   ##
=======================================
  Coverage   70.57%   70.57%           
=======================================
  Files           3        3           
  Lines         469      469           
=======================================
  Hits          331      331           
  Misses        138      138           


@@ -0,0 +1,6 @@
#!/bin/bash --
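Review bot: the `#!/bin/bash --` shebang on line 1 of this new 6-line file commits the script to bash, and the visible part of the hunk gives no reason for that. If the remaining lines depend on a bash-only construct, name it in a one-line comment directly under the shebang so a later cleanup does not switch the interpreter to /bin/sh.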
Member

What bash features do you use here? I'd prefer /bin/sh (and consequently shellcheck noticing non-POSIX features) in scripts that don't absolutely need bash (for example to have proper arrays).

Contributor Author

-nt is not part of POSIX.
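
An added example, not code from this pull request: a POSIX sh version of the relabel decision the PR description states (`/.autorelabel` present, or the template relabeled more recently than the TemplateBasedVM), using `find -newer` where bash would use `-nt`. The marker file names and the functions `is_newer` and `relabel_reason` are hypothetical; the page does not show the contents of the real script.

```shell
#!/bin/sh
# Added illustration; NOT the PR's init/relabel-rw.sh.
# Marker names are assumptions made for this example only.
ROOT_MARKER=.relabeled-root   # assumed: touched when the template root fs is relabeled
RW_MARKER=.relabeled-rw       # assumed: touched when this VM's /rw is relabeled

# is_newer A B: succeed if A exists and B is missing or strictly older.
# Mirrors the semantics of bash's "A -nt B" using only POSIX find.
is_newer() {
    [ -e "$1" ] || return 1
    [ -e "$2" ] || return 0
    # -prune keeps find from descending if A is a directory;
    # output is non-empty only when A's mtime is later than B's.
    [ -n "$(find "$1" -prune -newer "$2" 2>/dev/null)" ]
}

# relabel_reason ROOT RW: print the reason a relabel is due and return 0,
# or print "none" and return 1.
relabel_reason() {
    root=$1
    rw=$2
    # Condition 1 from the PR description: /.autorelabel was created.
    if [ -e "$root/.autorelabel" ]; then
        echo autorelabel-flag
        return 0
    fi
    # Condition 2: the template was relabeled after this VM last was.
    if is_newer "$root/$ROOT_MARKER" "$rw/$RW_MARKER"; then
        echo template-relabeled-later
        return 0
    fi
    echo none
    return 1
}
```

Called as `relabel_reason / /rw`, the function leaves the actual relabel and the marker update to the caller.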

init/relabel-rw.sh (outdated, resolved)
@DemiMarie DemiMarie force-pushed the relabel-rw-if-needed branch from da46272 to d3212f6 Compare January 5, 2025 18:30
@DemiMarie DemiMarie force-pushed the relabel-rw-if-needed branch 2 times, most recently from b026dca to 360c8aa Compare January 7, 2025 19:07
@DemiMarie DemiMarie marked this pull request as ready for review January 8, 2025 03:26
@DemiMarie DemiMarie force-pushed the relabel-rw-if-needed branch from 360c8aa to 6a12d32 Compare January 8, 2025 03:28
@DemiMarie DemiMarie requested a review from marmarek January 8, 2025 03:29
@marmarek
Member

marmarek commented Jan 8, 2025

shellcheck needs a comment near sourcing /etc/selinux/config

@DemiMarie DemiMarie force-pushed the relabel-rw-if-needed branch 3 times, most recently from 612c68c to 93141bd Compare January 8, 2025 17:57
Creating /.autorelabel must cause a Qubes OS VM to relabel everything,
as otherwise users will not be able to troubleshoot their systems and
upstream packages that create it will break.  However, it was ignored,
so fix that.

Furthermore, relabel the filesystem of a TemplateBasedVM whenever its
TemplateVM has been relabeled since the TemplateBasedVM was.  This
ensures that policy changes propagate to TemplateBasedVMs too.
@qubesos-bot

qubesos-bot commented Jan 11, 2025
