From 51393923aa79cb169dad9f216b1959b7c151875f Mon Sep 17 00:00:00 2001 From: CoreOS Bot Date: Mon, 7 Oct 2024 16:21:17 +0000 Subject: [PATCH] tree: promote changes from testing-devel at 3b47bb1c33dacf5d973d14991411249fa8636fc0 --- kola-denylist.yaml | 8 +- manifest-lock.aarch64.json | 56 +++--- manifest-lock.overrides.yaml | 12 +- manifest-lock.ppc64le.json | 58 +++--- manifest-lock.s390x.json | 56 +++--- manifest-lock.x86_64.json | 54 +++--- manifests/shared-workarounds.yaml | 2 + .../35coreos-multipath/module-setup.sh | 4 + .../40-fix-selinux-labels.preset | 8 + .../system/coreos-fix-selinux-labels.service | 16 ++ .../usr/libexec/coreos-fix-selinux-labels | 165 ++++++++++++++++++ overlay.d/README.md | 11 ++ .../security/coreos-update-ca-trust/test.sh | 2 +- tests/kola/selinux/file-context-policy-match | 50 ++++++ .../selinux/{default => unmodified-policy} | 0 tests/kola/upgrade/extended/test.sh | 54 ++++++ 16 files changed, 435 insertions(+), 121 deletions(-) create mode 100644 overlay.d/07fix-selinux-labels/usr/lib/systemd/system-preset/40-fix-selinux-labels.preset create mode 100644 overlay.d/07fix-selinux-labels/usr/lib/systemd/system/coreos-fix-selinux-labels.service create mode 100755 overlay.d/07fix-selinux-labels/usr/libexec/coreos-fix-selinux-labels create mode 100755 tests/kola/selinux/file-context-policy-match rename tests/kola/selinux/{default => unmodified-policy} (100%) diff --git a/kola-denylist.yaml b/kola-denylist.yaml index 0147c67d7f..93f67e3340 100644 --- a/kola-denylist.yaml +++ b/kola-denylist.yaml 
@@ -5,12 +5,6 @@ tracker: https://github.com/coreos/coreos-assembler/pull/1478 - pattern: podman.workflow tracker: https://github.com/coreos/coreos-assembler/pull/1478 -- pattern: coreos.ignition.ssh.key - tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1553 - # snooze: 2024-10-01 (disabled on promotion) - # warn: true (disabled on promotion) - platforms: - - azure - pattern: coreos.boot-mirror* tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1659 # warn: true (disabled on promotion) @@ -18,7 +12,7 @@ - ppc64le - pattern: ext.config.kdump.crash tracker: https://github.com/coreos/fedora-coreos-tracker/issues/1791 - # snooze: 2024-09-26 (disabled on promotion) + # snooze: 2024-10-14 (disabled on promotion) # warn: true (disabled on promotion) streams: - rawhide diff --git a/manifest-lock.aarch64.json b/manifest-lock.aarch64.json index fc02a876da..a7b7a06199 100644 --- a/manifest-lock.aarch64.json +++ b/manifest-lock.aarch64.json @@ -55,13 +55,13 @@ } }, "afterburn": { - "evra": "5.6.0-1.fc40.aarch64", + "evra": "5.7.0-1.fc40.aarch64", "metadata": { "sourcerpm": "rust-afterburn" } }, "afterburn-dracut": { - "evra": "5.6.0-1.fc40.aarch64", + "evra": "5.7.0-1.fc40.aarch64", "metadata": { "sourcerpm": "rust-afterburn" } @@ -211,7 +211,7 @@ } }, "ca-certificates": { - "evra": "2023.2.62_v7.0.401-6.fc40.noarch", + "evra": "2024.2.69_v8.0.401-1.0.fc40.noarch", "metadata": { "sourcerpm": "ca-certificates" } @@ -325,13 +325,13 @@ } }, "containers-common": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } }, "containers-common-extra": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } 
@@ -349,13 +349,13 @@ } }, "coreutils": { - "evra": "9.4-7.fc40.aarch64", + "evra": "9.4-8.fc40.aarch64", "metadata": { "sourcerpm": "coreutils" } }, "coreutils-common": { - "evra": "9.4-7.fc40.aarch64", + "evra": "9.4-8.fc40.aarch64", "metadata": { "sourcerpm": "coreutils" } @@ -721,7 +721,7 @@ } }, "fwupd": { - "evra": "1.9.23-1.fc40.aarch64", + "evra": "1.9.25-1.fc40.aarch64", "metadata": { "sourcerpm": "fwupd" } @@ -769,7 +769,7 @@ } }, "git-core": { - "evra": "2.46.1-1.fc40.aarch64", + "evra": "2.46.2-1.fc40.aarch64", "metadata": { "sourcerpm": "git" } @@ -877,7 +877,7 @@ } }, "hwdata": { - "evra": "0.387-1.fc40.noarch", + "evra": "0.388-1.fc40.noarch", "metadata": { "sourcerpm": "hwdata" } @@ -1045,25 +1045,25 @@ } }, "kernel": { - "evra": "6.10.10-200.fc40.aarch64", + "evra": "6.10.12-200.fc40.aarch64", "metadata": { "sourcerpm": "kernel" } }, "kernel-core": { - "evra": "6.10.10-200.fc40.aarch64", + "evra": "6.10.12-200.fc40.aarch64", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules": { - "evra": "6.10.10-200.fc40.aarch64", + "evra": "6.10.12-200.fc40.aarch64", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules-core": { - "evra": "6.10.10-200.fc40.aarch64", + "evra": "6.10.12-200.fc40.aarch64", "metadata": { "sourcerpm": "kernel" } @@ -1513,25 +1513,25 @@ } }, "libselinux": { - "evra": "3.6-4.fc40.aarch64", + "evra": "3.7-5.fc40.aarch64", "metadata": { "sourcerpm": "libselinux" } }, "libselinux-utils": { - "evra": "3.6-4.fc40.aarch64", + "evra": "3.7-5.fc40.aarch64", "metadata": { "sourcerpm": "libselinux" } }, "libsemanage": { - "evra": "3.6-3.fc40.aarch64", + "evra": "3.7-2.fc40.aarch64", "metadata": { "sourcerpm": "libsemanage" } }, "libsepol": { - "evra": "3.6-3.fc40.aarch64", + "evra": "3.7-2.fc40.aarch64", "metadata": { "sourcerpm": "libsepol" } @@ -1669,7 +1669,7 @@ } }, "libuv": { - "evra": "1:1.48.0-1.fc40.aarch64", + "evra": "1:1.49.0-1.fc40.aarch64", "metadata": { "sourcerpm": "libuv" } 
@@ -1987,13 +1987,13 @@ } }, "ostree": { - "evra": "2024.7-1.fc40.aarch64", + "evra": "2024.8-1.fc40.aarch64", "metadata": { "sourcerpm": "ostree" } }, "ostree-libs": { - "evra": "2024.7-1.fc40.aarch64", + "evra": "2024.8-1.fc40.aarch64", "metadata": { "sourcerpm": "ostree" } @@ -2089,13 +2089,13 @@ } }, "podman": { - "evra": "5:5.2.2-1.fc40.aarch64", + "evra": "5:5.2.3-1.fc40.aarch64", "metadata": { "sourcerpm": "podman" } }, "policycoreutils": { - "evra": "3.6-3.fc40.aarch64", + "evra": "3.7-3.fc40.aarch64", "metadata": { "sourcerpm": "policycoreutils" } @@ -2155,7 +2155,7 @@ } }, "qemu-user-static-x86": { - "evra": "2:8.2.6-3.fc40.aarch64", + "evra": "2:8.2.7-1.fc40.aarch64", "metadata": { "sourcerpm": "qemu" } @@ -2563,7 +2563,7 @@ } }, "xxhash-libs": { - "evra": "0.8.2-2.fc40.aarch64", + "evra": "0.8.2-4.fc40.aarch64", "metadata": { "sourcerpm": "xxhash" } @@ -2618,16 +2618,16 @@ } }, "metadata": { - "generated": "2024-09-20T00:00:00Z", + "generated": "2024-10-06T00:00:00Z", "rpmmd_repos": { "fedora": { "generated": "2024-04-14T18:51:04Z" }, "fedora-coreos-pool": { - "generated": "2024-09-20T18:00:42Z" + "generated": "2024-10-06T18:08:03Z" }, "fedora-updates": { - "generated": "2024-09-20T01:51:29Z" + "generated": "2024-10-06T02:06:30Z" } } } diff --git a/manifest-lock.overrides.yaml b/manifest-lock.overrides.yaml index 62cfbe5a1d..c0c32c2430 100644 --- a/manifest-lock.overrides.yaml +++ b/manifest-lock.overrides.yaml @@ -8,4 +8,14 @@ # in the `metadata.reason` key, though it's acceptable to omit a `reason` # for FCOS-specific packages (ignition, afterburn, etc.). -packages: {} +packages: + afterburn: + evr: 5.7.0-1.fc40 + metadata: + bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2024-0a97eadb73 + type: fast-track + afterburn-dracut: + evr: 5.7.0-1.fc40 + metadata: + bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2024-0a97eadb73 + type: fast-track 
diff --git a/manifest-lock.ppc64le.json b/manifest-lock.ppc64le.json index c7d85dd4d8..92f251769b 100644 --- a/manifest-lock.ppc64le.json +++ b/manifest-lock.ppc64le.json @@ -55,13 +55,13 @@ } }, "afterburn": { - "evra": "5.6.0-1.fc40.ppc64le", + "evra": "5.7.0-1.fc40.ppc64le", "metadata": { "sourcerpm": "rust-afterburn" } }, "afterburn-dracut": { - "evra": "5.6.0-1.fc40.ppc64le", + "evra": "5.7.0-1.fc40.ppc64le", "metadata": { "sourcerpm": "rust-afterburn" } @@ -217,7 +217,7 @@ } }, "ca-certificates": { - "evra": "2023.2.62_v7.0.401-6.fc40.noarch", + "evra": "2024.2.69_v8.0.401-1.0.fc40.noarch", "metadata": { "sourcerpm": "ca-certificates" } @@ -331,13 +331,13 @@ } }, "containers-common": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } }, "containers-common-extra": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } @@ -355,13 +355,13 @@ } }, "coreutils": { - "evra": "9.4-7.fc40.ppc64le", + "evra": "9.4-8.fc40.ppc64le", "metadata": { "sourcerpm": "coreutils" } }, "coreutils-common": { - "evra": "9.4-7.fc40.ppc64le", + "evra": "9.4-8.fc40.ppc64le", "metadata": { "sourcerpm": "coreutils" } @@ -697,7 +697,7 @@ } }, "fwupd": { - "evra": "1.9.23-1.fc40.ppc64le", + "evra": "1.9.25-1.fc40.ppc64le", "metadata": { "sourcerpm": "fwupd" } @@ -745,7 +745,7 @@ } }, "git-core": { - "evra": "2.46.1-1.fc40.ppc64le", + "evra": "2.46.2-1.fc40.ppc64le", "metadata": { "sourcerpm": "git" } @@ -853,7 +853,7 @@ } }, "hwdata": { - "evra": "0.387-1.fc40.noarch", + "evra": "0.388-1.fc40.noarch", "metadata": { "sourcerpm": "hwdata" } 
@@ -1021,25 +1021,25 @@ } }, "kernel": { - "evra": "6.10.10-200.fc40.ppc64le", + "evra": "6.10.12-200.fc40.ppc64le", "metadata": { "sourcerpm": "kernel" } }, "kernel-core": { - "evra": "6.10.10-200.fc40.ppc64le", + "evra": "6.10.12-200.fc40.ppc64le", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules": { - "evra": "6.10.10-200.fc40.ppc64le", + "evra": "6.10.12-200.fc40.ppc64le", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules-core": { - "evra": "6.10.10-200.fc40.ppc64le", + "evra": "6.10.12-200.fc40.ppc64le", "metadata": { "sourcerpm": "kernel" } @@ -1495,25 +1495,25 @@ } }, "libselinux": { - "evra": "3.6-4.fc40.ppc64le", + "evra": "3.7-5.fc40.ppc64le", "metadata": { "sourcerpm": "libselinux" } }, "libselinux-utils": { - "evra": "3.6-4.fc40.ppc64le", + "evra": "3.7-5.fc40.ppc64le", "metadata": { "sourcerpm": "libselinux" } }, "libsemanage": { - "evra": "3.6-3.fc40.ppc64le", + "evra": "3.7-2.fc40.ppc64le", "metadata": { "sourcerpm": "libsemanage" } }, "libsepol": { - "evra": "3.6-3.fc40.ppc64le", + "evra": "3.7-2.fc40.ppc64le", "metadata": { "sourcerpm": "libsepol" } @@ -1657,7 +1657,7 @@ } }, "libuv": { - "evra": "1:1.48.0-1.fc40.ppc64le", + "evra": "1:1.49.0-1.fc40.ppc64le", "metadata": { "sourcerpm": "libuv" } @@ -1957,19 +1957,19 @@ } }, "ostree": { - "evra": "2024.7-1.fc40.ppc64le", + "evra": "2024.8-1.fc40.ppc64le", "metadata": { "sourcerpm": "ostree" } }, "ostree-grub2": { - "evra": "2024.7-1.fc40.ppc64le", + "evra": "2024.8-1.fc40.ppc64le", "metadata": { "sourcerpm": "ostree" } }, "ostree-libs": { - "evra": "2024.7-1.fc40.ppc64le", + "evra": "2024.8-1.fc40.ppc64le", "metadata": { "sourcerpm": "ostree" } @@ -2065,13 +2065,13 @@ } }, "podman": { - "evra": "5:5.2.2-1.fc40.ppc64le", + "evra": "5:5.2.3-1.fc40.ppc64le", "metadata": { "sourcerpm": "podman" } }, "policycoreutils": { - "evra": "3.6-3.fc40.ppc64le", + "evra": "3.7-3.fc40.ppc64le", "metadata": { "sourcerpm": "policycoreutils" } 
@@ -2143,7 +2143,7 @@ } }, "qemu-user-static-x86": { - "evra": "2:8.2.6-3.fc40.ppc64le", + "evra": "2:8.2.7-1.fc40.ppc64le", "metadata": { "sourcerpm": "qemu" } @@ -2539,7 +2539,7 @@ } }, "xxhash-libs": { - "evra": "0.8.2-2.fc40.ppc64le", + "evra": "0.8.2-4.fc40.ppc64le", "metadata": { "sourcerpm": "xxhash" } @@ -2594,16 +2594,16 @@ } }, "metadata": { - "generated": "2024-09-20T00:00:00Z", + "generated": "2024-10-06T00:00:00Z", "rpmmd_repos": { "fedora": { "generated": "2024-04-14T18:51:03Z" }, "fedora-coreos-pool": { - "generated": "2024-09-20T17:57:07Z" + "generated": "2024-10-06T18:05:42Z" }, "fedora-updates": { - "generated": "2024-09-20T01:51:39Z" + "generated": "2024-10-06T02:06:41Z" } } } diff --git a/manifest-lock.s390x.json b/manifest-lock.s390x.json index 16c1d8b524..e4fb9466da 100644 --- a/manifest-lock.s390x.json +++ b/manifest-lock.s390x.json @@ -55,13 +55,13 @@ } }, "afterburn": { - "evra": "5.6.0-1.fc40.s390x", + "evra": "5.7.0-1.fc40.s390x", "metadata": { "sourcerpm": "rust-afterburn" } }, "afterburn-dracut": { - "evra": "5.6.0-1.fc40.s390x", + "evra": "5.7.0-1.fc40.s390x", "metadata": { "sourcerpm": "rust-afterburn" } @@ -211,7 +211,7 @@ } }, "ca-certificates": { - "evra": "2023.2.62_v7.0.401-6.fc40.noarch", + "evra": "2024.2.69_v8.0.401-1.0.fc40.noarch", "metadata": { "sourcerpm": "ca-certificates" } @@ -325,13 +325,13 @@ } }, "containers-common": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } }, "containers-common-extra": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } @@ -349,13 +349,13 @@ } }, "coreutils": { - "evra": "9.4-7.fc40.s390x", + "evra": "9.4-8.fc40.s390x", "metadata": { "sourcerpm": "coreutils" } }, "coreutils-common": { - "evra": "9.4-7.fc40.s390x", + "evra": "9.4-8.fc40.s390x", "metadata": { "sourcerpm": "coreutils" } 
@@ -691,7 +691,7 @@ } }, "fwupd": { - "evra": "1.9.23-1.fc40.s390x", + "evra": "1.9.25-1.fc40.s390x", "metadata": { "sourcerpm": "fwupd" } @@ -721,7 +721,7 @@ } }, "git-core": { - "evra": "2.46.1-1.fc40.s390x", + "evra": "2.46.2-1.fc40.s390x", "metadata": { "sourcerpm": "git" } @@ -799,7 +799,7 @@ } }, "hwdata": { - "evra": "0.387-1.fc40.noarch", + "evra": "0.388-1.fc40.noarch", "metadata": { "sourcerpm": "hwdata" } @@ -961,25 +961,25 @@ } }, "kernel": { - "evra": "6.10.10-200.fc40.s390x", + "evra": "6.10.12-200.fc40.s390x", "metadata": { "sourcerpm": "kernel" } }, "kernel-core": { - "evra": "6.10.10-200.fc40.s390x", + "evra": "6.10.12-200.fc40.s390x", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules": { - "evra": "6.10.10-200.fc40.s390x", + "evra": "6.10.12-200.fc40.s390x", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules-core": { - "evra": "6.10.10-200.fc40.s390x", + "evra": "6.10.12-200.fc40.s390x", "metadata": { "sourcerpm": "kernel" } @@ -1429,25 +1429,25 @@ } }, "libselinux": { - "evra": "3.6-4.fc40.s390x", + "evra": "3.7-5.fc40.s390x", "metadata": { "sourcerpm": "libselinux" } }, "libselinux-utils": { - "evra": "3.6-4.fc40.s390x", + "evra": "3.7-5.fc40.s390x", "metadata": { "sourcerpm": "libselinux" } }, "libsemanage": { - "evra": "3.6-3.fc40.s390x", + "evra": "3.7-2.fc40.s390x", "metadata": { "sourcerpm": "libsemanage" } }, "libsepol": { - "evra": "3.6-3.fc40.s390x", + "evra": "3.7-2.fc40.s390x", "metadata": { "sourcerpm": "libsepol" } @@ -1579,7 +1579,7 @@ } }, "libuv": { - "evra": "1:1.48.0-1.fc40.s390x", + "evra": "1:1.49.0-1.fc40.s390x", "metadata": { "sourcerpm": "libuv" } @@ -1867,13 +1867,13 @@ } }, "ostree": { - "evra": "2024.7-1.fc40.s390x", + "evra": "2024.8-1.fc40.s390x", "metadata": { "sourcerpm": "ostree" } }, "ostree-libs": { - "evra": "2024.7-1.fc40.s390x", + "evra": "2024.8-1.fc40.s390x", "metadata": { "sourcerpm": "ostree" } 
@@ -1969,13 +1969,13 @@ } }, "podman": { - "evra": "5:5.2.2-1.fc40.s390x", + "evra": "5:5.2.3-1.fc40.s390x", "metadata": { "sourcerpm": "podman" } }, "policycoreutils": { - "evra": "3.6-3.fc40.s390x", + "evra": "3.7-3.fc40.s390x", "metadata": { "sourcerpm": "policycoreutils" } @@ -2035,7 +2035,7 @@ } }, "qemu-user-static-x86": { - "evra": "2:8.2.6-3.fc40.s390x", + "evra": "2:8.2.7-1.fc40.s390x", "metadata": { "sourcerpm": "qemu" } @@ -2437,7 +2437,7 @@ } }, "xxhash-libs": { - "evra": "0.8.2-2.fc40.s390x", + "evra": "0.8.2-4.fc40.s390x", "metadata": { "sourcerpm": "xxhash" } @@ -2492,16 +2492,16 @@ } }, "metadata": { - "generated": "2024-09-20T00:00:00Z", + "generated": "2024-10-06T00:00:00Z", "rpmmd_repos": { "fedora": { "generated": "2024-04-14T18:51:01Z" }, "fedora-coreos-pool": { - "generated": "2024-09-20T17:57:03Z" + "generated": "2024-10-06T18:05:26Z" }, "fedora-updates": { - "generated": "2024-09-20T01:51:50Z" + "generated": "2024-10-06T02:06:53Z" } } } diff --git a/manifest-lock.x86_64.json b/manifest-lock.x86_64.json index 24d8317176..027eccb2ea 100644 --- a/manifest-lock.x86_64.json +++ b/manifest-lock.x86_64.json @@ -55,13 +55,13 @@ } }, "afterburn": { - "evra": "5.6.0-1.fc40.x86_64", + "evra": "5.7.0-1.fc40.x86_64", "metadata": { "sourcerpm": "rust-afterburn" } }, "afterburn-dracut": { - "evra": "5.6.0-1.fc40.x86_64", + "evra": "5.7.0-1.fc40.x86_64", "metadata": { "sourcerpm": "rust-afterburn" } @@ -217,7 +217,7 @@ } }, "ca-certificates": { - "evra": "2023.2.62_v7.0.401-6.fc40.noarch", + "evra": "2024.2.69_v8.0.401-1.0.fc40.noarch", "metadata": { "sourcerpm": "ca-certificates" } @@ -331,13 +331,13 @@ } }, "containers-common": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } }, "containers-common-extra": { - "evra": "5:0.60.1-1.fc40.noarch", + "evra": "5:0.60.2-2.fc40.noarch", "metadata": { "sourcerpm": "containers-common" } 
@@ -355,13 +355,13 @@ } }, "coreutils": { - "evra": "9.4-7.fc40.x86_64", + "evra": "9.4-8.fc40.x86_64", "metadata": { "sourcerpm": "coreutils" } }, "coreutils-common": { - "evra": "9.4-7.fc40.x86_64", + "evra": "9.4-8.fc40.x86_64", "metadata": { "sourcerpm": "coreutils" } @@ -727,7 +727,7 @@ } }, "fwupd": { - "evra": "1.9.23-1.fc40.x86_64", + "evra": "1.9.25-1.fc40.x86_64", "metadata": { "sourcerpm": "fwupd" } @@ -775,7 +775,7 @@ } }, "git-core": { - "evra": "2.46.1-1.fc40.x86_64", + "evra": "2.46.2-1.fc40.x86_64", "metadata": { "sourcerpm": "git" } @@ -895,7 +895,7 @@ } }, "hwdata": { - "evra": "0.387-1.fc40.noarch", + "evra": "0.388-1.fc40.noarch", "metadata": { "sourcerpm": "hwdata" } @@ -1063,25 +1063,25 @@ } }, "kernel": { - "evra": "6.10.10-200.fc40.x86_64", + "evra": "6.10.12-200.fc40.x86_64", "metadata": { "sourcerpm": "kernel" } }, "kernel-core": { - "evra": "6.10.10-200.fc40.x86_64", + "evra": "6.10.12-200.fc40.x86_64", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules": { - "evra": "6.10.10-200.fc40.x86_64", + "evra": "6.10.12-200.fc40.x86_64", "metadata": { "sourcerpm": "kernel" } }, "kernel-modules-core": { - "evra": "6.10.10-200.fc40.x86_64", + "evra": "6.10.12-200.fc40.x86_64", "metadata": { "sourcerpm": "kernel" } @@ -1531,25 +1531,25 @@ } }, "libselinux": { - "evra": "3.6-4.fc40.x86_64", + "evra": "3.7-5.fc40.x86_64", "metadata": { "sourcerpm": "libselinux" } }, "libselinux-utils": { - "evra": "3.6-4.fc40.x86_64", + "evra": "3.7-5.fc40.x86_64", "metadata": { "sourcerpm": "libselinux" } }, "libsemanage": { - "evra": "3.6-3.fc40.x86_64", + "evra": "3.7-2.fc40.x86_64", "metadata": { "sourcerpm": "libsemanage" } }, "libsepol": { - "evra": "3.6-3.fc40.x86_64", + "evra": "3.7-2.fc40.x86_64", "metadata": { "sourcerpm": "libsepol" } @@ -1687,7 +1687,7 @@ } }, "libuv": { - "evra": "1:1.48.0-1.fc40.x86_64", + "evra": "1:1.49.0-1.fc40.x86_64", "metadata": { "sourcerpm": "libuv" } 
@@ -2011,13 +2011,13 @@ } }, "ostree": { - "evra": "2024.7-1.fc40.x86_64", + "evra": "2024.8-1.fc40.x86_64", "metadata": { "sourcerpm": "ostree" } }, "ostree-libs": { - "evra": "2024.7-1.fc40.x86_64", + "evra": "2024.8-1.fc40.x86_64", "metadata": { "sourcerpm": "ostree" } @@ -2113,13 +2113,13 @@ } }, "podman": { - "evra": "5:5.2.2-1.fc40.x86_64", + "evra": "5:5.2.3-1.fc40.x86_64", "metadata": { "sourcerpm": "podman" } }, "policycoreutils": { - "evra": "3.6-3.fc40.x86_64", + "evra": "3.7-3.fc40.x86_64", "metadata": { "sourcerpm": "policycoreutils" } @@ -2581,7 +2581,7 @@ } }, "xxhash-libs": { - "evra": "0.8.2-2.fc40.x86_64", + "evra": "0.8.2-4.fc40.x86_64", "metadata": { "sourcerpm": "xxhash" } @@ -2636,16 +2636,16 @@ } }, "metadata": { - "generated": "2024-09-20T00:00:00Z", + "generated": "2024-10-06T00:00:00Z", "rpmmd_repos": { "fedora": { "generated": "2024-04-14T18:51:11Z" }, "fedora-coreos-pool": { - "generated": "2024-09-20T17:59:04Z" + "generated": "2024-10-06T18:07:54Z" }, "fedora-updates": { - "generated": "2024-09-20T01:52:00Z" + "generated": "2024-10-06T02:07:04Z" } } } diff --git a/manifests/shared-workarounds.yaml b/manifests/shared-workarounds.yaml index 500582942b..a0457797b4 100644 --- a/manifests/shared-workarounds.yaml +++ b/manifests/shared-workarounds.yaml @@ -1,2 +1,4 @@ # This manifest is a list of shared workarounds that are needed in both Fedora CoreOS # and downstreams (i.e. Red Hat CoreOS). +ostree-layers: + - overlay/07fix-selinux-labels diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/module-setup.sh index b04ba58e96..7ba39528bc 100755 --- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/module-setup.sh +++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/module-setup.sh 
@@ -2,6 +2,10 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh +depends() { + echo multipath +} + install_unit() { local unit=$1; shift local target=${1:-initrd} diff --git a/overlay.d/07fix-selinux-labels/usr/lib/systemd/system-preset/40-fix-selinux-labels.preset b/overlay.d/07fix-selinux-labels/usr/lib/systemd/system-preset/40-fix-selinux-labels.preset new file mode 100644 index 0000000000..d7d1d2ba0a --- /dev/null +++ b/overlay.d/07fix-selinux-labels/usr/lib/systemd/system-preset/40-fix-selinux-labels.preset @@ -0,0 +1,8 @@ +# Fix incorrect SELinux labels in /boot and /sysroot +# - https://github.com/coreos/fedora-coreos-tracker/issues/1772 +# - https://github.com/coreos/fedora-coreos-tracker/issues/1771 +# We need this for both FCOS and RHCOS and it needs to live for +# some time (not just a single FCOS barrier release) so that we +# can ensure RHCOS 4.16 aleph nodes and some early 4.17 aleph +# nodes have been fixed. +enable coreos-fix-selinux-labels.service diff --git a/overlay.d/07fix-selinux-labels/usr/lib/systemd/system/coreos-fix-selinux-labels.service b/overlay.d/07fix-selinux-labels/usr/lib/systemd/system/coreos-fix-selinux-labels.service new file mode 100644 index 0000000000..38683b5e60 --- /dev/null +++ b/overlay.d/07fix-selinux-labels/usr/lib/systemd/system/coreos-fix-selinux-labels.service @@ -0,0 +1,16 @@ +[Unit] +Description=Fix mislabeled or unlabeled SELinux contexts on files +Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1771 +Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1772 +ConditionPathExists=!/var/lib/coreos-fix-selinux-labels.stamp + +[Service] +Type=oneshot +# Don't run this more than once, even if it fails +ExecStartPre=/bin/touch /var/lib/coreos-fix-selinux-labels.stamp +ExecStart=/usr/libexec/coreos-fix-selinux-labels +RemainAfterExit=yes +MountFlags=slave + +[Install] +WantedBy=multi-user.target 
diff --git a/overlay.d/07fix-selinux-labels/usr/libexec/coreos-fix-selinux-labels b/overlay.d/07fix-selinux-labels/usr/libexec/coreos-fix-selinux-labels new file mode 100755 index 0000000000..958ac8b452 --- /dev/null +++ b/overlay.d/07fix-selinux-labels/usr/libexec/coreos-fix-selinux-labels 
@@ -0,0 +1,165 @@ +#!/usr/bin/bash + +# Script to help fix selinux labels on systems that were created with +# OSBuild before https://github.com/coreos/coreos-assembler/commit/d3302e0fc9bedec2d4e935e3528eb5abd44e7ae8 +# was put in place to ensure images didn't get created with unlabeled +# or mislabeled files. See also +# - https://github.com/coreos/fedora-coreos-tracker/issues/1771 +# - https://github.com/coreos/fedora-coreos-tracker/issues/1772 +# +# Also handle /boot/.root_uuid and /boot/grub2/bootuuid.cfg created +# by rdcore for some time without labels. +# - https://github.com/coreos/fedora-coreos-tracker/issues/1770 +# - https://github.com/coreos/fedora-coreos-config/pull/3155 + +set -eu -o pipefail + +print_header() { + echo '------------------------------------' + echo "$1" + echo +} + +get_context() { + path=$1 + getfattr -n security.selinux --absolute-name --only-values "${path}" | \ + tr -d '\0' # Trim the null byte from the ouptut to prevent bash warning +} + +path_unlabeled() { + test -e "$1" || return 1 # no exist so not unlabeled + if [ "$(get_context "$1")" == "system_u:object_r:unlabeled_t:s0" ]; then + return 0 + else + return 1 + fi +} + +any_unlabeled() { + # shellcheck disable=SC2068 + for file in $@; do + path_unlabeled "${file}" && return 0 + done + return 1 # none were unlabeled +} + +# Check a few known paths. If /sysroot is unlabeled then we need to +# clean up the mess that OSBuild left behind #1771,#1772. If /boot/.root_uuid +# or /boot/grub2/bootuuid.cfg are unlabeled we need to fix those two #1770. +if ! any_unlabeled '/sysroot' '/boot/.root_uuid' '/boot/grub2/bootuuid.cfg'; then + echo "This CoreOS installation is properly labeled. 
Exiting" + exit 0 +fi + +print_header "Remounting filesystems read/write" +# Note we don't need to remount them read-only later +# because we are running with MountFlags=slave so +# changes here won't propagate to the rest of the system +mount -v -o remount,rw /boot +mount -v -o remount,rw /sysroot + +# Fix the few ones we know about. Some of these are from #1770 +# and some from #1772, but it's easier to just combine the code. +print_header "Fixing label for files on the /boot filesystem" +for file in '.root_uuid' 'grub2/bootuuid.cfg' 'lost+found'; do + if path_unlabeled "/boot/${file}"; then + context=$(matchpathcon -n "/boot/${file}") + echo "Changing context of /boot/${file} to ${context}" + /usr/bin/chcon -h -v "${context}" "/boot/${file}" + fi +done +# Also handle coreos/platforms.json, which could have the wrong label +if [ -e "/boot/coreos/platforms.json" ]; then + restorecon -v "/boot/coreos/platforms.json" +fi + +if ! path_unlabeled "/sysroot"; then + # We don't need to go further with the other fixes since + # this system doesn't appear to be affected by #1771,#1772. 
+ echo "coreos-fix-selinux-labels finished successfully" > /var/lib/coreos-fix-selinux-labels.stamp + exit 0 +fi + +print_header "Mounting boot partition separately to check shadowed /boot/efi" +boot_mount_point=$(mktemp --directory) +mount -v /dev/disk/by-label/boot "$boot_mount_point" +if path_unlabeled "${boot_mount_point}/efi"; then + echo "Fixing label on shadowed /boot/efi" + context=$(matchpathcon -n "/boot/efi") + echo "Changing context of /boot/efi to ${context}" + /usr/bin/chcon -h -v "${context}" "${boot_mount_point}/efi" +fi +umount -v "$boot_mount_point" +rmdir "$boot_mount_point" + +# The underlying /boot directory on the root filesystem can be wrong +print_header "Checking shadowed /boot" +if path_unlabeled "/sysroot/boot"; then + echo "Fixing the label for the /boot mount point on the root filesystem" + context=$(matchpathcon -n "/boot/") + echo "Changing context of /sysroot/boot to ${context}" + /usr/bin/chcon -h -v "${context}" "/sysroot/boot" +fi + +# Fix unlabeled files. The find commands are hand crafted to try +# to catch all unlabeled files, but not touch any objects in the +# ostree repo and also not traverse too deep in the filesystem, +# which could take more time than we'd like. +# +# - /ostree/repo/refs/ to capture the container/blob/ files +# - /ostree/boot* to capture boot.x and bootx.x files +# - /ostree/repo/{.lock,config} - two known offenders +# - .aleph-version.json, .coreos-aleph-version.json - two more +# - -type l -or -type d - all directories and symlinks in the repo +# - -type f -regex '.*\.\(commitmeta\|commit\|dirmeta\|dirtree\|origin\)$' +# - all .commitmeta, .commit, .dirmeta, .dirtree, .origin +# files in the repo and no other files (objects) +# +# Note that we explicitly prune /sysroot/ostree/deploy/*/var so we +# don't consider anything under that path for our operation. Note +# also some of these are left unquoted to allow for shell expansion. 
+# +context=$(matchpathcon -n "/") +tmpfile=$(mktemp) +print_header "Changing context of unlabeled files to ${context}" +( + find "/sysroot/ostree/repo/refs" \ + "/sysroot/.aleph-version.json" \ + "/sysroot/.coreos-aleph-version.json" \ + /sysroot/ostree/repo/{.lock,config} \ + /sysroot/ostree/boot* \ + -context '*:unlabeled_t:*' -print0; + find "/sysroot/" -maxdepth 7 -path /sysroot/ostree/deploy/*/var -prune -o \ + \( \ + -context '*:unlabeled_t:*' \ + \( \ + -type l -or -type d -or \ + \( -type f -regex '.*\.\(commitmeta\|commit\|dirmeta\|dirtree\|origin\)$' \) \ + \) \ + -print0 \ + \) +) | xargs --null -I{} chcon -v -h "${context}" {} > "${tmpfile}" +# Print something here for the journal, but not the full list of files +# because that would be a lot. We'll dump those in the stamp file later. +echo "Relabeled $(wc -l < "${tmpfile}") files to ${context}" + +# Update the stamp file with a record of what was done up until this point +journalctl -b0 -u coreos-fix-selinux-labels.service >> /var/lib/coreos-fix-selinux-labels.stamp +print_header "The following are the unlabeled files that were fixed" >> /var/lib/coreos-fix-selinux-labels.stamp +cat "${tmpfile}" >> /var/lib/coreos-fix-selinux-labels.stamp +rm -f "${tmpfile}" +timestamp=$(date +%s) + +print_header "Checking the repository for consistency" +if ! ostree fsck; then + echo "OSTree fsck found corruption. Please reprovision if you can or" 1>&2 + echo "ask for help at https://discussion.fedoraproject.org/tag/coreos" 1>&2 + echo "coreos-fix-selinux-labels finished with failure" > /var/lib/coreos-fix-selinux-labels.stamp + exit 1 +fi + +# Capture the final bits in the stamp file +journalctl --since="@${timestamp}" -u coreos-fix-selinux-labels.service >> /var/lib/coreos-fix-selinux-labels.stamp + +# This will go to both the journal and the stamp file +echo "coreos-fix-selinux-labels finished successfully" | tee -a /var/lib/coreos-fix-selinux-labels.stamp 
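Review bot: The `-path /sysroot/ostree/deploy/*/var -prune` argument in the second find is expanded by the shell rather than by find, so on a system with more than one stateroot under /sysroot/ostree/deploy it becomes several words, find rejects the expression ("paths must precede expression") and the relabel aborts under `set -e`; find's -path does its own glob matching, so `-path '/sysroot/ostree/deploy/*/var' -prune` keeps the intent for any number of stateroots (the "left unquoted" comment would then apply only to the `/sysroot/ostree/boot*` starting points). In `any_unlabeled`, `for file in $@` should be `for file in "$@"` instead of silencing SC2068; today's callers pass fixed paths, but the helper silently misbehaves on a path containing whitespace. Every failure path other than the fsck one exits via `set -e` before any journal output is copied into the stamp file, and because the unit is stamp-guarded it never reruns, so the only on-disk record of a failed run is an empty stamp; a `trap 'journalctl -b0 -u coreos-fix-selinux-labels.service >> /var/lib/coreos-fix-selinux-labels.stamp' ERR` near the top would preserve what went wrong, and the same trap could `rm -f` the mktemp file. Minor: `get_context` assigns `path=$1` without `local`, so it leaks a global.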
diff --git a/overlay.d/README.md b/overlay.d/README.md index 9597731fdf..8e1182c78e 100644 --- a/overlay.d/README.md +++ b/overlay.d/README.md @@ -10,6 +10,17 @@ This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits. This overlay is shared with RHCOS/SCOS 9. +07fix-selinux-labels +-------------------- + +Fix incorrect SELinux labels in /boot and /sysroot +- https://github.com/coreos/fedora-coreos-tracker/issues/1772 +- https://github.com/coreos/fedora-coreos-tracker/issues/1771 +We need this for both FCOS and RHCOS and it needs to live for +some time (not just a single FCOS barrier release) so that we +can ensure RHCOS 4.16 aleph nodes and some early 4.17 aleph +nodes have been fixed. Remove it in the 4.19 cycle. + 08nouveau --------- diff --git a/tests/kola/security/coreos-update-ca-trust/test.sh b/tests/kola/security/coreos-update-ca-trust/test.sh index 93f63fe86a..c721733712 100755 --- a/tests/kola/security/coreos-update-ca-trust/test.sh +++ b/tests/kola/security/coreos-update-ca-trust/test.sh @@ -12,7 +12,7 @@ set -xeuo pipefail if ! systemctl show coreos-update-ca-trust.service -p ActiveState | grep ActiveState=active; then fatal "coreos-update-ca-trust.service not active" fi -if ! grep '^# coreos.com$' /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt; then +if ! grep '^# coreos.com$' /etc/pki/tls/certs/ca-bundle.crt; then fatal "expected coreos.com in ca-bundle" fi ok "coreos-update-ca-trust.service" diff --git a/tests/kola/selinux/file-context-policy-match b/tests/kola/selinux/file-context-policy-match new file mode 100755 index 0000000000..f2a978964f --- /dev/null +++ b/tests/kola/selinux/file-context-policy-match 
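Review bot: The rewritten assertion in tests/kola/security/coreos-update-ca-trust/test.sh reads only `/etc/pki/tls/certs/ca-bundle.crt`, so the test no longer says anything about the OpenSSL-format trust bundle it checked before. If the switch is because the updated ca-certificates package no longer carries the `# coreos.com` marker in `ca-bundle.trust.crt`, a one-line comment above the grep recording that would save the next reader a lookup; if both files are still expected to carry the marker, checking both is cheap. The rest of the test lies outside the hunk.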
@@ -0,0 +1,50 @@
+#!/bin/bash
+## kola:
+## exclusive: false
+## tags: "platform-independent"
+## description: Verify there are no unlabeled or mislabeled files on the system.
+
+# See https://github.com/coreos/fedora-coreos-tracker/issues/1772
+
+set -xeuo pipefail
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+
+# Add the `-not -regex '.*.0/var/mnt'` here to have an exception for
+# the /sysroot/ostree/deploy/*/deploy/*.0/var/mnt directory existing
+# and being unlabeled. This is created by systemd pre-v254 during
+# pivoting (and so before the policy is loaded) as a temporary
+# mountpoint. We can remove it once we support el10+ only.
+unlabeled="$(find /sysroot -context '*unlabeled_t*' -not -regex '.*.0/var/mnt' -print0 | xargs --null -I{} ls -ldZ '{}')"
+if [ -n "${unlabeled}" ]; then
+ fatal "Some unlabeled files were found"
+fi
+
+mislabeled="$(restorecon -vnr /var/ /etc/ /usr/ /boot/)"
+if [ -n "${mislabeled}" ]; then
+ # Exceptions for files that could be wrong
+ # On RHCOS
+ # - Would relabel /var/opt/cni from system_u:object_r:usr_t:s0 to system_u:object_r:var_t:s0
+ # - https://github.com/openshift/os/issues/1624
+ # - Would relabel /etc/iscsi/initiatorname.iscsi from system_u:object_r:etc_runtime_t:s0 to system_u:object_r:etc_t:s0
+ # - Fixed by https://github.com/openshift/os/pull/1622
+ # - Remove when the oldest supported RHCOS release is 4.18 or newer
+ declare -A exceptions=(
+ ['/var/opt/cni']=1
+ ['/etc/iscsi/initiatorname.iscsi']=1
+ )
+ paths="$(echo "${mislabeled}" | grep "Would relabel" | cut -d ' ' -f 3)"
+ found=""
+ while read -r path; do
+ if [[ "${exceptions[$path]:-noexception}" == 'noexception' ]]; then
+ echo "Unexpected mislabeled file found: ${path}"
+ found="1"
+ fi
+ done <<< "${paths}"
+ if [ "${found}" == "1" ];then
+ fatal "Some unexpected mislabeled files were found."
+ fi
+fi
+
+ok "No unlabeled or mislabeled files found!"
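Review bot: The `paths=` assignment aborts the test without any diagnostic whenever restorecon printed something that is not a "Would relabel" line (a warning, for instance): under `set -eo pipefail` grep then exits 1, the command substitution fails, and the script dies at the assignment instead of reaching `fatal`. If `paths` does end up empty, the here-string still feeds one empty line to `read`, and `${exceptions[$path]:-noexception}` with an empty key is an expansion error on an associative array, so that path also ends in an unexplained exit. I would write `paths="$(grep "Would relabel" <<< "${mislabeled}" | cut -d ' ' -f 3 || true)"` and add `[[ -n "${path}" ]] || continue` as the first statement of the loop; note also that `cut -d ' ' -f 3` truncates a path containing a space, which then fails the exception lookup with a misleading name. The `selinux-sanity-check` hunk of tests/kola/upgrade/extended/test.sh in this same commit has the identical construction and needs the same treatment.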
diff --git a/tests/kola/selinux/default b/tests/kola/selinux/unmodified-policy
similarity index 100%
rename from tests/kola/selinux/default
rename to tests/kola/selinux/unmodified-policy
diff --git a/tests/kola/upgrade/extended/test.sh b/tests/kola/upgrade/extended/test.sh
index 988acaaee1..c72ee200ef 100755
--- a/tests/kola/upgrade/extended/test.sh
+++ b/tests/kola/upgrade/extended/test.sh
@@ -154,6 +154,58 @@ move-to-cgroups-v2() {
 fi
 }
+selinux-sanity-check() {
+ # First make sure the migrations/fix script has finished (if it is going
+ # to run) before doing the checks
+ systemd-run --wait --property=After=coreos-fix-selinux-labels.service \
+ echo "Waited for coreos-fix-selinux-labels.service to finish"
+ # Verify SELinux labels are sane. Migration scripts should have cleaned
+ # up https://github.com/coreos/fedora-coreos-tracker/issues/1772
+ unlabeled="$(find /sysroot -context '*unlabeled_t*' -print0 | xargs --null -I{} ls -ldZ '{}')"
+ if [ -n "${unlabeled}" ]; then
+ fatal "Some unlabeled files were found"
+ fi
+ mislabeled="$(restorecon -vnr /var/ /etc/ /usr/ /boot/)"
+ if [ -n "${mislabeled}" ]; then
+ # Exceptions for files that could be wrong (sometimes upgrades are messy)
+ # Would relabel /var/lib/cni from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0
+ # Would relabel /etc/selinux/targeted/semanage.read.LOCK from system_u:object_r:semanage_trans_lock_t:s0 to system_u:object_r:selinux_config_t:s0
+ # Would relabel /etc/selinux/targeted/semanage.trans.LOCK from system_u:object_r:semanage_trans_lock_t:s0 to system_u:object_r:selinux_config_t:s0
+ # Would relabel /etc/systemd/journald.conf.d from system_u:object_r:etc_t:s0 to system_u:object_r:systemd_conf_t:s0
+ # Would relabel /etc/systemd/journald.conf.d/forward-to-console.conf from system_u:object_r:etc_t:s0 to system_u:object_r:systemd_conf_t:s0
+ # Would relabel /boot/lost+found from system_u:object_r:unlabeled_t:s0 to system_u:object_r:lost_found_t:s0' ']'
+ # Would relabel /var/lib/systemd/home from system_u:object_r:init_var_lib_t:s0 to system_u:object_r:systemd_homed_library_dir_t:s0
+ # - 39.20230916.1.1->41.20240928.10.1
+ # - https://github.com/fedora-selinux/selinux-policy/commit/3ba70ae27d067f7edc0a52ff722511c5ada724f2
+ declare -A exceptions=(
+ ['/var/lib/cni']=1
+ ['/etc/selinux/targeted/semanage.read.LOCK']=1
+ ['/etc/selinux/targeted/semanage.trans.LOCK']=1
+ ['/etc/systemd/journald.conf.d']=1
+ ['/etc/systemd/journald.conf.d/forward-to-console.conf']=1
+ ['/boot/lost+found']=1
+ ['/var/lib/systemd/home']=1
+ )
+ paths="$(echo "${mislabeled}" | grep "Would relabel" | cut -d ' ' -f 3)"
+ found=""
+ while read -r path; do
+ # Add in a few temporary glob exceptions
+ # https://github.com/coreos/fedora-coreos-tracker/issues/1806
+ [[ "${path}" =~ /etc/selinux/targeted/active/ ]] && continue
+ # https://github.com/coreos/fedora-coreos-tracker/issues/1808
+ [[ "${path}" =~ /boot/ostree/.*/dtb ]] && continue
+ if [[ "${exceptions[$path]:-noexception}" == 'noexception' ]]; then
+ echo "Unexpected mislabeled file found: ${path}"
+ found="1"
+ fi
+ done <<< "${paths}"
+ if [ "${found}" == "1" ];then
+ fatal "Some unexpected mislabeled files were found."
+ fi
+ fi
+ ok "Selinux sanity checks passed"
+}
+
 ok "Reached version: $version"
 # Are we all the way at the desired target version?
@@ -166,6 +218,8 @@ if vereq $version $target_version; then
 if ! echo "$state" | grep -q "CoreOS aleph version"; then
 fatal "check bootupctl status output"
 fi
+ # One last check!
+ selinux-sanity-check
 exit 0
 fi
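Review bot: The `unlabeled=` find in `selinux-sanity-check` omits the `-not -regex '.*.0/var/mnt'` exclusion that tests/kola/selinux/file-context-policy-match in this same commit applies for the temporary mountpoint left by pre-v254 systemd, so if an upgrade path starts from a release with such a systemd this check may presumably trip on that directory where the other test deliberately does not; either carry the exclusion over or leave a comment stating why this test does not need it. The exception comment for /boot/lost+found ends in stray characters, `' ']'`, that read like a paste from shell trace output and should be trimmed to `# Would relabel /boot/lost+found from system_u:object_r:unlabeled_t:s0 to system_u:object_r:lost_found_t:s0`. The two temporary regex exceptions are unanchored, so `^/etc/selinux/targeted/active/` and `^/boot/ostree/.*/dtb` would limit them to the intended paths rather than to any path containing those substrings. The `paths=` / empty-key problem noted on file-context-policy-match applies to this hunk as well.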