-
|
In: https://github.com/containers/bootc#using-bootc-install $ podman run --privileged would force spc_t which is unconfined and should be able to do the boot install. Secondarily are you saying all bootc images will have an embeded bootc? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
And more. Today I landed code such that bootc goes to quite some effort to re-exec itself as (We also need to mount selinuxfs in the container, and re-exec ourself for that)
Yes, so they can perform in-place OS updates after install via This said...running the install as a privileged container but OS updates directly on the host does argue for potentially also running OS updates as a privileged container too. But my hesitation in going down this route is that it is more likely to create chicken/egg problems where your container runtime is broken, and it'd be fixed by an OS update, but to apply that OS update you need a container runtime... |
Beta Was this translation helpful? Give feedback.
spc_tdoesn't havemac_adminwhich allows writing unknown selinux labels. We haveinstall_ttoday. If you recall this distinction has been a huge ongoing source of trouble.And more.
Today I landed code such that bootc goes to quite some effort to re-exec itself as
install_t. See https://github.com/containers/bootc/blob/53cd1e618d67a3fddcb36d0cec199ae8a6d4c5c0/lib/src/lsm.rs#L43(We also need to mount selinuxfs in the container, and re-exec ourself for that)