
centos-bootc - cockpit-ws does not work - selinux problems

Open spmfox opened this issue 1 year ago • 4 comments

Hello, when trying to use cockpit on centos-bootc, I get this error:

setroubleshoot[1163]: SELinux is preventing /usr/libexec/cockpit-session from using the transition access on a process.

*****  Plugin restorecon_source (99.5 confidence) suggests   *****************

If you want to fix the label.
/usr/libexec/cockpit-session default label should be cockpit_session_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/libexec/cockpit-session

Using bootc usr-overlay, I can do a restorecon (as suggested by setroubleshoot) but this does not fix the problem. It does appear that all of the cockpit related files in /usr have the wrong context. I suspect something is breaking during the installation of cockpit-ws.

I can fix this by doing a dnf reinstall cockpit-ws (with usr-overlay). After the reinstall it seems that all the cockpit files in /usr have the correct context. I have tried doing the restorecon during the container build, however it seems the context is correct because they do not change. Once deployed onto a system, then they are broken. This has me puzzled. The container build machine has selinux set to enforcing.

Containerfile to reproduce this:

FROM quay.io/centos-bootc/centos-bootc:stream9
RUN dnf -y install cockpit cockpit-ws

spmfox avatar May 30 '24 02:05 spmfox
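A label check, added here as an example and not taken from the issue, cockpit or bootc, that compares each cockpit file's current SELinux type (stat) with the type the loaded policy expects (matchpathcon) and exits non-zero on any mismatch, so it can be run after a deploy to catch the condition described above; the sample lines are constructed, and the bin_t current type and the cockpit_ws_exec_t type are assumptions.

```shell
#!/bin/sh
# Compare the SELinux type of cockpit files with the type the loaded policy expects.
# collect_labels prints one line per path: "<current context> <policy context> <path>",
# using stat(1) and matchpathcon(1); it needs a real SELinux host (not used by the sample).
collect_labels() {
  for p in "$@"; do
    cur=$(stat -c %C "$p" 2>/dev/null) || continue
    exp=$(matchpathcon -n "$p" 2>/dev/null) || continue
    printf '%s %s %s\n' "$cur" "$exp" "$p"
  done
}

# The third field of user:role:type:level is the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Read collect_labels lines on stdin, print each file whose type differs from the
# policy default, and exit 1 if any mismatch was seen (usable as a post-deploy gate).
label_mismatches() {
  found=0
  while read -r cur exp path; do
    [ -n "$path" ] || continue
    ct=$(ctx_type "$cur"); et=$(ctx_type "$exp")
    if [ "$ct" != "$et" ]; then
      printf '%s current=%s expected=%s\n' "$path" "$ct" "$et"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample of what a deployed system with the reported bug might show.
# bin_t as the wrong current type and cockpit_ws_exec_t are assumptions; the issue
# only states that the label differs from cockpit_session_exec_t.
SAMPLE_LABELS='system_u:object_r:bin_t:s0 system_u:object_r:cockpit_session_exec_t:s0 /usr/libexec/cockpit-session
system_u:object_r:cockpit_ws_exec_t:s0 system_u:object_r:cockpit_ws_exec_t:s0 /usr/libexec/cockpit-ws'

# Live use on a bootc host:  collect_labels $(rpm -ql cockpit-ws) | label_mismatches
printf '%s\n' "$SAMPLE_LABELS" | label_mismatches || echo "cockpit labels differ from policy; restorecon or reinstall needed"
```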

Digging in a bit more, it looks like doing the restorecon during the build process will do nothing as the labels are completely different when the container is running.

I found https://github.com/ostreedev/ostree-rs-ext/issues/510

So now I'm wondering if cockpit ships its policy as a binary just like greetd.

spmfox avatar May 30 '24 02:05 spmfox

Yes, this is a dup of https://github.com/ostreedev/ostree-rs-ext/issues/510

That said, it's probably important enough to have a tracker here too.

cgwalters avatar Jun 18 '24 15:06 cgwalters

Complete tangent: We don't see this in our Cockpit CI image for centos-9-bootc because we don't install cockpit-ws as an RPM there, but as a container. This mostly has historic reasons (it's preferable to do that on CoreOS), but for bootc it'd actually make more sense to include cockpit-ws.rpm right into the OCI image.

@spmfox So perhaps using https://quay.io/repository/cockpit/ws is at least a temporary workaround for you until this gets sorted out.

martinpitt avatar Jun 20 '24 12:06 martinpitt

@martinpitt I was able to get this working, thank you for the information - I was unaware there was a container version of cockpit-ws.

spmfox avatar Jun 20 '24 21:06 spmfox

This one should be fixed as of the latest bootc 1.1 - see https://github.com/ostreedev/ostree-rs-ext/pull/669 which bootc 1.1 rolled in.

cgwalters avatar Oct 24 '24 19:10 cgwalters

I can confirm, selinux errors no longer happen.

For anyone else looking at this later - this did not solve the problem for cockpit-ws. Same problem, no selinux errors though. I opened an issue with cockpit now (see above).

spmfox avatar Oct 31 '24 21:10 spmfox