Re: [PATCH] libsemanage: Mute error messages from selinux_restorecon

On Thu, Dec 12, 2024 at 1:58 PM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
>
> Mute error messages produced by selinux_restorecon when rebuilding the
> policy store to avoid error messages in containers, image mode, etc.
>
> Fixes:
>  #podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
> ...
> Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext:  Operation not supported
> Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas:  Operation not supported
> Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil:  Operation not supported
> Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll:  Operation not supported
> ...
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2326348
>
> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
> I feel like this is probably not the best solution, so feel free to
> suggest a better way.

I feel that it is fine in this case. It is limited and there is
already a comment saying that we can ignore errors here.
Thanks,
Jim

> The logs are all the more annoying because there are so many at once and
> they clog up the logs and terminals, so I am wondering about removing
> the ERR after a failed fchown as well.
>
>  libsemanage/src/semanage_store.c | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> index e44efc16..2ca2e900 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -3000,15 +3000,29 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
>         return 0;
>  }
>
> +/* log_callback muting all logs */
> +static int __attribute__ ((format(printf, 2, 3)))
> +log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) const char *fmt, ...)
> +{
> +       return 0;
> +}
> +
>  /* Make sure the file context and ownership of files in the policy
>   * store does not change */
>  void semanage_setfiles(semanage_handle_t * sh, const char *path){
>         struct stat sb;
>         int fd;
> +       union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
> +       union selinux_callback cb = { .func_log = log_callback_mute };
> +
> +       /* Mute all logs */
> +       selinux_set_callback(SELINUX_CB_LOG, cb);
> +
>         /* Fix the user and role portions of the context, ignore errors
>          * since this is not a critical operation */
>         selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
> -
> +       /* restore log_logging */
> +       selinux_set_callback(SELINUX_CB_LOG, cb_orig);
>         /* Make sure "path" is owned by root */
>         if ((geteuid() != 0 || getegid() != 0) &&
>             ((fd = open(path, O_RDONLY | O_CLOEXEC)) != -1)){
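Review bot: log_callback_mute swallows every libselinux message for the duration of the call, not only the "Could not set context ... Operation not supported" lines quoted in the commit message, and selinux_restorecon's return value is still discarded, so a genuine relabel failure inside the store now leaves no trace at all; because SELINUX_CB_LOG is a process-global slot, any libselinux message raised by another thread between the two selinux_set_callback calls is dropped as well. Consider having log_callback_mute forward to cb_orig for anything other than the expected error, or counting the suppressed messages and emitting a single summary line after the original callback is restored. Minor: the comment "/* restore log_logging */" should read "/* restore logging */", and keeping the blank line the hunk removes before it would leave each selinux_set_callback call visually paired with its own comment.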
> --
> 2.47.0
>
>
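As an added example, not code from libsemanage or libselinux, the stand-alone C program below models the alternative a reviewer might prefer over muting every message: install a filtering callback in a process-global log slot, pass everything except the expected "Operation not supported" lines through to whatever callback was there before, restore that callback unconditionally, and report one summary count afterwards. The dispatcher, the severity constants, the fake relabel pass and its message texts are all constructed for the example; the callback signature mirrors libselinux's func_log, but nothing here links against libselinux.

```c
/* Added example (not libsemanage/libselinux code): scoped filtering of a
 * process-global printf-style log callback instead of muting it outright.
 * The log slot, levels and messages below are a constructed model. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Model severity levels (assumption: error is the most severe). */
enum { LOG_ERR_T = 0, LOG_WARN_T = 1, LOG_INFO_T = 2 };

/* Same shape as libselinux's func_log: int (*)(int type, const char *fmt, ...). */
typedef int (*log_fn)(int type, const char *fmt, ...);

static int default_log(int type, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)type;
    va_start(ap, fmt);
    n = vfprintf(stderr, fmt, ap);
    va_end(ap);
    return n;
}

/* One global slot, like SELINUX_CB_LOG: whatever is installed here is
 * seen by every caller in the process, on every thread. */
static log_fn g_log = default_log;

static log_fn get_log_callback(void) { return g_log; }
static void set_log_callback(log_fn fn) { g_log = fn ? fn : default_log; }

/* State for the scoped filter. */
static log_fn g_saved;
static unsigned g_suppressed;
static const char *g_suppress_substr;

/* Drop only messages containing the expected substring; forward every
 * other message, already formatted, to the previously installed callback
 * so unrelated errors remain visible. */
static int filtered_log(int type, const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (g_suppress_substr && strstr(buf, g_suppress_substr)) {
        g_suppressed++;
        return 0;
    }
    return g_saved(type, "%s", buf);
}

/* Run fn() with the filter installed, always restore the saved callback,
 * and return how many messages were swallowed. */
static unsigned with_suppressed(const char *substr, void (*fn)(void))
{
    g_saved = get_log_callback();
    g_suppress_substr = substr;
    g_suppressed = 0;
    set_log_callback(filtered_log);
    fn();
    set_log_callback(g_saved);
    g_saved = NULL;
    g_suppress_substr = NULL;
    return g_suppressed;
}

/* Constructed stand-in for a relabel pass over the policy store: two
 * messages of the kind in the commit message plus one unrelated error. */
static void fake_restorecon(void)
{
    g_log(LOG_ERR_T, "Could not set context for %s:  Operation not supported\n",
          "/etc/selinux/targeted/tmp/modules/100/rtas");
    g_log(LOG_ERR_T, "Could not set context for %s:  Operation not supported\n",
          "/etc/selinux/targeted/tmp/modules/100/rtkit/cil");
    g_log(LOG_ERR_T, "Could not set context for %s:  Permission denied\n",
          "/etc/selinux/targeted/tmp/modules/100/other");
}

/* Counting sink standing in for the caller's original callback, so the
 * pass-through of non-matching messages can be checked. */
static unsigned g_passed;
static int counting_log(int type, const char *fmt, ...)
{
    (void)type; (void)fmt;
    g_passed++;
    return 0;
}

/* Returns the number of suppressed messages; one summary line replaces them. */
unsigned demo(void)
{
    unsigned dropped;
    g_passed = 0;
    set_log_callback(counting_log);
    dropped = with_suppressed("Operation not supported", fake_restorecon);
    set_log_callback(default_log);
    if (dropped)
        fprintf(stderr, "restorecon: %u unsupported-label error(s) suppressed\n", dropped);
    return dropped;
}

unsigned passed_through(void) { return g_passed; }

int main(void)
{
    unsigned d = demo();
    printf("suppressed=%u passed=%u\n", d, passed_through());
    return 0;
}
```

The pattern keeps the store rebuild quiet on filesystems that cannot hold labels while leaving the "Permission denied" message, which signals a real problem, on the caller's original callback; the global slot is restored before anything else runs, which is the part the caller must get right even on early-return paths.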