Re: [PATCH] libsemanage: Mute error messages from selinux_restorecon

On Tue, Dec 17, 2024 at 2:27 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Thu, Dec 12, 2024 at 1:58 PM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
> >
> > Mute error messages produced by selinux_restorecon when rebuilding the
> > policy store to avoid error messages in containers, image mode, etc.
> >
> > Fixes:
> >  #podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
> > ...
> > Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext:  Operation not supported
> > Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas:  Operation not supported
> > Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil:  Operation not supported
> > Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll:  Operation not supported
> > ...
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2326348
> >
> > Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

Merged.
Thanks,
Jim

> > ---
> > I feel like this is probably not the best solution, so feel free to
> > suggest a better way.
>
> I feel that it is fine in this case. It is limited and there is
> already a comment saying that we can ignore errors here.
> Thanks,
> Jim
>
> > The logs are all the more annoying because there are so many at once and
> > they clog up the logs and terminals so I am wondering about removing
> > the ERR after a failed fchown as well.
> >
> >  libsemanage/src/semanage_store.c | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> > index e44efc16..2ca2e900 100644
> > --- a/libsemanage/src/semanage_store.c
> > +++ b/libsemanage/src/semanage_store.c
> > @@ -3000,15 +3000,29 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
> >         return 0;
> >  }
> >
> > +/* log_callback muting all logs */
> > +static int __attribute__ ((format(printf, 2, 3)))
> > +log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) const char *fmt, ...)
> > +{
> > +       return 0;
> > +}
> > +
> >  /* Make sure the file context and ownership of files in the policy
> >   * store does not change */
> >  void semanage_setfiles(semanage_handle_t * sh, const char *path){
> >         struct stat sb;
> >         int fd;
> > +       union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
> > +       union selinux_callback cb = { .func_log = log_callback_mute };
> > +
> > +       /* Mute all logs */
> > +       selinux_set_callback(SELINUX_CB_LOG, cb);
> > +
> >         /* Fix the user and role portions of the context, ignore errors
> >          * since this is not a critical operation */
> >         selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
> > -
> > +       /* restore log_logging */
> > +       selinux_set_callback(SELINUX_CB_LOG, cb_orig);
> >         /* Make sure "path" is owned by root */
> >         if ((geteuid() != 0 || getegid() != 0) &&
> >             ((fd = open(path, O_RDONLY | O_CLOEXEC)) != -1)){
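Review bot: log_callback_mute ignores both type and fmt, and in semanage_setfiles the return value of selinux_restorecon is still not checked, so between the two selinux_set_callback calls every failure is dropped, not only the "Operation not supported" case quoted in the commit message. Consider checking the return value of selinux_restorecon and emitting a single summary message when it fails, so a real labeling problem in the policy store still leaves one line in the log instead of hundreds or none. The comment "restore log_logging" would also read more clearly as "restore the original log callback", and a blank line after that call would keep the fchown block visually separate as it was before.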
> > --
> > 2.47.0
> >
> >




