bootc install: Treat SELinux Permissive like Enforcing

Currently Permissive is treated like Disabled for bootc install, which
means the written operating system will also have SELinux disabled.

This change treats Permissive like Enforcing, with the assumption that
Permissive is "enough" SELinux enforcement for bootc install.

Likely all IPA builds on SELinux distros are set to Permissive[1], which
means it is currently not practical to provision a SELinux enabled bootc
system.

[1] https://opendev.org/openstack/ironic-python-agent-builder/src/branch/master/dib/ironic-ramdisk-base/element-deps#L3

Change-Id: Id8a049b242a8c7e38103afc988749ecb2a787ce4
Signed-off-by: Steve Baker <sbaker@redhat.com>
This commit is contained in:
Steve Baker
2026-01-09 14:56:28 +13:00
parent a17666cbfa
commit 9df86a04b9
2 changed files with 52 additions and 3 deletions


@@ -1259,7 +1259,8 @@ class StandbyExtension(base.BaseAgentExtension):
selinux = False
try:
stdout, _ = utils.execute("getenforce", use_standard_locale=True)
if stdout.startswith('Enforcing'):
if (stdout.startswith('Enforcing')
or stdout.startswith('Permissive')):
selinux = True
except (processutils.ProcessExecutionError,
errors.CommandExecutionError,
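Review bot: The two-line `or` at `if (stdout.startswith('Enforcing')` followed by a separate `selinux = True` can be one tuple check, `selinux = stdout.startswith(('Enforcing', 'Permissive'))`, which reads more directly and keeps the try body to the call that can raise. More important is a comment on why Permissive now counts, because the name `selinux` suggests "enforcing" and a later reader may narrow it back: something like `# Permissive is treated like Enforcing so the installed system keeps SELinux enabled; only Disabled, or a failed getenforce, leaves this False`. The test section appears to show this flag gating the `--security-opt label=type:unconfined_t` option given to podman, so naming that effect in the comment would help, if that is indeed what it drives. The enclosing method, including the except clause, continues outside the hunk.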


@@ -1839,7 +1839,7 @@ class TestStandbyExtension(base.IronicAgentTest):
@mock.patch.object(standby.StandbyExtension,
'_write_no_pivot_root',
autospec=True)
def test__download_container_and_bootc_install(
def test__download_container_and_bootc_install_enforcing_selinux(
self,
no_pivot_mock,
write_container_auth_mock,
@@ -1875,6 +1875,54 @@ class TestStandbyExtension(base.IronicAgentTest):
'/dev/fake', use_standard_locale=True)
])
@mock.patch('ironic_python_agent.utils.execute', autospec=True)
@mock.patch.object(disk_utils, 'get_dev_byte_size',
autospec=True)
@mock.patch.object(standby.StandbyExtension,
'_write_authorized_keys',
autospec=True)
@mock.patch.object(standby.StandbyExtension,
'_write_container_auth',
autospec=True)
@mock.patch.object(standby.StandbyExtension,
'_write_no_pivot_root',
autospec=True)
def test__download_container_and_bootc_install_permissive_selinux(
self,
no_pivot_mock,
write_container_auth_mock,
write_authorized_keys_mock,
get_size_mock,
execute_mock):
get_size_mock.return_value = 2000000000
execute_mock.side_effect = iter([
(('Permissive\n'), ()),
((), ())])
write_authorized_keys_mock.return_value = '/tmp/fake/file'
self.agent_extension._download_container_and_bootc_install(
'oci://foo/container', '/dev/fake', 'secret', False, 'keys!')
no_pivot_mock.assert_called_once()
write_container_auth_mock.assert_called_once_with(mock.ANY,
'secret',
'foo')
get_size_mock.assert_called_once_with('/dev/fake')
execute_mock.assert_has_calls([
mock.call('getenforce', use_standard_locale=True),
mock.call(
'podman', '--log-level=debug', 'run', '--rm',
'--privileged',
'--pid=host',
'-v', '/var/lib/containers:/var/lib/containers',
'-v', '/dev:/dev', '--retry-delay=5s',
'--authfile=/root/.config/containers/auth.json',
'-v', '/tmp:/tmp', '--security-opt',
'label=type:unconfined_t', 'foo/container',
'bootc', 'install', 'to-disk', '--wipe',
'--skip-fetch-check', '--root-size=1139M',
'--root-ssh-authorized-keys=/tmp/fake/file',
'/dev/fake', use_standard_locale=True)
])
@mock.patch('ironic_python_agent.utils.execute', autospec=True)
@mock.patch.object(disk_utils, 'get_dev_byte_size',
autospec=True)
@@ -1946,7 +1994,7 @@ class TestStandbyExtension(base.IronicAgentTest):
get_size_mock.return_value = 15000000000
execute_mock.side_effect = iter([
OSError(),
((), ())])
(('Disabled'), ())])
write_authorized_keys_mock.return_value = '/tmp/fake/file'
self.agent_extension._download_container_and_bootc_install(