ec4291293e
QEMU boot test of v0.5.1 (commit 3cbffaf) revealed both scripts
missing from /usr/local/sbin/ on running system, despite being in
overlay/usr/local/sbin/ in the source tree.
Root cause: Fedora's filesystem package (or post-install scriptlet)
rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart
%post --nochroot's overlay copy runs. The cp -a placed files in
/usr/local/sbin/ as a real directory; the symlink replacement
deleted them.
Confirmed via tty diagnostic: `ls -la /usr/local` shows
`lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink
ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin
second.
Fix: move both binaries to overlay/usr/local/bin/ where they're
safe from the symlink rewrite. Update all references:
- kickstart/veilor-os.ks chmod path + chown + diagnostic ls
- overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart
- overlay/etc/systemd/system/veilor-firstboot.service ExecStart
- scripts/selinux/build-policy.sh fcontext + restorecon paths
- generated install ks template inside veilor-installer
Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/
unchanged. The veilor-installer binary in /usr/local/bin/ is
discoverable via $PATH same as before.
43 lines
1.5 KiB
Bash
Executable file
43 lines
1.5 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Build + load veilor-os SELinux policy modules.
|
|
#
|
|
# Modules:
|
|
# veilor-systemd — capabilities for systemd-modules-load (post-boot lock)
|
|
# veilor-firstboot — confine /usr/local/bin/veilor-firstboot one-shot
|
|
#
|
|
# Usage:
|
|
# sudo ./build-policy.sh # build + install all
|
|
# sudo ./build-policy.sh <name> # build + install one module
|
|
set -euo pipefail
|
|
|
|
cd "$(dirname "$0")"
|
|
|
|
MODULES=(veilor-systemd veilor-firstboot)
|
|
if [[ $# -gt 0 ]]; then
|
|
MODULES=("$@")
|
|
fi
|
|
|
|
for m in "${MODULES[@]}"; do
|
|
if [[ ! -f "$m.te" ]]; then
|
|
echo "[ERR] $m.te not found" >&2
|
|
exit 1
|
|
fi
|
|
echo "[*] Building $m ..."
|
|
checkmodule -M -m -o "$m.mod" "$m.te"
|
|
semodule_package -o "$m.pp" -m "$m.mod"
|
|
semodule -i "$m.pp"
|
|
echo "[OK] $m loaded"
|
|
done
|
|
|
|
# Apply file context for veilor-firstboot if module just loaded.
|
|
if printf '%s\n' "${MODULES[@]}" | grep -qx veilor-firstboot; then
|
|
if command -v restorecon >/dev/null 2>&1; then
|
|
# Mark the binary + state file with the right types.
|
|
semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/bin/veilor-firstboot' 2>/dev/null || true
|
|
semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null || true
|
|
restorecon -v /usr/local/bin/veilor-firstboot 2>/dev/null || true
|
|
[[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null || true
|
|
fi
|
|
fi
|
|
|
|
echo "[done] all modules loaded"
|