fca01e70b5

Add a `selinux` verb to treespec, and bind it from treefile.

If set, use it in the core to load an initial policy before import, if we didn't already set a policy. In practice right now this is only used from the compose path since the SysrootUpgrader uses the policy from the merge deployment. Unset the policy if rojig mode is enabled.

Now, non-SELinux use cases are required to set `selinux: false` in the treespec. For `ex container` I just set it in our example specs. Probably that should forcibly disable it in the treespec but eh, it's experimental.

The other case I can think of is client-side layering; before we would create a policy using the target root, but it wasn't a *hard* requirement, i.e. we didn't error out if `policy_get_name() == NULL`. Let's preserve that semantic by hooking off of whether `_new_system()` was used.

Prep for sharing code with `compose rojig`.

Closes: #1630
Approved by: jlebon

| Name |
|---|
| test-bash.sh |
| test-httpd.sh |