fca01e70b5
Add a `selinux` verb to treespec, and bind it from treefile. If set, use it in the core to load an initial policy before import, if we didn't already set a policy. In practice right now this is only used from the compose path since the SysrootUpgrader uses the policy from the merge deployment.

Unset the policy if rojig mode is enabled.

Now, non-SELinux use cases are required to set `selinux: false` in the treespec. For `ex container` I just set it in our example specs. Probably that should forcibly disable it in the treespec but eh, it's experimental.

The other case I can think of is client-side layering; before we would create a policy using the target root, but it wasn't a *hard* requirement, i.e. we didn't error out if `policy_get_name() == NULL`. Let's preserve that semantic by hooking off of whether `_new_system()` was used.

Prep for sharing code with `compose rojig`.

Closes: #1630
Approved by: jlebon
22 lines
440 B
Bash
Executable File
#!/usr/bin/bash
set -xeuo pipefail

cd ${test_tmpdir}

dn=$(cd $(dirname $0) && pwd)
. ${dn}/../common/libtest-core.sh

cat >httpd.conf <<EOF
[tree]
ref=httpd
packages=httpd;
selinux=false
repos=fedora;
releasever=28
EOF

# This one has non-root ownership in some of the dependencies, but we shouldn't
# try to apply them; see apply_rpmfi_overrides().
rpm-ostree ex container assemble httpd.conf
ostree --repo=repo ls httpd /usr/sbin/httpd