mirror of
https://github.com/ostreedev/ostree.git
synced 2024-10-26 17:25:36 +03:00
edb4f38934
Whenever the user has SELinux enabled and has any local modules/modifications installed, it is necessary to rebuild the policy in the final deployment, otherwise ostree will leave the binary policy files unchanged from last deployment as it detects difference against the base content (in rpm-ostree case this is the RPM content). To avoid the situation where the policy binaries go stale once any local customization of the policy is made, try to rebuild the policy as part of sysroot_finalize_deployment(). Use the special --rebuild-if-modules-changed switch, which detects if the input module files have changed relative to last time the policy was built and skips the most time-consuming part of the rebuild process if modules are unchanged (thus making this a relatively cheap operation if the user hasn't made any modifications to the shipped policy). As suggested by Jonathan Lebon, this uses bubblewrap (via g_spawn_sync()) to perform the rebuild inside the deployment's filesystem tree, which also means that ostree will have a runtime dependency on bubblewrap. Partially addresses: https://github.com/coreos/fedora-coreos-tracker/issues/701 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
||
|---|---|---|
| .. | ||
| prow | ||
| build-check-sanitized.sh | ||
| build-check.sh | ||
| build-rpm.sh | ||
| build.sh | ||
| ci-commitmessage-submodules.sh | ||
| ci-release-build.sh | ||
| fah29-insttests.sh | ||
| flatpak-1.4.1-ostree-gpg-errors.patch | ||
| flatpak.sh | ||
| gh-build.sh | ||
| gh-install.sh | ||
| installdeps.sh | ||
| libbuild.sh | ||
| make-git-snapshot.sh | ||
| Makefile.dist-packaging | ||
| provision-prep.sh | ||
| rpmbuild-cwd | ||
| rpmostree.sh | ||