Hello, when trying to use cockpit on centos-bootc, I get this error:
setroubleshoot[1163]: SELinux is preventing /usr/libexec/cockpit-session from using the transition access on a process.
***** Plugin restorecon_source (99.5 confidence) suggests *****************
If you want to fix the label.
/usr/libexec/cockpit-session default label should be cockpit_session_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/libexec/cockpit-session
Using bootc usr-overlay, I can do a restorecon (as suggested by setroubleshoot) but this does not fix the problem. It does appear that all of the cockpit related files in /usr have the wrong context. I suspect something is breaking during the installation of cockpit-ws.
I can fix this by doing a dnf reinstall cockpit-ws (with usr-overlay). After the reinstall it seems that all the cockpit files in /usr have the correct context. I have tried doing the restorecon during the container build, however it seems the context is correct because they do not change. Once deployed onto a system, then they are broken. This has me puzzled. The container build machine has selinux set to enforcing.
Containerfile to reproduce this:
FROM quay.io/centos-bootc/centos-bootc:stream9
RUN dnf -y install cockpit cockpit-ws
Digging in a bit more, it looks like doing the restorecon during the build process will do nothing as the labels are completely different when the container is running.
So now I'm wondering if cockpit ships its policy as a binary just like greetd.
spmfox changed the title from "centos-bootc - cockpit does not work - selinux problems" to "centos-bootc - cockpit-ws does not work - selinux problems" on May 30, 2024
Complete tangent: We don't see this in our Cockpit CI image for centos-9-bootc because we don't install cockpit-ws as an RPM there, but as a container. This mostly has historic reasons (it's preferable to do that on CoreOS), but for bootc it'd actually make more sense to include cockpit-ws.rpm right into the OCI image.