ben/silverblue-images
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Also adding zfs automount policy

Browse Source
This commit is contained in:
Ben Radey
2025-10-08 23:04:40 -04:00
parent 8ba303cde7
commit e1529dae90
2 changed files with 33 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
f42-server/Containerfile
+9 -2
View File
@@ -14,13 +14,20 @@ FROM quay.io/fedora/fedora-silverblue:42
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
# Set up Synapse SELinux policy
# Set up custom SELinux policies
COPY synapse.te /tmp/synapse.te
COPY benZfsSnapshotAutomount.te /tmp/benZfsSnapshotAutomount.te
RUN checkmodule -M -m -o /tmp/synapse.mod /tmp/synapse.te \
&& semodule_package -o /tmp/synapse.pp -m /tmp/synapse.mod \
&& semodule -r synapse || true \
&& semodule -i /tmp/synapse.pp \
&& rm -f /tmp/synapse.{te,mod,pp}
&& rm -f /tmp/synapse.{te,mod,pp} \
&& checkmodule -M -m -o /tmp/benZfsSnapshotAutomount.mod /tmp/benZfsSnapshotAutomount.te \
&& semodule_package -o /tmp/benZfsSnapshotAutomount.pp -m /tmp/benZfsSnapshotAutomount.mod \
&& semodule -r benZfsSnapshotAutomount || true \
&& semodule -i /tmp/benZfsSnapshotAutomount.pp \
&& rm -f /tmp/benZfsSnapshotAutomount.{te,mod,pp}
# Install ZFS repository
RUN rpm-ostree install https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-2-8$(rpm --eval "%{dist}").noarch.rpm && \
f42-server/benZfsSnapshotAutomount.te
+24
View File
@@ -0,0 +1,24 @@
module benZfsSnapshotAutomount 1.1;
require {
type container_file_t;
type device_t;
type fs_t;
type kernel_generic_helper_t;
type mount_exec_t;
type unlabeled_t;
class capability { setgid setuid sys_admin };
class chr_file { ioctl open read write };
class dir { mounton search };
class file { execute open read execute_no_trans map getattr };
class filesystem mount;
}
#============= kernel_generic_helper_t ==============
allow kernel_generic_helper_t container_file_t:dir search;
allow kernel_generic_helper_t device_t:chr_file { ioctl open read write };
allow kernel_generic_helper_t fs_t:filesystem mount;
allow kernel_generic_helper_t mount_exec_t:file { execute open read execute_no_trans map getattr };
allow kernel_generic_helper_t self:capability { setgid setuid sys_admin };
allow kernel_generic_helper_t unlabeled_t:dir { mounton search };