
infra: fix leak of container_file_t to installer image in lorax#6927

Merged
rvykydal merged 1 commit into rhinstaller:main from rvykydal:fix-container-labels-leak
Feb 24, 2026
Conversation

@rvykydal
Contributor

@rvykydal rvykydal commented Feb 19, 2026

Fix leaking of container_file_t to installer image when building installer image (boot.iso) in our anaconda-iso-creator container. Currently these images are built in anaconda CI for running kickstart tests on PR and for daily kickstart tests in kickstart-tests repository for daily-iso image scenario.

container_file_t (unlike the mock_var_lib_t which is used when lorax is not run in a container) can't be restored at the end of installation with restorecon unless the -F option is used (otherwise it would not be applied, with a "not reset as customized by admin" message).

Anaconda restores the contexts at the end of installation to fix, for example, labels of configuration files copied from the installer environment. An example can be /etc/X11/xorg.conf.d/00-keyboard.conf, for which we hit the issue with container_file_t in INSTALLER-4605 on rhel-9.

On Fedora we are hitting another issue INSTALLER-4592.

Resolves: INSTALLER-4609
Related: INSTALLER-4592

https://issues.redhat.com/browse/INSTALLER-4609

  • modify the template to apply to rhel 10 as well

@github-actions github-actions bot added infrastructure Changes affecting mostly infrastructure f44 f45 labels Feb 19, 2026
@gemini-code-assist
Contributor

Summary of Changes

Hello @rvykydal, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves critical issues stemming from the unintended propagation of container_file_t SELinux labels from the containerized build environment into the generated installer image. By implementing a configuration change within the lorax build script, the system now explicitly filters out security.selinux extended attributes during image compression. This ensures that the installer image is built with the correct and expected SELinux contexts, thereby preventing post-installation restorecon failures and improving the overall reliability of the installation process.

Highlights

  • SELinux Label Leakage Fix: Prevented the leakage of container_file_t SELinux labels into the installer image by configuring lorax to exclude security.selinux extended attributes during the build process.
  • Resolved Installation Issues: Addressed problems where incorrect SELinux contexts, specifically container_file_t, caused failures during the restorecon phase of Anaconda installations on RHEL 9 and Fedora.

Changelog
  • dockerfile/anaconda-iso-creator/lorax-build
    • Added a lorax.conf file to explicitly exclude security.selinux extended attributes during the compression phase of image creation.
@rvykydal
Contributor Author

/kickstart-test selinux-contexts

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to fix an issue with SELinux context (container_file_t) leaking into the installer image by configuring lorax to exclude SELinux extended attributes. While the technical approach to solving the problem appears correct, the change has been made to a generated file (dockerfile/anaconda-iso-creator/lorax-build) instead of its source template (dockerfile/anaconda-iso-creator/lorax-build.j2). This is a critical issue because the changes will be overwritten. The modifications must be moved to the template file to be effective and permanent.

@rvykydal rvykydal force-pushed the fix-container-labels-leak branch from 863e2ba to 2be3d29 Compare February 19, 2026 10:04
@rvykydal
Contributor Author

/kickstart-test selinux-contexts

@rvykydal
Contributor Author

@bcl do you think this approach to weldr/lorax#1506 makes sense?

@bcl
Contributor

bcl commented Feb 19, 2026

@bcl do you think this approach to weldr/lorax#1506 makes sense?

If it works :) I'm just glad you found something, I wouldn't have thought of that one.

@rvykydal
Contributor Author

/kickstart-test --testtype smoke

Fix leaking of container_file_t to installer image when building
installer image (boot.iso) in our anaconda-iso-creator container.
Currently these images are built in anaconda CI for running kickstart
tests on PR and for daily kickstart tests in kickstart-tests repository
for daily-iso image scenario.

container_file_t (unlike the mock_var_lib_t which is used when lorax is
not run in a container) can't be restored at the end of installation
with restorecon unless the -F option is used (otherwise it would not be
applied, with a "not reset as customized by admin" message).

Anaconda restores the contexts at the end of installation to fix,
for example, labels of configuration files copied from the installer
environment. An example can be /etc/X11/xorg.conf.d/00-keyboard.conf, for
which we hit the issue with container_file_t in INSTALLER-4605 on
rhel-9.

On Fedora we are hitting another issue INSTALLER-4592.

Resolves: INSTALLER-4609
Related: INSTALLER-4592
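Added example for the restorecon behaviour described in the PR description and in this commit message: why a leaked mock_var_lib_t is fixed by Anaconda's end-of-installation restorecon while a leaked container_file_t survives it unless -F is used. This is illustration code written for this page, not anaconda, lorax or libselinux code. The customizable_types and file_contexts excerpts and the "ls -Z" style listing are constructed samples, and the context matcher is a simplification (last matching file_contexts line wins, which is what the real "most specific match" rule reduces to for a well-formed policy). The tree scanner at the end reads real security.selinux xattrs and is meant to be pointed at an unsquashed installer runtime to confirm nothing carries the build container's label.

```python
"""Predict what restorecon does with labels leaked from a build environment.

Illustration written for this page (not anaconda/lorax/libselinux code); all
policy excerpts and the file listing below are constructed samples.
"""
from __future__ import annotations

import os
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed excerpt of /etc/selinux/targeted/contexts/customizable_types.
# restorecon leaves files of these types alone unless it is run with -F.
CUSTOMIZABLE_TYPES_SAMPLE = """\
container_file_t
sandbox_file_t
svirt_image_t
mnt_t
"""

# Constructed excerpt in file_contexts(5) syntax: <regex> [<file type>] <context>.
FILE_CONTEXTS_SAMPLE = """\
/etc(/.*)?                       system_u:object_r:etc_t:s0
/etc/X11/xorg\\.conf\\.d(/.*)?   system_u:object_r:etc_t:s0
/root(/.*)?                      system_u:object_r:admin_home_t:s0
/usr/share(/.*)?                 system_u:object_r:usr_t:s0
"""

# Constructed "ls -Z" style view of an installed system: the first two files
# were copied out of the installer runtime and still carry the label that
# runtime was built with (container vs. mock chroot); the third is correct.
LISTING_SAMPLE = [
    ("/etc/X11/xorg.conf.d/00-keyboard.conf", "system_u:object_r:container_file_t:s0"),
    ("/root/anaconda-ks.cfg", "system_u:object_r:mock_var_lib_t:s0"),
    ("/usr/share/anaconda/pixmaps", "system_u:object_r:usr_t:s0"),
]


def parse_customizable_types(text: str) -> Set[str]:
    """One type per line; blank lines and '#' comments are ignored."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def parse_file_contexts(text: str) -> List[Tuple[re.Pattern, str]]:
    """Return (anchored regex, context) pairs in file order.

    Simplification: libselinux orders specs by stem/regex length and takes the
    most specific match; for a well-formed policy that is the last matching line.
    """
    specs = []
    for ln in text.splitlines():
        fields = ln.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, context = fields[0], fields[-1]  # optional middle field is the file type
        specs.append((re.compile("^" + regex + "$"), context))
    return specs


def expected_context(path: str, specs) -> Optional[str]:
    """Last matching file_contexts entry, or None if the policy says nothing."""
    match = None
    for pattern, context in specs:
        if pattern.match(path):
            match = context
    return match


def selinux_type(context: str) -> str:
    """Type field of user:role:type[:range]; empty string if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def plan_restorecon(listing, specs, customizable: Set[str], force: bool = False) -> Dict[str, str]:
    """Mimic restorecon's per-file decision.

    Without -F restorecon compares only the type field and refuses to touch a
    type listed in customizable_types ("not reset as customized by admin").
    With -F it resets those as well, which is why the PR's -F remark matters.
    """
    plan = {}
    for path, current in listing:
        want = expected_context(path, specs)
        if want is None or selinux_type(want) == selinux_type(current):
            plan[path] = "ok"
        elif not force and selinux_type(current) in customizable:
            plan[path] = "skipped: %s is customizable" % selinux_type(current)
        else:
            plan[path] = "relabel -> %s" % selinux_type(want)
    return plan


def find_leaked_labels(root: str, leaked_types: Iterable[str]) -> List[str]:
    """Walk a real tree (e.g. an unsquashed installer runtime) and list paths whose
    security.selinux xattr carries one of the given types.  Linux only; a tree
    without xattrs simply yields an empty list."""
    wanted = set(leaked_types)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                ctx = os.getxattr(path, "security.selinux", follow_symlinks=False)
            except (OSError, AttributeError):
                continue
            if selinux_type(ctx.decode(errors="replace").rstrip("\0")) in wanted:
                hits.append(path)
    return hits


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS_SAMPLE)
    custom = parse_customizable_types(CUSTOMIZABLE_TYPES_SAMPLE)
    for force in (False, True):
        print("restorecon%s" % (" -F" if force else ""))
        for path, action in plan_restorecon(LISTING_SAMPLE, specs, custom, force).items():
            print("  %-45s %s" % (path, action))
```

Run as a script it prints the two plans side by side: without -F the keyboard config keeps container_file_t while the kickstart file is relabelled to admin_home_t; with -F both are reset. `find_leaked_labels("/path/to/unsquashed/rootfs", {"container_file_t"})` is the check to run on an extracted installer runtime after a lorax build, and it should come back empty once the security.selinux xattrs are kept out of the squashfs.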
@rvykydal rvykydal force-pushed the fix-container-labels-leak branch from 2be3d29 to b9fa302 Compare February 24, 2026 07:53
@rvykydal
Contributor Author

/kickstart-test selinux-contexts

@rvykydal
Contributor Author

/kickstart-test --testtype smoke

@rvykydal rvykydal merged commit 5fbdb6d into rhinstaller:main Feb 24, 2026
27 checks passed
@rvykydal rvykydal mentioned this pull request Feb 24, 2026
Labels

f44 f45 infrastructure Changes affecting mostly infrastructure

3 participants