install: Change no-SELinux -> SELinux to a warning

We believe we have almost all the labeling work here covered, so degrade this to a warning. Signed-off-by: Colin Walters <[email protected]>
cgwalters · Mar 22, 2024 · 980da23 · 980da23
1 parent c75fc58
commit 980da23
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 12 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -143,6 +143,6 @@ jobs:
           # TODO fix https://github.com/containers/bootc/pull/137
           sudo chattr -i /ostree/deploy/default/deploy/*
           sudo rm /ostree/deploy/default -rf
-          sudo podman run --rm -ti --privileged --env BOOTC_SKIP_SELINUX_HOST_CHECK=1 --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
+          sudo podman run --rm -ti --privileged --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
             ${image} bootc install to-existing-root
           sudo podman run --rm -ti --privileged -v /:/target -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable ${image} bootc internal-tests verify-selinux /target/ostree --warn
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -788,10 +788,6 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
     let mut ret_did_override = false;
     // If the target state has SELinux enabled, we need to check the host state.
     let mut g = None;
-    // We don't currently quite support installing SELinux enabled systems
-    // from SELinux disabled hosts, but this environment variable can be set
-    // to test it out anyways.
-    let skip_check_envvar = "BOOTC_SKIP_SELINUX_HOST_CHECK";
     if srcdata.selinux {
         let host_selinux = crate::lsm::selinux_enabled()?;
         tracing::debug!("Target has SELinux, host={host_selinux}");
@@ -807,14 +803,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
             setup_sys_mount("selinuxfs", SELINUXFS)?;
             // This will re-execute the current process (once).
             g = crate::lsm::selinux_ensure_install_or_setenforce()?;
-        } else if std::env::var_os(skip_check_envvar).is_some() {
-            eprintln!(
-                "Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
-                skip_check_envvar
-            );
         } else {
-            anyhow::bail!(
-                "Host kernel does not have SELinux support, but target enables it by default"
+            // This used to be a hard error, but is now a mild warning
+            crate::utils::medium_visibility_warning(
+                "Host kernel does not have SELinux support, but target enables it by default; this is less well tested.  See https://github.com/containers/bootc/issues/419",
             );
         }
     } else {