fixup! fix: only set SELinux labels when enabled

siderolabs · Sep 2, 2024 · ffcec42 · ffcec42
1 parent 52116f9
commit ffcec42
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go
@@ -103,12 +103,13 @@ func Switch(prefix string, mountpoints *mount.Points) (err error) {
 	}
 
 	runtime.LockOSThread()
+
+	// TODO: enforce (https://github.com/SELinuxProject/selinux/blob/e81a05a5050354261049cc7b5987372e763fc5f4/libselinux/src/setenforce.c#L12)
 	if procfs.ProcCmdline().Get(constants.KernelParamSELinux).First() != nil {
 		err = os.WriteFile("/proc/thread-self/attr/exec", []byte("system_u:system_r:init_t:s0"), 0o777)
 		if err != nil {
 			return err
 		}
-		// TODO: enforce (https://github.com/SELinuxProject/selinux/blob/e81a05a5050354261049cc7b5987372e763fc5f4/libselinux/src/setenforce.c#L12)
 	}
 
 	// extend PCR 11 with leave-initrd

diff --git a/internal/pkg/selinux/selinux.go b/internal/pkg/selinux/selinux.go
@@ -12,9 +12,9 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
-// SetFileLabel sets label for file or directory, following symlinks
+// SetLabel sets label for file or directory, following symlinks
 // It does not perform the operation in case SELinux is disabled or provided label is empty
-// TODO: check for running in a container as well
+// TODO: check for running in a container as well.
 func SetLabel(filename string, label string) error {
 	if label == "" {
 		return nil