pub(crate) fn selinux_ensure_install() -> Result<bool>Expand description
Ensure that the current process has the capability to write SELinux security contexts unknown to the current policy.
See test_install_t above for how we check for that capability.
In the general case of both upgrade or install, we may e.g. jump major versions
or even operating systems, and we need the ability to write arbitrary labels.
If the current process doesn’t already have mac_admin/install_t then we
make a new temporary copy of our binary, and give it the same label as /usr/bin/ostree,
which in Fedora derivatives at least was already historically labeled with
the correct install_t label.
However, if you maintain a bootc operating system with SELinux, you should from the start ensure that /usr/bin/bootc has the correct capabilities.