From 03dd496a552aac47c24b2decb14f60064ff034cf Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Wed, 1 Jul 2026 19:03:51 +0300
Subject: [PATCH 1/2] Revert "SELinux: allow kernel_t execmem to work around composefs regression"

This reverts commit c427745b58b8047367468f3384495338829c2ee1.
---
 packaging/selinux/microshift.te | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/packaging/selinux/microshift.te b/packaging/selinux/microshift.te
index 175b926e8a..0d9ef586b8 100644
--- a/packaging/selinux/microshift.te
+++ b/packaging/selinux/microshift.te
@@ -4,15 +4,9 @@ type microshift_t;
 domain_type(microshift_t);
 
 gen_require(`
- type kubelet_t, var_lib_t, container_var_lib_t, kernel_t;
+ type kubelet_t, var_lib_t, container_var_lib_t;
 ')
 
-# Workaround for kernel 7.x composefs/overlayfs SELinux regression (USHIFT-7215).
-# CRI-O runs as kernel_t instead of container_runtime_t on composefs, which denies
-# execmem needed for text relocations. Upstream fix: kernel v7.1-rc1 commits
-# 880bd496ec72, 6af36aeb147a, 82544d36b172. Remove when backported to RHEL 10.2 kernel.
-allow kernel_t self:process execmem;
-
 # When microshift creates backup folders in /var/lib/microshift-backups, the correct labels are applied
 # Note: filetrans_pattern rules states;
 # Process running as `kubelet_t` that creates a `dir` called `microshift-backups`

From ad86ff54b2857a3437a72e914a8b2cf59775ad32 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Wed, 1 Jul 2026 18:58:31 +0300
Subject: [PATCH 2/2] Use production registry for 10.2 bootc base images

---
 .../el10/layer1-base/group1/rhel102-test-agent.containerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile b/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile
index d4bf2dbf96..a97ab03532 100644
--- a/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile
+++ b/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile
@@ -1,4 +1,4 @@
-FROM registry.stage.redhat.io/rhel10/rhel-bootc:10.2
+FROM registry.redhat.io/rhel10/rhel-bootc:10.2
 
 # Build arguments
 ARG USHIFT_RPM_REPO_NAME=microshift-local
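Review bot: The new `FROM registry.redhat.io/rhel10/rhel-bootc:10.2` line still selects the base image by a floating tag, so the content a build pulls can change without any change to this file. Patch 1/2 of this series removes the `allow kernel_t self:process execmem;` workaround, and its deleted comment tied that removal to a kernel backport for RHEL 10.2; whether the production image actually carries that kernel is not visible in either patch. Consider pinning the base by digest, `FROM registry.redhat.io/rhel10/rhel-bootc:10.2@sha256:<digest-placeholder>`, or at least recording the dependency with a comment such as `# Requires a 10.2 image whose kernel includes the composefs SELinux fix (USHIFT-7215)`. The rest of the containerfile lies outside the hunk.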