From 85e25ad6152ff77a8c7176a5d42bc3c97d235f2f Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 15 Oct 2025 08:23:15 -0400 Subject: [PATCH 1/2] zipl: Hardcode absolute path This handles cases of running from systems with merged /sbin and /bin (e.g. F42+) but targeting a non-merged root. Signed-off-by: Colin Walters --- src/libostree/ostree-bootloader-zipl.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c index bfa7823f83..0c754edb74 100644 --- a/src/libostree/ostree-bootloader-zipl.c +++ b/src/libostree/ostree-bootloader-zipl.c @@ -398,9 +398,13 @@ static gboolean _ostree_secure_execution_call_zipl (GError **error) { int status = 0; - const char *const zipl_argv[] = { - "zipl", "-V", "-t", SECURE_EXECUTION_MOUNTPOINT, "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL - }; + const char *const zipl_argv[] = { "/usr/sbin/zipl", + "-V", + "-t", + SECURE_EXECUTION_MOUNTPOINT, + "-i", + SECURE_EXECUTION_BOOT_IMAGE, + NULL }; if (!g_spawn_sync (NULL, (char **)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL, &status, error)) return glnx_prefix_error (error, "s390x SE: spawning zipl"); @@ -483,7 +487,7 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, int bootver if (!_ostree_secure_boot_is_enabled (&sb_enabled, cancellable, error)) return FALSE; const char *const zipl_argv[] - = { "zipl", "--secure", (sb_enabled == TRUE) ? "1" : "auto", "-V", NULL }; + = { "/usr/sbin/zipl", "--secure", (sb_enabled == TRUE) ? "1" : "auto", "-V", NULL }; int estatus; if (target_deployment != NULL) { From 03883b07bdf379aaa29adae0fb9220b624c0fe93 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 15 Oct 2025 08:23:15 -0400 Subject: [PATCH 2/2] deploy: Hardcode absolute path for semodule This handles cases of running from systems with merged /sbin and /bin (e.g. F42+) but targeting a non-merged root. Reported-by: Peter Colberg Signed-off-by: Colin Walters --- src/libostree/ostree-sysroot-deploy.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index 3bfc8d9f52..383e5a24c3 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -3406,11 +3406,16 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error) if (errno != 0) return TRUE; + /* Absolute path to handle cases of running from systems with merged /sbin and /bin (e.g. F42+) + * but targeting a non-merged root. + **/ + static const char semodule[] = "/usr/sbin/semodule"; + /* * Skip the SELinux policy refresh if the --refresh * flag is not supported by semodule. */ - static const gchar *const SEMODULE_HELP_ARGV[] = { "semodule", "--help", NULL }; + static const gchar *const SEMODULE_HELP_ARGV[] = { semodule, "--help", NULL }; if (!_ostree_sysroot_run_in_deployment (deployment_dfd, NULL, SEMODULE_HELP_ARGV, &exit_status, &stdout, error)) return FALSE; @@ -3422,7 +3427,7 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error) return TRUE; } - static const gchar *const SEMODULE_REBUILD_ARGV[] = { "semodule", "-N", "--refresh", NULL }; + static const gchar *const SEMODULE_REBUILD_ARGV[] = { semodule, "-N", "--refresh", NULL }; ot_journal_print (LOG_INFO, "Refreshing SELinux policy"); guint64 start_msec = g_get_monotonic_time () / 1000;