Skip to content
This repository has been archived by the owner on Sep 18, 2020. It is now read-only.

Update selinux support #3155

Open
wants to merge 42 commits into
base: master
Choose a base branch
from
Open

Conversation

glevand
Copy link
Contributor

@glevand glevand commented Mar 29, 2018

Depends on:
#3100 (Update packages needed by SELinux) merged
https://github.com/coreos/coreos/bootengine#143 (initrd-setup-root: Add SELinux labels to files)
coreos/portage-stable#654 (Update selinux support)

@glevand
Copy link
Contributor Author

glevand commented Apr 20, 2018

Rebased to latest.

@dm0-
Copy link
Contributor

dm0- commented Apr 25, 2018

This looks like it needs to be rebased after its dependency was merged.

@glevand
Copy link
Contributor Author

glevand commented Apr 25, 2018

Rebased to latest, added new patches 'profiles: Set make.defaults POLICY_TYPES to mcs' and metadata refresh.

@glevand glevand force-pushed the for-merge-selinux branch 2 times, most recently from 3b183f7 to f0729a9 Compare April 25, 2018 23:40
@glevand
Copy link
Contributor Author

glevand commented May 8, 2018

Rebased to latest.

@@ -10,7 +10,7 @@ CROS_WORKON_REPO="git://github.com"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
else
CROS_WORKON_COMMIT="deba0732daec569545cf456f0cc514f17c7529b5"
CROS_WORKON_COMMIT="HEAD"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this meant as a workaround until coreos/bootengine#143 merges?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ajeddeloh Yes, once coreos/bootengine#143 is merged this commit hash can be set.

Copy link
Contributor

@ajeddeloh ajeddeloh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple minor nits, otherwise LGTM. Thank's for the cleanup!


DESCRIPTION="SELinux policy for virt"

if [[ ${PV} != 9999* ]] ; then
KEYWORDS="amd64 -arm arm64 ~mips x86"
fi

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: trailing newline

@@ -0,0 +1,3 @@
process = "system_u:system_r:svirt_lxc_net_t:s0"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where did these rules (and the ones below in the ebuiild itself) come from exactly? Since this commit is non-trivial and modifies the policy itself, can you add a commit message with more details as to what's changing and why (especially since selinux policies are not the most intuitive)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That change came from Matthew Garrett's original patch here: adb930d. I seem to have not set him as author. His commit comments says:

sec-policy/*: We need custom policy modifications

I'll try to better understand the changes and update the commit comments.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ajeddeloh The added lxc_contexts file is needed to support rkt. You can find some info here: https://coreos.com/rkt/docs/latest/selinux.html. Also, the lines in the ebuild that add to the policy are to support rkt. I've added comments to the sec-policy/selinux-base files that mention this. On another note, I think Container Linux's SELinux support for rkt needs to be reviewed and verified it is working correctly. See: rkt/rkt#3927

@@ -0,0 +1,31 @@
# Copyright 2014 CoreOS, Inc.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2018? Or is this being moved from somewhere I'm not seeing?

Copy link
Contributor

@dm0- dm0- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I wrote a few comments a while ago and forgot to click the "submit" button.

# image in the SDK build_image script.
[[ "${CBUILD}" == "${CHOST}" ]] || return

selinux-policy-2_pkg_postinst
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This eclass should probably inherit selinux-policy-2 so ebuilds don't need to know about both.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would have liked to do that, but that caused problems. This new coreos-sec-policy.eclass has common things intended for use by all the sec-policy packages. selinux-policy-2.eclass is intended for use by the policy add-on packages like selinux-virt and selinux-unconfined, and not for the base policy package. Errors occur if selinux-policy-2 is inherit in selinux-base.

One way to avoid having to inherit both is to have a conditional on ${PN} inside coreos-sec-policy.eclass to inherit selinux-policy-2. Would you prefer that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems the above is no longer true. It may have been a condition of older packages. Things seem to work OK with a simple inherit selinux-policy-2 in coreos-sec-policy.eclass.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just did a fresh sdk build and it turns out that the problem is still there. selinux-policy-2.eclass has a DEPEND on selinux-base-policy, and so creates a circular dependency if either selinux-base or selinux-base-policy inherit selinux-policy-2.eclass. I added a conditional to coreos-sec-policy.eclass to fix this.

@@ -0,0 +1,31 @@
# Copyright 2014 CoreOS, Inc.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A new file should have the current year.

}

src_install() {
emake DESTDIR="${D}" \
LIBSEPOLA="/usr/$(get_libdir)/libsepol.a" \
LIBSEPOLA="${ROOT:-/}usr/$(get_libdir)" \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this expected to be changing a file to a directory?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like that's a typo, but LIBSEPOLA is just used as a makefile target dependency so it was working. I'll fix it.

@@ -6,7 +6,7 @@ EAPI="6"
IUSE=""
MODS="unconfined"

inherit selinux-policy-2
inherit selinux-policy-2 coreos-sec-policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The selinux-policy-2 eclass can be dropped if coreos-sec-policy inherits it, since it depends on it.

@@ -6,10 +6,11 @@ EAPI="6"
IUSE=""
MODS="virt"

inherit selinux-policy-2
inherit selinux-policy-2 coreos-sec-policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again only inherit coreos-sec-policy should be needed.

@@ -42,3 +42,14 @@ sys-libs/libseccomp static-libs

# bind-tools' configure script breaks when cross-compiling with seccomp enabled
net-dns/bind-tools -seccomp

# Enable SELinux for amd64 targets
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The amd64 targets is no longer correct since this profile is for all boards.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a few SELinux entries in the generic/package.use file, each saying Enable SELinux for XXX. I'll clean that up and have a single section for SELinux with the packages in alphabetical order.

@@ -21,7 +21,7 @@ if [[ ${PV} == 9999 ]] ; then
S="${WORKDIR}/${MY_P}/${PN}"
else
SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${MY_RELEASEDATE}/${MY_P}.tar.gz"
KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
KEYWORDS="amd64 ~arm arm64 ~mips x86"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is the only customization required now, maybe it should be moved back to portage-stable and accepted in the arm64 profile.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I missed that. It goes together with sys-libs/libsepol.

@glevand glevand force-pushed the for-merge-selinux branch 2 times, most recently from f2ef493 to ad66e25 Compare May 14, 2018 22:26
@glevand
Copy link
Contributor Author

glevand commented May 23, 2018

Rebased to latest. Addressed all comments.

dm0- and others added 8 commits May 23, 2018 09:40
From: David Michael <[email protected]>
[rebased to latest SELinux ebuilds]
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[rebased to latest SELinux ebuilds]
Signed-off-by: Geoff Levand <[email protected]>
Container Linux only uses the mcs policy type.

Signed-off-by: Geoff Levand <[email protected]>
We're using a stripped down policy, so we don't care that certain tasks
may refer to policy objects that don't exist. Permit acts that reference
them.

From: Matthew Garrett <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
Install selinux to /usr/lib/selinux/ rather than /etc/selinux/ and
/var/lib/selinux in order for Container Linux update to work properly.

From: Matthew Garrett <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
Matthew Garrett and others added 28 commits May 23, 2018 09:40
From: Matthew Garrett <[email protected]>
[Split from big patch and rebased for policycoreutils2.7]
Signed-off-by: Geoff Levand <[email protected]>
From: Michael Marineau <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
Add an semodule USE flag and enable it in the SDK profile to get
semodule-utils into the SDK.

Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
From: Matthew Garrett <[email protected]>
[Split from big patch and rebased for policycoreutils2.7]
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
Adds a new eclass coreos-sec-policy.eclass that
handles the Container Linux build specifics.

Signed-off-by: Geoff Levand <[email protected]>
Delete this version and use the upstream portage-stable
version.  Local changes for Container Linux are handled
by a new eclass coreos-sec-policy.eclass.

Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]>
[Rebase to latest]
Signed-off-by: Geoff Levand <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants