Update selinux support #3155
base: master
Conversation
Force-pushed 3f63130 to 529d2e3.
Rebased to latest.
Force-pushed 529d2e3 to aa32450.
This looks like it needs to be rebased after its dependency was merged.
Force-pushed aa32450 to 09a89c6.
Rebased to latest, added new patches 'profiles: Set make.defaults POLICY_TYPES to mcs' and metadata refresh.
Force-pushed 3b183f7 to f0729a9.
Rebased to latest.
@@ -10,7 +10,7 @@ CROS_WORKON_REPO="git://github.com" | |||
if [[ "${PV}" == 9999 ]]; then | |||
KEYWORDS="~amd64 ~arm ~arm64 ~x86" | |||
else | |||
CROS_WORKON_COMMIT="deba0732daec569545cf456f0cc514f17c7529b5" | |||
CROS_WORKON_COMMIT="HEAD" |
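Review bot: setting CROS_WORKON_COMMIT to "HEAD" in the non-9999 branch removes the pin that this branch exists to provide, so a release build now tracks whatever the remote's HEAD happens to be at build time and is no longer reproducible. If this is only a stopgap until coreos/bootengine#143 merges, keep the old hash in a comment next to it and add a TODO naming that PR, e.g. `# TODO: re-pin once coreos/bootengine#143 is merged`, so the pin is not forgotten.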
Is this meant as a workaround until coreos/bootengine#143 merges?
@ajeddeloh Yes, once coreos/bootengine#143 is merged this commit hash can be set.
Couple minor nits, otherwise LGTM. Thanks for the cleanup!
|
||
DESCRIPTION="SELinux policy for virt" | ||
|
||
if [[ ${PV} != 9999* ]] ; then | ||
KEYWORDS="amd64 -arm arm64 ~mips x86" | ||
fi | ||
|
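Review bot: the KEYWORDS line marks arm64 stable (`arm64` rather than `~arm64`) while `-arm` masks 32-bit arm outright; that is only consistent if sys-libs/libsepol and the rest of the SELinux stack are keyworded the same way, as the libselinux hunk's discussion below points out, otherwise this package is unresolvable on arm64 boards. State the arm64 stabilisation in the commit message or keep `~arm64` until the profile is updated. The file also lacks a trailing newline.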
nit: trailing newline
@@ -0,0 +1,3 @@ | |||
process = "system_u:system_r:svirt_lxc_net_t:s0" |
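Review bot: the new lxc_contexts file carries no comment on where the `svirt_lxc_net_t` process label comes from or which consumer (rkt, per the discussion) reads it; add a header comment pointing at the rkt SELinux documentation cited in the thread so the next reader does not have to dig through history. It is also worth checking at build time that the type actually exists in the installed base policy (for example with `seinfo -t svirt_lxc_net_t`), since a label naming an undefined type is only caught when the runtime tries to use it.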
Where did these rules (and the ones below in the ebuild itself) come from exactly? Since this commit is non-trivial and modifies the policy itself, can you add a commit message with more details as to what's changing and why (especially since selinux policies are not the most intuitive)
That change came from Matthew Garrett's original patch here: adb930d. I seem to have not set him as author. His commit comment says:
sec-policy/*: We need custom policy modifications
I'll try to better understand the changes and update the commit comments.
@ajeddeloh The added lxc_contexts file is needed to support rkt. You can find some info here: https://coreos.com/rkt/docs/latest/selinux.html. Also, the lines in the ebuild that add to the policy are to support rkt. I've added comments to the sec-policy/selinux-base
files that mention this. On another note, I think Container Linux's SELinux support for rkt needs to be reviewed and verified it is working correctly. See: rkt/rkt#3927
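The lxc_contexts line and the mcs policy type discussed in this thread can be sanity-checked before the policy is installed. The following is an added example, not code from this PR, from coreos-overlay or from rkt: a small parser for lxc_contexts-style `key = "context"` files that splits each SELinux context into user, role, type and MLS/MCS range, then checks it against the single-sensitivity, 1024-category layout that a refpolicy mcs build uses. The sample file contents (apart from the `process` line, which is the one the PR adds), the MCS limits, the `object_r` rule for process labels and the `_t`/`_r` naming checks are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Level = Tuple[int, FrozenSet[int]]  # (sensitivity, categories): "s0:c12,c34" -> (0, {12, 34})

# Assumed layout of the refpolicy "mcs" build: one sensitivity s0, categories c0..c1023.
MCS_MAX_SENS = 0
MCS_MAX_CAT = 1023

# Constructed sample: the "process" line is the one the PR adds; the rest are assumptions.
SAMPLE_LXC_CONTEXTS = """\
# lxc_contexts (constructed sample)
process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0:c12,c34"
"""

_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"\s*$')
_IDENT_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")
# sN, optionally followed by ':' and comma-separated cN or cN.cM category ranges
_LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    low: Level   # also the single level when the context carries no "low-high" range
    high: Level


def parse_level(text: str) -> Level:
    """'s0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))."""
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"bad MLS/MCS level {text!r}")
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        if "." in part:  # cN.cM expands to every category from N to M
            lo, hi = (int(c[1:]) for c in part.split("."))
            if lo > hi:
                raise ValueError(f"inverted category range {part!r}")
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def parse_context(ctx: str) -> SELinuxContext:
    """Split user:role:type[:low[-high]]; the range part may itself contain ':'."""
    fields = ctx.split(":", 3)
    if len(fields) < 3 or not all(_IDENT_RE.match(f) for f in fields[:3]):
        raise ValueError(f"malformed context {ctx!r}")
    user, role, type_ = fields[:3]
    if len(fields) == 3:  # no range (non-MLS policy): treat as s0 with no categories
        low = high = (0, frozenset())
    else:
        low_s, _, high_s = fields[3].partition("-")
        low = parse_level(low_s)
        high = parse_level(high_s) if high_s else low
    return SELinuxContext(user, role, type_, low, high)


def check_mcs(ctx: SELinuxContext) -> List[str]:
    """Reasons ctx cannot be expressed under an mcs-type policy (empty if it can)."""
    problems = []
    for label, (sens, cats) in (("low", ctx.low), ("high", ctx.high)):
        if sens > MCS_MAX_SENS:
            problems.append(f"{label} sensitivity s{sens} exceeds s{MCS_MAX_SENS}")
        too_big = sorted(c for c in cats if c > MCS_MAX_CAT)
        if too_big:
            problems.append(f"{label} categories {too_big} exceed c{MCS_MAX_CAT}")
    if ctx.low[0] > ctx.high[0] or not ctx.low[1] <= ctx.high[1]:
        problems.append("low level is not dominated by high level")
    # Naming checks are refpolicy convention, not rules the kernel enforces.
    if not ctx.type.endswith("_t"):
        problems.append(f"type {ctx.type!r} does not end in _t")
    if not ctx.role.endswith("_r"):
        problems.append(f"role {ctx.role!r} does not end in _r")
    return problems


def parse_lxc_contexts(text: str) -> Dict[str, SELinuxContext]:
    """Parse key = "context" lines; blank lines and '#' comments are skipped."""
    result = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            m = _LINE_RE.match(line)
            if not m:
                raise ValueError(f'line {lineno}: expected key = "context", got {raw!r}')
            result[m.group(1)] = parse_context(m.group(2))
    return result


def lint_lxc_contexts(text: str) -> Dict[str, List[str]]:
    """Map each key whose context has problems to the list of problems."""
    report = {}
    for key, ctx in parse_lxc_contexts(text).items():
        problems = check_mcs(ctx)
        if key == "process" and ctx.role == "object_r":
            problems.append("process label uses object_r, the role reserved for objects")
        if problems:
            report[key] = problems
    return report
```

`lint_lxc_contexts(SAMPLE_LXC_CONTEXTS)` returns an empty dict for the sample, and a non-empty one for a context with a sensitivity above s0, a category above c1023 or a range whose low level is not dominated by its high level. The naming checks are lint only; the kernel does not care whether a type ends in `_t`, but a label that breaks the convention is usually a typo and worth a look before it lands in a policy package.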
eclass/coreos-sec-policy.eclass
Outdated
@@ -0,0 +1,31 @@ | |||
# Copyright 2014 CoreOS, Inc. |
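Review bot: the copyright line on a brand-new eclass should carry the year it was written, not 2014; if the file is instead being moved from elsewhere in the tree, say so in the commit message so the old header makes sense.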
2018? Or is this being moved from somewhere I'm not seeing?
Oops, I wrote a few comments a while ago and forgot to click the "submit" button.
# image in the SDK build_image script. | ||
[[ "${CBUILD}" == "${CHOST}" ]] || return | ||
|
||
selinux-policy-2_pkg_postinst |
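Review bot: the last line calls `selinux-policy-2_pkg_postinst` unconditionally, so any ebuild that inherits this eclass without also inheriting selinux-policy-2 (selinux-base, per the discussion below) fails at pkg_postinst with an undefined function. Either guard the call with `declare -f selinux-policy-2_pkg_postinst >/dev/null && selinux-policy-2_pkg_postinst` or make the PN-conditional inherit the single place that decides it. The bare `return` on the cross-compile guard also returns the failed `[[` test's non-zero status; `return 0` makes the "nothing to do" intent explicit.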
This eclass should probably inherit selinux-policy-2 so ebuilds don't need to know about both.
I would have liked to do that, but that caused problems. This new coreos-sec-policy.eclass has common things intended for use by all the sec-policy packages. selinux-policy-2.eclass is intended for use by the policy add-on packages like selinux-virt and selinux-unconfined, and not for the base policy package. Errors occur if selinux-policy-2 is inherited in selinux-base.
One way to avoid having to inherit both is to have a conditional on ${PN} inside coreos-sec-policy.eclass to inherit selinux-policy-2. Would you prefer that?
It seems the above is no longer true. It may have been a condition of older packages. Things seem to work OK with a simple inherit selinux-policy-2 in coreos-sec-policy.eclass.
I just did a fresh sdk build and it turns out that the problem is still there. selinux-policy-2.eclass has a DEPEND on selinux-base-policy, and so creates a circular dependency if either selinux-base or selinux-base-policy inherits selinux-policy-2.eclass. I added a conditional to coreos-sec-policy.eclass to fix this.
eclass/coreos-sec-policy.eclass
Outdated
@@ -0,0 +1,31 @@ | |||
# Copyright 2014 CoreOS, Inc. |
A new file should have the current year.
} | ||
|
||
src_install() { | ||
emake DESTDIR="${D}" \ | ||
LIBSEPOLA="/usr/$(get_libdir)/libsepol.a" \ | ||
LIBSEPOLA="${ROOT:-/}usr/$(get_libdir)" \ |
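Review bot: the new LIBSEPOLA value names the library directory, not the archive; `"${ROOT:-/}usr/$(get_libdir)"` drops the `/libsepol.a` suffix the old value had. Restore it as `"${ROOT:-/}usr/$(get_libdir)/libsepol.a"`. Because the Makefile only uses LIBSEPOLA as a prerequisite, a wrong path goes unnoticed as long as it exists, so put the path in a local variable and check it (`[[ -f "${libsepola}" ]] || die "missing ${libsepola}"`) before emake so a future rename fails loudly instead of silently linking against nothing.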
Is this expected to be changing a file to a directory?
Seems like that's a typo, but LIBSEPOLA is just used as a makefile target dependency so it was working. I'll fix it.
@@ -6,7 +6,7 @@ EAPI="6" | |||
IUSE="" | |||
MODS="unconfined" | |||
|
|||
inherit selinux-policy-2 | |||
inherit selinux-policy-2 coreos-sec-policy |
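Review bot: `inherit selinux-policy-2 coreos-sec-policy` pulls selinux-policy-2 in twice once coreos-sec-policy inherits it itself, and inherit order matters here: the last eclass to EXPORT_FUNCTIONS pkg_postinst wins, so this ebuild only behaves as intended because coreos-sec-policy comes last on the line. Inherit only coreos-sec-policy so the override order is decided in one place.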
The selinux-policy-2 eclass can be dropped if coreos-sec-policy inherits it, since it depends on it.
@@ -6,10 +6,11 @@ EAPI="6" | |||
IUSE="" | |||
MODS="virt" | |||
|
|||
inherit selinux-policy-2 | |||
inherit selinux-policy-2 coreos-sec-policy |
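Review bot: same point as the selinux-unconfined ebuild: drop selinux-policy-2 from the inherit line and let coreos-sec-policy pull it in, so the two add-on ebuilds stay identical apart from MODS and a later change to the eclass ordering does not have to be made twice.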
Again, only inherit coreos-sec-policy should be needed.
@@ -42,3 +42,14 @@ sys-libs/libseccomp static-libs | |||
|
|||
# bind-tools' configure script breaks when cross-compiling with seccomp enabled | |||
net-dns/bind-tools -seccomp | |||
|
|||
# Enable SELinux for amd64 targets |
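Review bot: the comment "Enable SELinux for amd64 targets" is wrong for a profile that applies to every board. Since the hunk header shows eleven added lines, this is the place to replace the scattered per-package "Enable SELinux for XXX" comments with one `# SELinux` section listing the package entries in alphabetical order, rather than adding another stale comment.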
"amd64 targets" is no longer correct since this profile is for all boards.
We have a few SELinux entries in the generic/package.use file, each saying "Enable SELinux for XXX". I'll clean that up and have a single section for SELinux with the packages in alphabetical order.
@@ -21,7 +21,7 @@ if [[ ${PV} == 9999 ]] ; then | |||
S="${WORKDIR}/${MY_P}/${PN}" | |||
else | |||
SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${MY_RELEASEDATE}/${MY_P}.tar.gz" | |||
KEYWORDS="amd64 ~arm ~arm64 ~mips x86" | |||
KEYWORDS="amd64 ~arm arm64 ~mips x86" |
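Review bot: if flipping `~arm64` to `arm64` is the only remaining difference from portage-stable, the overlay copy of libselinux exists solely to carry one keyword and will drift from upstream with every bump. Drop the copy and accept the arm64 keyword through the arm64 profile's package.accept_keywords instead, together with sys-libs/libsepol, which the discussion notes needs the same change.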
If this is the only customization required now, maybe it should be moved back to portage-stable and accepted in the arm64 profile.
Yes, I missed that. It goes together with sys-libs/libsepol.
Force-pushed f2ef493 to ad66e25.
Force-pushed ad66e25 to 3b40047.
Rebased to latest. Addressed all comments.
From: David Michael <[email protected]> [rebased to latest SELinux ebuilds] Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [rebased to latest SELinux ebuilds] Signed-off-by: Geoff Levand <[email protected]>
Container Linux only uses the mcs policy type. Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
We're using a stripped down policy, so we don't care that certain tasks may refer to policy objects that don't exist. Permit acts that reference them. From: Matthew Garrett <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Install selinux to /usr/lib/selinux/ rather than /etc/selinux/ and /var/lib/selinux in order for Container Linux update to work properly. From: Matthew Garrett <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
From: Matthew Garrett <[email protected]> [Split from big patch and rebased for policycoreutils2.7] Signed-off-by: Geoff Levand <[email protected]>
From: Michael Marineau <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Add an semodule USE flag and enable it in the SDK profile to get semodule-utils into the SDK. Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
From: Matthew Garrett <[email protected]> [Split from big patch and rebased for policycoreutils2.7] Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Adds a new eclass coreos-sec-policy.eclass that handles the Container Linux build specifics. Signed-off-by: Geoff Levand <[email protected]>
Delete this version and use the upstream portage-stable version. Local changes for Container Linux are handled by a new eclass coreos-sec-policy.eclass. Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
From: David Michael <[email protected]> [Rebase to latest] Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Signed-off-by: Geoff Levand <[email protected]>
Force-pushed 3b40047 to 8195b8c.
Depends on:
#3100 (Update packages needed by SELinux), merged
coreos/bootengine#143 (initrd-setup-root: Add SELinux labels to files)
coreos/portage-stable#654 (Update selinux support)