This repository was archived by the owner on May 30, 2023. It is now read-only.

[WIP] update libselinux and security policies #347

Closed
dongsupark wants to merge 62 commits into main from dongsu/selinux-container-alpha

Conversation

@dongsupark (Contributor) commented May 7, 2020

work-in-progress: please do not merge

Goal of this PR is basically to update the following packages to the latest versions.

  • sys-apps/checkpolicy
  • sys-apps/policycoreutils
  • sys-libs/libselinux
  • sys-libs/libsemanage
  • sys-libs/libsepol
  • sec-policy/selinux-base
  • sec-policy/selinux-base-policy
  • sec-policy/selinux-virt
  • sec-policy/selinux-unconfined

How to use

```
emerge-amd64-usr sys-libs/libselinux ...
```

This PR should be merged together with flatcar-archive/portage-stable#66 and flatcar/scripts#66.

This PR is based on a previous attempt to update libselinux, coreos/coreos-overlay#3155.
Many thanks to @glevand & @dm0- & others!

@dongsupark dongsupark changed the title [WIP] add container-selinux, update libselinux to 3.0 [WIP] update libselinux and security policies May 12, 2020
@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch from 907a985 to 4751551 May 19, 2020 18:34
@dongsupark dongsupark changed the title [WIP] update libselinux and security policies update libselinux and security policies May 19, 2020
@dongsupark dongsupark marked this pull request as ready for review May 19, 2020 18:38
@dongsupark (Contributor, Author) commented:

Rewrote the PR so it is based on a previous attempt to update libselinux, coreos/coreos-overlay#3155.
Many thanks to @glevand & @dm0- & others!

It should also be merged together with flatcar/scripts#66, so SELinux relabeling can take place.

@dongsupark dongsupark requested a review from a team May 19, 2020 18:40
@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch 2 times, most recently from 8f648ad to 889a684 May 28, 2020 15:23
@dongsupark (Contributor, Author) commented:

Rebased

@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch from 889a684 to 802a431 May 29, 2020 07:52
@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch from 802a431 to 8d4fe99 June 17, 2020 14:44
@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch from 8d4fe99 to 6820053 July 14, 2020 12:47
@pothos pothos changed the base branch from flatcar-master-alpha to main July 23, 2020 15:45
@dongsupark dongsupark changed the title update libselinux and security policies [WIP] update libselinux and security policies Jul 24, 2020
@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch from 6820053 to 676a79f November 17, 2020 15:46
dm0- and others added 10 commits December 2, 2020 10:17
[rebased to latest SELinux ebuilds]
Signed-off-by: Geoff Levand <geoff@infradead.org>
[rebased to latest SELinux ebuilds]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Container Linux only uses the mcs policy type.

Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Geoff Levand <geoff@infradead.org>
We're using a stripped down policy, so we don't care that certain tasks
may refer to policy objects that don't exist. Permit acts that reference
them.

From: Matthew Garrett <mjg59@coreos.com>
[Rebase to latest]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Install selinux to /usr/lib/selinux/ rather than /etc/selinux/ and
/var/lib/selinux in order for Container Linux update to work properly.

From: Matthew Garrett <mjg59@coreos.com>
[Rebase to latest]
Signed-off-by: Geoff Levand <geoff@infradead.org>
[Rebase to latest]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Geoff Levand <geoff@infradead.org>
[Rebase to latest]
Signed-off-by: Geoff Levand <geoff@infradead.org>
glevand and others added 25 commits December 2, 2020 10:17
Signed-off-by: Geoff Levand <geoff@infradead.org>
[Rebase to latest]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Geoff Levand <geoff@infradead.org>
Leave only setools 4.1.1, and remove all other unnecessary versions.
To build policycoreutils with semodule tools, we need to enable USE flag
`semodule`.
Give users logged in via sshd unconfined_t.
Since semodule_package 3.0 does not work with libsepol 2.4 outside
/build/amd64-usr, we need to set LD_LIBRARY_PATH to
`/build/amd64-usr/usr/lib64`. Otherwise we would get the error:

```
/build/amd64-usr//usr/bin/semodule_package: /lib64/libsepol.so.1: no
version information available (required by
/build/amd64-usr//usr/bin/semodule_package)
```
Since semodule_package 3.0 does not work with libsepol 2.4 outside
/build/amd64-usr, we need to set LD_LIBRARY_PATH to
`/build/amd64-usr/usr/lib64`. Otherwise we would get the error:

```
/build/amd64-usr//usr/bin/semodule_package: /lib64/libsepol.so.1:
no version information available
(required by /build/amd64-usr//usr/bin/semodule_package)
```
`/usr/bin/semodule_package` exists under `/build/amd64-usr`, so we
need to find the correct path to it, by setting `BINDIR` correctly.
`/usr/bin/semodule_package` exists under `/build/amd64-usr`, so we
need to find the correct path to it, by setting `BINDIR` correctly.
Since libselinux is installed under `/build/amd64-usr`, we need to
specify the absolute path to the binary `sefcontext_compile`, as well as
the absolute path to the policy files.
@dongsupark dongsupark force-pushed the dongsu/selinux-container-alpha branch from 676a79f to c4d9206 December 2, 2020 09:50
@dongsupark (Contributor, Author) commented:

Please see #1048 instead

@dongsupark dongsupark closed this Jun 11, 2021
@dongsupark dongsupark deleted the dongsu/selinux-container-alpha branch June 11, 2021 09:53