Skip to content

Increase selinux coverage of the host system #2849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 71 commits into
base: main
Choose a base branch
from
Draft

Increase selinux coverage of the host system #2849

wants to merge 71 commits into from

Conversation

krnowak
Copy link
Member

@krnowak krnowak commented Apr 24, 2025

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/2052/cldsv/

  • switch to selinux profiles
  • add more sec-policy packages
  • do some cleanups in profiles wrt selinux, audit, python, perl and caps USE flags

TODO:

  • mask python files from sys-libs/libselinux for generic images
  • drop systemd patch that removes selinux checks

@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from a0f3db3 to b2a06ed Compare April 29, 2025 11:30
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from e5f476b to f53a575 Compare May 8, 2025 15:15
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from f53a575 to fc92672 Compare May 9, 2025 10:43
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch 2 times, most recently from c2fd277 to ada3e0c Compare May 13, 2025 18:11
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ada3e0c to d6d1948 Compare May 13, 2025 18:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from d6d1948 to ff0b61e Compare May 14, 2025 07:22
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ff0b61e to 4527a10 Compare May 14, 2025 08:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 4527a10 to b9a1d06 Compare May 14, 2025 08:45
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from b9a1d06 to 999890a Compare May 14, 2025 09:13
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 999890a to 6f6bbe8 Compare May 14, 2025 09:35
krnowak added 28 commits June 4, 2025 10:46
@krnowak
overlay coreos/config: Add Flatcar modifications for sys-libs/libsema…
8d8c62d 
…nage
@krnowak
overlay sys-libs/libsemanage: Move to portage-stable
500f0fa
@krnowak
sys-libs/libsemanage: Sync with Gentoo
06f70e0 
It's from Gentoo commit 86b69b5955e3e452220825a0d3e8ab4224041b42.
@krnowak
.github: Add sys-libs/libsemanage to automation
8a4673b
@krnowak
overlay sys-apps/policycoreutils: Move to portage-stable
be03ce4
@krnowak
sys-apps/policycoreutils: Sync with Gentoo
47e1dde 
It's from Gentoo commit b854c7e78dfbd4c9afcadf9d2beb92e9cd24424b.
@krnowak
.github: Add sys-apps/policycoreutils to automation
7a3bc7c
@krnowak
overlay profiles: Add FLATCAR_{TYPE,SUBTYPE} variables
be3ccbf
@krnowak
overlay: Replace cros_target with new variables
aec7546
@krnowak
overlay coreos/config: Add python stuff to install mask for prod images
161bf1e
@krnowak
overlay coreos/user-patches: Drop a patch for sys-libs/libsemanage
f4a85ed 
We apply the fix in a different way.
@krnowak
app-admin/setools: Add from Gentoo
c339f64 
It's from Gentoo commit dd8f1e13525265315752f252be7515f18e80334a.
@krnowak
.github: Add app-admin/setools to automation
dc71a30
@krnowak
overlay profiles: Do not pull app-admin/setools into prod images
7a1f2af
@krnowak
sys-apps/selinux-python: Add from Gentoo
7f29f2d 
It's from Gentoo commit 4d201521b008785972a1f31e1284ecb847dc3831.
@krnowak
.github: Add sys-apps/selinux-python to automation
f9d9a06
@krnowak
dev-python/networkx: Add from Gentoo
328fe66 
It's from Gentoo commit 122ebce35d3db79069ed3cdf59247dffcb74d92a.
@krnowak
.github: Add dev-python/networkx to automation
eac4c74
@krnowak
overlay coreos/config: Add further modifications to sys-process/audit
fe2ed9c
@krnowak
overlay profiles: Allow python for sys-process/audit
23e2d35
@krnowak
overlay coreos/config: Add further Flatcar modifications for sys-apps…
0d06538 
…/policycoreutils
@krnowak
overlay profiles: Force static-libs on sys-libs/libsepol to fix boots…
d75e3b5 
…trap
@krnowak
build_toolchain: Do not leak variables
8b1e581
@krnowak
build_toolchains: Break dep loop and handle more dependencies
0dea927 
Switching to a selinux profile caused more USE flags to be enabled
(selinux, audit, caps), thus more dependencies to be pulled. More
dependencies caused two things:

- cyclic dependencies appeared
- sys-apps/baselayout is being pulled in

Cyclic dependencies need to be handled in a similar way it was done in
build_packages, thus factor out the code doing it into a separate and
reusable part.

The dependency on baselayout needs to be handled by installing the
package as a first thing in $ROOT, followed by a more careful way of
copying things from $SYSROOT to $ROOT (due to split-usr differences),
followed by installing the rest of the packages.
@krnowak
overlay profiles: Move python from package.mask to package.provided f…
693e695 
…or prod
@krnowak
overlay coreos/config: Mask also /usr/bin/rlpkg
06c0b00
@krnowak
overlay coreos/config: Try again at rlpkg masking
947305b
@krnowak
debug
73ea148
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from f6b26e5 to 73ea148 Compare June 4, 2025 08:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@krnowak