-
Notifications
You must be signed in to change notification settings - Fork 150
Update selinux support #804
base: master
Are you sure you want to change the base?
Conversation
4bb0149
to
5e58f97
Compare
Rebased to latest. |
build_library/build_image_util.sh
Outdated
setup_qemu_static "${root_fs_dir}" | ||
sudo chroot "${root_fs_dir}" /bin/bash -x << 'EOF' | ||
(cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp) | ||
setfiles -F /usr/lib/selinux/mcs/contexts/files/file_contexts /usr/lib/modules |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is special about the kernel modules that require relabeling?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We build up the board's rootfs '${root_fs_dir}' from the SDK host, so the rootfs files don't have any selinux labels. The kernel module loader (modprobe, etc.) checks for proper labels, so without the relabeling here module loading will fail when selinux is enforcing. I didn't look into why module loading worked with the old selinux policy/tools.
setup_board
Outdated
@@ -265,6 +265,9 @@ PORTAGE_BINHOST="${BOARD_BINHOST}" | |||
# You can use --select to override this. | |||
EMERGE_DEFAULT_OPTS="--oneshot" | |||
|
|||
# SELinux installed policies. | |||
POLICY_TYPES="mcs" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason to keep POLICY_TYPES
in the base profile set to targeted mcs mls
? Maybe we should make this change there instead. Or, if we don't want it in the base policy, maybe we can set this value in profiles/coreos/targets/generic/make.defaults
so that there is only one file with this change when using multiple boards.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I missed that entry in the base profile. I think profiles/coreos/base/make.defaults
is the right place to set it since we are only building the mcs policy, and that is the same for all boards. I'll move this change there.
63be2b3
to
a40114f
Compare
Moved POLICY_TYPES change to base policy in coreos/coreos-overlay#3155. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If no labels are applied, maybe we should be relabeling the entire /usr
partition here, but LGTM if this is the minimal requirement.
@dm0- I sort of mentioned this on Slack before. We should be labeling everything created ( I have a patch for it |
Rebased to latest. |
9a5b9c2
to
5fcc513
Compare
Rebased to latest. |
Move the selinux policy build to before 'write_contents' and 'zero free space' are done so that the selinux modules are included in those operations. Also apply the selinux file lables as needed. Signed-off-by: Geoff Levand <[email protected]>
5fcc513
to
91c7555
Compare
Depends on coreos/portage-stable#654 (Update selinux support) and coreos/coreos-overlay#3155 (Update selinux support).