This repository has been archived by the owner on May 30, 2023. It is now read-only.

selinux: upgrade selinux libs #1048

Merged: 21 commits from tormath1/selinux into main on Jul 16, 2021

Conversation

@tormath1 (Contributor) commented Jun 4, 2021

This PR is based on #347, but it has been adapted to match the Flatcar git commit workflow and to clean the git history.

⚠️ to be merged with flatcar-archive/portage-stable#172

As it's quite a big PR, we can split it into smaller ones.

Note for reviewers

Todo

  • remove scripts with python requirements:
    /usr/share/selinux/targeted/include/support/segenxml.py: (env)/python3 does not exist
    /usr/share/selinux/mls/include/support/segenxml.py: (env)/python3 does not exist
    /usr/share/selinux/mcs/include/support/segenxml.py: (env)/python3 does not exist

    (according to the selinux repository, these scripts should only be "helpers")

  • selinux-unconfined seems to be able to move into ::portage-stable

Testing done

Closes flatcar/Flatcar#305 (and certainly other SELinux-related issues - need to pass through)
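
The todo above lists helper scripts under /usr/share/selinux whose `#!` interpreter does not exist in the image. As an added example (not part of this PR and not Flatcar's build tooling), the Python below implements the kind of check that yields such a report: it walks a staging root, reads each file's shebang line, resolves `/usr/bin/env NAME` against the image's own bin directories rather than the host's PATH, and lists interpreters the image does not ship. The root layout, file names and file contents it scans are constructed for the demo; the `(env)/python3` label mirrors the wording in the todo, and the set of directories consulted for `env` lookups is an assumption.

```python
"""Report scripts whose '#!' interpreter is absent from an image root.

Added example; not Flatcar's build check. Paths and files below are constructed.
"""
import os
import tempfile

# Directories searched for '#!/usr/bin/env NAME' lookups, relative to the image root.
# Assumption: the image's PATH for such lookups is just these two directories.
ENV_PATH_DIRS = ("usr/bin", "bin")


def shebang_interpreter(first_line):
    """Split a '#!' line into (interpreter, first argument or None); None if no shebang."""
    if not first_line.startswith("#!"):
        return None
    parts = first_line[2:].strip().split(None, 1)
    if not parts:
        return None
    interp = parts[0]
    arg = parts[1].split()[0] if len(parts) > 1 else None
    return interp, arg


def resolve_in_root(root, interp, arg):
    """Path the interpreter resolves to inside root, or None when it is missing.

    Note: os.path.exists follows symlinks on the host, so an absolute symlink inside
    the root is judged against the host, not the image; acceptable for a demo.
    """
    if os.path.basename(interp) == "env" and arg:
        for d in ENV_PATH_DIRS:
            cand = os.path.join(root, d, arg)
            if os.path.exists(cand):
                return cand
        return None
    cand = os.path.join(root, interp.lstrip("/"))
    return cand if os.path.exists(cand) else None


def find_dangling_shebangs(root, scan_dir):
    """Return sorted (image path, missing interpreter label) for scripts under scan_dir."""
    missing = []
    top = os.path.join(root, scan_dir.lstrip("/"))
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    first = fh.readline(512).decode("utf-8", "replace").rstrip("\r\n")
            except OSError:
                continue
            parsed = shebang_interpreter(first)
            if parsed is None:
                continue  # not a script, nothing to resolve
            interp, arg = parsed
            if resolve_in_root(root, interp, arg) is not None:
                continue
            uses_env = bool(os.path.basename(interp) == "env" and arg)
            label = f"(env)/{arg}" if uses_env else interp
            missing.append(("/" + os.path.relpath(full, root), label))
    return sorted(missing)


def build_demo_root():
    """Create a throwaway image root with constructed files for the demo."""
    root = tempfile.mkdtemp(prefix="demo-root-")
    support = os.path.join(root, "usr/share/selinux/targeted/include/support")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(support)
    open(os.path.join(root, "usr/bin/bash"), "w").close()  # interpreter the image ships
    samples = {
        "segenxml.py": "#!/usr/bin/env python3\nprint('helper')\n",  # python3 not in image
        "sh-helper.sh": "#!/bin/sh\necho helper\n",                    # /bin/sh not in image
        "ok-helper.sh": "#!/usr/bin/bash\necho ok\n",                  # resolves
        "notes.txt": "plain data, no shebang\n",                       # skipped
    }
    for name, body in samples.items():
        with open(os.path.join(support, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for path, label in find_dangling_shebangs(demo, "/usr/share/selinux"):
        print(f"{path}: {label} does not exist")
```

Running the block against the constructed root reports segenxml.py (`(env)/python3`) and sh-helper.sh (`/bin/sh`) and stays quiet about the script whose interpreter the image actually ships; pointed at a real staging root, the same walk tells you whether dropping a package's python requirement also removed every script that needed it.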

@tormath1 tormath1 self-assigned this Jun 4, 2021
@tormath1 tormath1 force-pushed the tormath1/selinux branch 4 times, most recently from 08a8c3c to 2853e14 Compare June 10, 2021 12:51
@tormath1 tormath1 changed the title [wip] selinux: upgrade selinux libs selinux: upgrade selinux libs Jun 11, 2021
@tormath1 tormath1 requested a review from a team June 11, 2021 09:49
@tormath1 tormath1 marked this pull request as ready for review June 11, 2021 09:49
@dongsupark (Contributor) commented:

Build fails like this:

 * Applying mcs-sshd.patch ...
/build/amd64-usr/var/tmp/portage/sec-policy/selinux-base-2.20200818-r2/temp/environment: line 518: /build/amd64-usr/var/tmp/portage/sec-policy/selinux-base-2.20200818-r2/files/mcs-sshd.patch: No such file or directory
/build/amd64-usr/var/tmp/portage/sec-policy/selinux-base-2.20200818-r2/temp/environment: line 521: /build/amd64-usr/var/tmp/portage/sec-policy/selinux-base-2.20200818-r2/files/mcs-sshd.patch: No such file or directory

@tormath1 (Contributor, Author) commented Jul 5, 2021

@dongsupark thanks, I forgot to remove this patch. Actually it has been moved from selinux-base to selinux-base-policy. Otherwise it was overridden.
CI is currently failing because of glibc, I need to investigate it 🤔

Mathieu Tortuyaux added 9 commits July 6, 2021 15:57
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
backported from CoreOS commits

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
@tormath1 (Contributor, Author) commented Jul 7, 2021

Rebased with main to include the glibc stuff - otherwise the CI was failing :)

@dongsupark (Contributor) left a review comment:

Thanks. Code looks good in general.
My local test looks ok as well.

As for cosmetic issues, can you please rearrange commits, e.g.,
squash fixup commits, move Flatcar patch commits right next to their corresponding Gentoo sync commits, etc?

    # ebuild snippet the following review thread refers to
    if use extra ; then
        S="${S2}"
        python_copy_sources
    fi
Contributor commented on this snippet:
Just a thought.
Ideally we should contribute to Gentoo code like that, making USE flags to exclude unnecessary parts.
Of course that would be a long term project. So for now it is ok.

@tormath1 (Author) replied:
I'm not a big fan of this extra USE flag - but yeah we could definitely try to provide more granular control on this kind of part.

Mathieu Tortuyaux added 5 commits July 16, 2021 10:03
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and
exec from init to unconfined
- add AVC patch for local login and journald

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Mathieu Tortuyaux and others added 7 commits July 16, 2021 10:04
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
from 4.x setools is a pure python script, we won't include it
in Flatcar anymore

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Updates to dbus-1.12.20-r1

Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
@tormath1 (Author) commented:
@dongsupark thanks for the review - commits squashed and rearranged :)

@tormath1 tormath1 merged commit b73283e into main Jul 16, 2021
@tormath1 tormath1 deleted the tormath1/selinux branch July 16, 2021 09:25
Successfully merging this pull request may close these issues.

SELinux: running semodule -DB fails with "file_contexts: line X is missing fields, skipping"
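
The linked issue above reports `semodule -DB` failing with "file_contexts: line X is missing fields, skipping". As an added example (not the PR's code and not libselinux's parser), here is a small Python linter for file_contexts entries that reproduces that check, flagging single-field lines the way libselinux does, and additionally validates the file-type qualifier, the regex and the context shape so that a broken entry is caught before a policy build rather than at module load. The sample entries are constructed; the list of type qualifiers comes from file_contexts(5), the "extra fields" check is stricter than libselinux (an assumption of this linter), and Python's `re` is only an approximation of the PCRE2 engine libselinux uses.

```python
"""Lint SELinux file_contexts entries before they reach semodule/setfiles.

Added example; not libselinux's parser. The sample entries are constructed.
"""
import re

# File-type qualifiers listed in file_contexts(5).
FILE_TYPES = {"-b", "-c", "-d", "-p", "-l", "-s", "--"}


def split_entry(raw):
    """Whitespace-separated fields of one line, or None for blank/comment lines."""
    stripped = raw.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()


def check_file_contexts(text):
    """Return [(lineno, message), ...] for entries libselinux would reject or that look wrong."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = split_entry(raw)
        if fields is None:
            continue
        # libselinux logs "line N is missing fields" when fewer than two fields are present
        if len(fields) < 2:
            problems.append((lineno, "missing fields"))
            continue
        if len(fields) > 3:
            # stricter than libselinux, which reads at most three fields (assumption of this linter)
            problems.append((lineno, "unexpected extra fields"))
        regex = fields[0]
        # two fields: regex and context; three or more: regex, file type, context
        ftype, context = (None, fields[1]) if len(fields) == 2 else (fields[1], fields[2])
        if ftype is not None and ftype not in FILE_TYPES:
            problems.append((lineno, f"invalid file type {ftype!r}"))
        try:
            re.compile(regex)  # approximation: libselinux compiles with PCRE2, not Python re
        except re.error as exc:
            problems.append((lineno, f"bad regex: {exc}"))
        # a context is user:role:type[:range] or the literal <<none>>
        if context != "<<none>>" and len(context.split(":")) < 3:
            problems.append((lineno, f"malformed context {context!r}"))
    return problems


# Constructed sample, not Flatcar's file_contexts: line 5 lacks a context,
# line 6 uses an unknown type qualifier, line 8 has a truncated context.
SAMPLE = """\
# constructed sample, not Flatcar's file_contexts
/usr/bin/sshd             --  system_u:object_r:sshd_exec_t:s0
/run/sshd(/.*)?               system_u:object_r:sshd_var_run_t:s0
/var/log/journal(/.*)?    -d  system_u:object_r:var_log_t:s0
/etc/ssh/sshd_config
/opt/foo(/.*)?            -x  system_u:object_r:bin_t:s0
/opt/bar                      <<none>>
/opt/baz                      system_u:object_r
"""

if __name__ == "__main__":
    for lineno, message in check_file_contexts(SAMPLE):
        print(f"file_contexts: line {lineno}: {message}")
```

Run over the constructed sample the linter reports lines 5, 6 and 8 and accepts the two-field form (no type qualifier) and the `<<none>>` context, both of which are valid; wiring it into a policy package's build step catches the single-field entry that `semodule -DB` otherwise only complains about at load time.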