selinux: update eclass, libsepol to 3.1 and semodule-utils #172
Force-pushed from 008c82d to f1df039
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
need to open a bug upstream - current discussions on IRC
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
Force-pushed from 1156fbd to ba4edc2
Looks good in general.
Nits:
# policycoreutils-2.4 and semodule-utils provide the same files | ||
RDEPEND="${DEPEND} | ||
!=sys-apps/policycoreutils-2.4-r2 | ||
" |
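Review bot: the blocker `!=sys-apps/policycoreutils-2.4-r2` pins the conflict to one exact revision, but the reply further down says the file collision exists for every policycoreutils older than 2.7 (the version where semodule-utils became a separate entity), so any other 2.4 revision or a 2.5/2.6 build would still collide with semodule-utils-3.1 and the intended "upgrade policycoreutils first" ordering would not be enforced. Consider `!<sys-apps/policycoreutils-2.7` instead, and extend the comment on the line above RDEPEND to say the blocker is temporary and can be dropped once policycoreutils is past 2.7.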
If semodule-utils requires Flatcar changes, then why don't we move it to coreos-overlay?
That's right - it's an edge case actually: starting from policycoreutils-2.7, semodule-utils becomes a single entity; see this commit: SELinuxProject/selinux@c9c97d6. In the current way we upgrade the things, semodule-utils needs to be installed after the policycoreutils upgrade - otherwise semodule-utils-3.1 will collide with some files provided by policycoreutils-2.4. This blocker allows portage to first upgrade policycoreutils, then install semodule-utils. We can certainly move semodule-utils to ::coreos-overlay, but we would need to move it back in ::portage-stable once the upgrade is done. :)
(this PR supersedes #66)

- semodule-utils with temporary patch to avoid conflict with policycoreutils-2.4: these packages provide the same files
- libsepol to 3.1 as it's required to upgrade libselinux
- selinux-policy-2 eclass and patch it (https://bugs.gentoo.org/794682)

basically we can provide patches to SELinux policies in the ebuild using the POLICY_PATCH variable but it was failing with:

    [[ ${#files[@]} -eq 0 ]] && die "No *.{patch,diff} files in directory ${f}"

Digging into the eclass, we have the following:

    [[ -n ${POLICY_PATCH[*]} ]] && eapply -d "${S}/refpolicy/policy/modules" "${POLICY_PATCH[@]}"

so it seems the -d "${S}/refpolicy/policy/modules" is interpreted as "apply any patches you find in this repository", not sure why... if it's confirmed by the gentoo-hardened let's push the patch upstream, if not let's move this eclass to ::coreos-overlay.

How to use

Testing done
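The "No *.{patch,diff} files in directory" failure quoted in the description is consistent with how the eapply helper splits its arguments under PMS (EAPI 6): leading tokens that start with "-" are options handed to patch(1), a literal "--" ends the options, and every remaining token is a patch file or a directory to scan for *.patch/*.diff. Under that reading "-d DIR" is not one option: "-d" is the option and DIR becomes the first path, which is a directory with no patches in it, so the directory branch dies. The script below is an added illustration written for this page, not code from the PR, from portage or from the selinux-policy-2 eclass; the argument-splitting model is my reading of the specification, the directory tree is constructed, and passing the directory as the single token `--directory=DIR` (a real GNU patch long option) is shown as one assumed way to keep the path out of eapply's file list, not as the fix that went upstream in bug 794682, which the page does not describe.

```shell
#!/bin/sh
# Added illustration (not the PR's or the eclass's code): a minimal model
# of how eapply splits its arguments, as I read PMS for EAPI 6.
#   - leading tokens starting with '-' are options for patch(1)
#   - a literal '--' ends the options
#   - everything else is a patch file or a directory of *.patch/*.diff
# Under this model "-d DIR" is NOT one option: '-d' is the option and DIR
# is the first path.

# Print how eapply would classify each argument.
eapply_split() {
    opts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
            -*) opts="$opts $1"; shift ;;
            *)  break ;;
        esac
    done
    printf 'options:%s\n' "$opts"
    for p in "$@"; do
        if [ -d "$p" ]; then
            printf 'directory:%s\n' "$p"
        else
            printf 'file:%s\n' "$p"
        fi
    done
}

# Kind of the first path argument: "directory", "file" or "none".
eapply_first_path_kind() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
            -*) shift ;;
            *)  break ;;
        esac
    done
    if [ $# -eq 0 ]; then
        echo none
    elif [ -d "$1" ]; then
        echo directory
    else
        echo file
    fi
}

# Mirror of the check quoted in the PR description: a directory argument
# holding no *.patch or *.diff file makes eapply die.
has_patch_files() {
    for f in "$1"/*.patch "$1"/*.diff; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Constructed tree: the modules directory exists but holds no patches,
# which is the state the eclass call runs in.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/refpolicy/policy/modules"
    : > "$tmp/fix-module.patch"

    echo "== call as written in the eclass =="
    eapply_split -d "$tmp/refpolicy/policy/modules" "$tmp/fix-module.patch"
    if ! has_patch_files "$tmp/refpolicy/policy/modules"; then
        echo "die: No *.{patch,diff} files in directory $tmp/refpolicy/policy/modules"
    fi

    echo "== directory passed as a single patch(1) option (assumed fix) =="
    eapply_split "--directory=$tmp/refpolicy/policy/modules" "$tmp/fix-module.patch"

    rm -rf "$tmp"
}

demo
```

Running it prints the modules directory classified as a path in the first call and only the patch file as a path in the second; whatever form the eclass finally adopts, the check to make before pushing is that the directory never appears in eapply's file list.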