Skip to content

Increase selinux coverage of the host system #2849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 78 commits into
base: main
Choose a base branch
from
Draft

Increase selinux coverage of the host system #2849

wants to merge 78 commits into from

Conversation

krnowak
Copy link
Member

@krnowak krnowak commented Apr 24, 2025

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/2052/cldsv/

  • switch to selinux profiles
  • add more sec-policy packages
  • do some cleanups in profiles wrt selinux, audit, python, perl and caps USE flags

TODO:

  • mask python files from sys-libs/libselinux for generic images
  • drop systemd patch that removes selinux checks

@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from a0f3db3 to b2a06ed Compare April 29, 2025 11:30
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from e5f476b to f53a575 Compare May 8, 2025 15:15
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from f53a575 to fc92672 Compare May 9, 2025 10:43
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch 2 times, most recently from c2fd277 to ada3e0c Compare May 13, 2025 18:11
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ada3e0c to d6d1948 Compare May 13, 2025 18:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from d6d1948 to ff0b61e Compare May 14, 2025 07:22
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ff0b61e to 4527a10 Compare May 14, 2025 08:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 4527a10 to b9a1d06 Compare May 14, 2025 08:45
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from b9a1d06 to 999890a Compare May 14, 2025 09:13
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 999890a to 6f6bbe8 Compare May 14, 2025 09:35
@krnowak
overlay coreos/config: Add python stuff to install mask for prod images
d5ae726 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay coreos/user-patches: Drop a patch for sys-libs/libsemanage
3f2c36e 
We apply the fix in a different way.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
app-admin/setools: Add from Gentoo
fc95bb2 
It's from Gentoo commit dd8f1e13525265315752f252be7515f18e80334a.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
.github: Add app-admin/setools to automation
4ed7619 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay profiles: Do not pull app-admin/setools into prod images
dbc971f 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
sys-apps/selinux-python: Add from Gentoo
6c6ec50 
It's from Gentoo commit 1a36dbcbfd45b1906c67e57a2640dca52f3370cb.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
.github: Add sys-apps/selinux-python to automation
527bfef 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
dev-python/networkx: Add from Gentoo
1a018e0 
It's from Gentoo commit e5712a8fc3d0d429407ee9db8450b5c573041019.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
.github: Add dev-python/networkx to automation
af4c263 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay coreos/config: Add further modifications to sys-process/audit
ef40059 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay profiles: Allow python for sys-process/audit
207d769 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay coreos/config: Add further Flatcar modifications for sys-apps…
26e68a5 
…/policycoreutils

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay profiles: Force static-libs on sys-libs/libsepol to fix boots…
c116a82 
…trap

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
build_toolchain: Do not leak variables
71d39ad 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
build_toolchains: Break dep loop and handle more dependencies
5b9a358 
Switching to a selinux profile caused more USE flags to be enabled
(selinux, audit, caps), thus more dependencies to be pulled. More
dependencies caused two things:

- cyclic dependencies appeared
- sys-apps/baselayout is being pulled in

Cyclic dependencies need to be handled in a similar way it was done in
build_packages, thus factor out the code doing it into a separate and
reusable part.

The dependency on baselayout needs to be handled by installing the
package as a first thing in $ROOT, followed by a more careful way of
copying things from $SYSROOT to $ROOT (due to split-usr differences),
followed by installing the rest of the packages.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay profiles: Move python from package.mask to package.provided f…
cf0ddba 
…or prod

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
build_library: Building selinux policy
b43b80b 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
build_library: Fix pkg_use_enabled
c229b01 
"equery uses" ignores forced or masked USE flags by default. In our
case, the selinux USE flag is forced, so stop ignoring it with
--forced-masked flag. Update the regexp to catch the forced USE flags
too and modernize the function a bit.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 7a0b68e to d2147b2 Compare September 18, 2025 13:59
@krnowak
build_library: Relabel the whole filesystem
90e29e5 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
build_sysext: Allow specifying forbidden packages in sysexts
21a6a90 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
build_library: Forbid SELinux policy packages in sysexts
9b51687 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay coreos-base/coreos: Add more selinux policy packages
1c272f4 
Some of those policies are pulled in by sysext packages. We want the
policies to be in the base image, so we can build them and be
applicable for sysext contents.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
HACK: sys-libs/glibc: Enable selinux even when cross-compiling
8ddb51e 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay coreos/user-patches: Add a patch for crossdev
6957d51 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay sys-apps/systemd: Drop selinux-related modifications
f3df311 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak
overlay sys-apps/baselayout: Pull in selinux-related pam changes
0971e7b 
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from d2147b2 to 0971e7b Compare September 19, 2025 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@krnowak @pothos