Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keep/Remove Python dependent package: policycoreutils-python #126

Closed
sinnykumari opened this issue Jan 17, 2019 · 10 comments · Fixed by coreos/fedora-coreos-config#88
Closed

Keep/Remove Python dependent package: policycoreutils-python #126

sinnykumari opened this issue Jan 17, 2019 · 10 comments · Fixed by coreos/fedora-coreos-config#88
Labels
-python card related to removing a python dependency

Comments

@sinnykumari
Copy link
Contributor

FCOS community members are trying not to ship Python in base system. In ticket #92, we have identified list of Python dependent packages which are currently installed in FCOS.

This ticket is to investigate that do we really need policycoreutils-python in FCOS base system? If yes, how can we provide policycoreutils-python or equivalent functionalities without shipping Python.
@sinnykumari sinnykumari mentioned this issue Jan 17, 2019
Closed
21 tasks
@dustymabe dustymabe added the -python card related to removing a python dependency label Jan 17, 2019
@dustymabe
Copy link
Member

This currently isn't in Fedora CoreOS but the policycoreutils-python-utils rpm (which requires python3-policycoreutils) maybe should be. It provides:

[root@vanilla-f29-atomic ~]# rpm -ql policycoreutils-python-utils | head -n 6
/etc/dbus-1/system.d/org.selinux.conf
/usr/bin/audit2allow
/usr/bin/audit2why
/usr/bin/chcat
/usr/bin/sandbox
/usr/sbin/semanage

To me the biggest one of those is semanage IMHO. I don't know if we can get by without it as there is a lot that it does.

cc @cgwalters @bgilbert @lucab

@sinnykumari sinnykumari added the meeting topics for meetings label Feb 20, 2019
@bgilbert bgilbert removed the meeting topics for meetings label Feb 20, 2019
@sinnykumari
Copy link
Contributor Author

@rhatdan We are trying to remove Python dependent packages from FCOS base system. Right now we have policycoreutils-python-utils included in host providing utilities like semanage . Will it be possible to run it inside container and manage selinux policy of host from container? If not do we have any other alternative option?

@rhatdan
Copy link

rhatdan commented Feb 21, 2019

I think you should be able to remove semanage from the system.

semodule for loading selinux policy modules, and setsebool for setting booleans should be all that is needed, and those are written in C.

@dustymabe
Copy link
Member

what happens if someone needs to change file contexts ?

@rhatdan
Copy link

rhatdan commented Feb 21, 2019

They have chcon and restorecon for that. Issue would be if someone ran a restorecon on entire system.
semanage fcontext ... Modifies the file context database but not the labels on disk. It is not ideal, but should work for the most part, and you could always add semanage via layering.

@dustymabe
Copy link
Member

cool. thanks for the info @rhatdan
only final question I have is how hard would it be to rewrite semanage in a compiled language :)

@rhatdan
Copy link

rhatdan commented Feb 21, 2019

In general, very difficult. I think writing something that manipulated the file contexts would be fairly simple.

@dustymabe dustymabe mentioned this issue Feb 22, 2019
Closed
@dustymabe
Copy link
Member

Discussed in the meeting this past wednesday:

We agreed to ask dan walsh for feedback, which he has conveniently already provided :)

@dustymabe dustymabe added the meeting topics for meetings label Feb 22, 2019
@sinnykumari
Copy link
Contributor Author

Adding this for information:
semodule, setsebool and restorecon are provided by policycoreutils package. chcon is provided by coreutils (already included in FCOS)

@sinnykumari sinnykumari removed the meeting topics for meetings label Feb 27, 2019
@sinnykumari
Copy link
Contributor Author

During FCOS community meeting, we agreed to experiment with initially not shipping policycoreutils-python-utils in the FCOS base system.

@ajeddeloh ajeddeloh mentioned this issue May 1, 2019
Merged
@guest20 guest20 mentioned this issue Dec 1, 2019
Closed
@dustymabe dustymabe mentioned this issue May 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
-python card related to removing a python dependency
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

base: rm setools-console, policycoreutils-python ajeddeloh/fedora-coreos-config
4 participants
@bgilbert @sinnykumari @rhatdan @dustymabe