Update selinux support #804
Conversation
glevand
force-pushed
the
for-merge-selinux
branch
from
4bb0149
to
5e58f97
Compare
|
Rebased to latest. |
build_library/build_image_util.sh
Outdated
| setup_qemu_static "${root_fs_dir}" | ||
| sudo chroot "${root_fs_dir}" /bin/bash -x << 'EOF' | ||
| (cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp) | ||
| setfiles -F /usr/lib/selinux/mcs/contexts/files/file_contexts /usr/lib/modules |
There was a problem hiding this comment.
What is special about the kernel modules that require relabeling?
There was a problem hiding this comment.
We build up the board's rootfs '${root_fs_dir}' from the SDK host, so the rootfs files don't have any selinux labels. The kernel module loader (modprobe, etc.) checks for proper labels, so without the relabeling here module loading will fail when selinux is enforcing. I didn't look into why module loading worked with the old selinux policy/tools.
setup_board
Outdated
| @@ -265,6 +265,9 @@ PORTAGE_BINHOST="${BOARD_BINHOST}" | |||
| # You can use --select to override this. | |||
| EMERGE_DEFAULT_OPTS="--oneshot" | |||
|
|
|||
| # SELinux installed policies. | |||
| POLICY_TYPES="mcs" | |||
There was a problem hiding this comment.
Is there a reason to keep POLICY_TYPES in the base profile set to targeted mcs mls? Maybe we should make this change there instead. Or, if we don't want it in the base policy, maybe we can set this value in profiles/coreos/targets/generic/make.defaults so that there is only one file with this change when using multiple boards.
There was a problem hiding this comment.
I missed that entry in the base profile. I think profiles/coreos/base/make.defaults is the right place to set it since we are only building the mcs policy, and that is the same for all boards. I'll move this change there.
glevand
force-pushed
the
for-merge-selinux
branch
2 times, most recently
from
63be2b3
to
a40114f
Compare
|
Moved POLICY_TYPES change to base policy in coreos/coreos-overlay#3155. |
|
@dm0- I sort of mentioned this on Slack before. We should be labeling everything created ( I have a patch for it |
|
Rebased to latest. |
glevand
force-pushed
the
for-merge-selinux
branch
from
9a5b9c2
to
5fcc513
Compare
|
Rebased to latest. |
Move the selinux policy build to before 'write_contents' and 'zero free space' are done so that the selinux modules are included in those operations. Also apply the selinux file lables as needed. Signed-off-by: Geoff Levand <geoff@infradead.org>
glevand
force-pushed
the
for-merge-selinux
branch
from
5fcc513
to
91c7555
Compare
Depends on coreos/portage-stable#654 (Update selinux support) and coreos/coreos-overlay#3155 (Update selinux support).