Skip to content

Increase selinux coverage of the host system #2849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 67 commits into
base: main
Choose a base branch
from
Draft

Increase selinux coverage of the host system #2849

wants to merge 67 commits into from

Conversation

krnowak
Copy link
Member

@krnowak krnowak commented Apr 24, 2025

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/2052/cldsv/

  • switch to selinux profiles
  • add more sec-policy packages
  • do some cleanups in profiles wrt selinux, audit, python, perl and caps USE flags

TODO:

  • mask python files from sys-libs/libselinux for generic images
  • drop systemd patch that removes selinux checks

@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from a0f3db3 to b2a06ed Compare April 29, 2025 11:30
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from e5f476b to f53a575 Compare May 8, 2025 15:15
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from f53a575 to fc92672 Compare May 9, 2025 10:43
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch 2 times, most recently from c2fd277 to ada3e0c Compare May 13, 2025 18:11
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ada3e0c to d6d1948 Compare May 13, 2025 18:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from d6d1948 to ff0b61e Compare May 14, 2025 07:22
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ff0b61e to 4527a10 Compare May 14, 2025 08:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 4527a10 to b9a1d06 Compare May 14, 2025 08:45
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from b9a1d06 to 999890a Compare May 14, 2025 09:13
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 999890a to 6f6bbe8 Compare May 14, 2025 09:35
krnowak added 25 commits August 29, 2025 16:29
@krnowak
overlay profiles: Disable caps for smartmontools
c1b6a00 
The USE=caps is only relevant for smartd, which we are not building
anyway.
@krnowak
overlay profiles: Allow python for sys-libs/libselinux
f97e79e
@krnowak
overlay coreos/config: Add Flatcar modifications for sys-libs/libsema…
92c333a 
…nage
@krnowak
overlay sys-libs/libsemanage: Move to portage-stable
9956b24
@krnowak
sys-libs/libsemanage: Sync with Gentoo
8cfceca 
It's from Gentoo commit d50f5237c71cff431dd2427197c51a631e38f99e.
@krnowak
.github: Add sys-libs/libsemanage to automation
6fa92f2
@krnowak
overlay sys-apps/policycoreutils: Move to portage-stable
e0d09e1
@krnowak
sys-apps/policycoreutils: Sync with Gentoo
2d7df68 
It's from Gentoo commit 2c3548b4a7e9cfdcc0dafd6d90a2192341f94011.
@krnowak
.github: Add sys-apps/policycoreutils to automation
b418267
@krnowak
overlay coreos/config: Add python stuff to install mask for prod images
b1d81e8
@krnowak
overlay coreos/user-patches: Drop a patch for sys-libs/libsemanage
3ef9933 
We apply the fix in a different way.
@krnowak
app-admin/setools: Add from Gentoo
01b25fd 
It's from Gentoo commit dd8f1e13525265315752f252be7515f18e80334a.
@krnowak
.github: Add app-admin/setools to automation
668741a
@krnowak
overlay profiles: Do not pull app-admin/setools into prod images
70c8d8c
@krnowak
sys-apps/selinux-python: Add from Gentoo
7547dfc 
It's from Gentoo commit 1a36dbcbfd45b1906c67e57a2640dca52f3370cb.
@krnowak
.github: Add sys-apps/selinux-python to automation
8a0f200
@krnowak
dev-python/networkx: Add from Gentoo
ed00f90 
It's from Gentoo commit e5712a8fc3d0d429407ee9db8450b5c573041019.
@krnowak
.github: Add dev-python/networkx to automation
e56832f
@krnowak
overlay coreos/config: Add further modifications to sys-process/audit
6ba1512
@krnowak
overlay profiles: Allow python for sys-process/audit
fa4edb7
@krnowak
overlay coreos/config: Add further Flatcar modifications for sys-apps…
8f0b586 
…/policycoreutils
@krnowak
overlay profiles: Force static-libs on sys-libs/libsepol to fix boots…
a1400cf 
…trap
@krnowak
build_toolchain: Do not leak variables
88ab737
@krnowak
build_toolchains: Break dep loop and handle more dependencies
7908784 
Switching to a selinux profile caused more USE flags to be enabled
(selinux, audit, caps), thus more dependencies to be pulled. More
dependencies caused two things:

- cyclic dependencies appeared
- sys-apps/baselayout is being pulled in

Cyclic dependencies need to be handled in a similar way it was done in
build_packages, thus factor out the code doing it into a separate and
reusable part.

The dependency on baselayout needs to be handled by installing the
package as a first thing in $ROOT, followed by a more careful way of
copying things from $SYSROOT to $ROOT (due to split-usr differences),
followed by installing the rest of the packages.
@krnowak
overlay profiles: Move python from package.mask to package.provided f…
c2700d2 
…or prod
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 8a0a7be to c2700d2 Compare August 29, 2025 14:30
@pothos
Copy link
Member

pothos commented Sep 1, 2025

Interesting!
Maybe we can do the correct labeling now and have a booting image: #1517

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 1, 2025
edited
Loading

Build action triggered: https://github.com/flatcar/scripts/actions/runs/17375141650

@pothos
Copy link
Member

pothos commented Sep 1, 2025

When ready we should also make kola enforce early and not at runtime: flatcar/mantle#487

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@krnowak @pothos