Prepare SELinux packages in overlay for upstreaming #1685
It's from Gentoo commit e70aa9e9c0de8663fecbd59c4e26a0d17a41050d.
Prepare the ebuild to be in an upstreamable state:
- hide python dependencies behind the IUSE flag
- move the semanage.conf additions to a patch - that way, we can add a user patch that changes compression setting that was added by Gentoo
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Krzesimir Nowak <[email protected]>
The added patch turns on the module compression.
It's from Gentoo commit c4719a957590a9b209422d93c8136075c2781af7.
Prepare the changes for upstreaming:
- Hide python dependencies behind the python USE flag.
- Allow using original sources, without Gentoo modifications with the vanilla USE flag. This also hides app-admin/setools dependency behind this USE flag. I'm not sure if anything in policycoreutils requires anything from that package - I assumed that Gentoo-provided rlpkg maybe does.
- Keep using /var/lib/selinux as a SELinux policy directory. We will use INSTALL_MASK to skip installation of the directory and will add a tmpfiles config file to coreos-base/misc-files instead.
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Krzesimir Nowak <[email protected]>
The path where the SELinux policy modules are built is normally /var/lib/selinux. In our case we want to have those policies to be installed somewhere under /usr. So we have a setup where /var/lib/selinux is a symlink to /usr/lib/selinux/policy. The /var/lib/selinux directory is normally created by sys-apps/policycoreutils directory and we don't want to change it in order to pursue the goal of putting the package back to portage-stable. On the other hand, the override of modules directory location can't happen in the coreos-base/misc-files package, because sys-apps/policycoreutils needs that directory to be already set up in the package post installation time. The override of the SELinux policy modules directory needs to be done in the bashrc hook unfortunately. This will come in the follow-up commit. So the only thing left is to set up tmpfiles configuration file to recreate the /var/lib/selinux symlink, since it can be removed when wiping the filesystem.
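An added example, not code from the PR or from Flatcar, that shows the layout the commit message describes: a tmpfiles.d line of the kind that recreates the /var/lib/selinux symlink, plus a check that the symlink and its /usr/lib/selinux/policy backing directory are actually in place under a given root (useful after wiping the filesystem). The helper that builds a scratch root is for testing only; the paths are the ones named in the commit message.

```shell
#!/bin/sh
# Added example (not from the Flatcar PR). Assumes the policy store layout
# described above: /var/lib/selinux -> /usr/lib/selinux/policy.

# tmpfiles.d 'L' entries create a symlink at the path with the given target.
TMPFILES_LINE='L /var/lib/selinux - - - - /usr/lib/selinux/policy'

# selinux_tmpfiles_conf: print the tmpfiles.d fragment for the symlink.
selinux_tmpfiles_conf() {
    printf '%s\n' "$TMPFILES_LINE"
}

# check_selinux_store ROOT: return 0 only if ROOT/var/lib/selinux is a symlink
# to /usr/lib/selinux/policy and that target exists as a directory under ROOT.
check_selinux_store() {
    root="${1:-}"
    link="$root/var/lib/selinux"
    target="$root/usr/lib/selinux/policy"
    if [ ! -L "$link" ]; then
        echo "$link is not a symlink (policy store would land on /var)" >&2
        return 1
    fi
    if [ "$(readlink "$link")" != "/usr/lib/selinux/policy" ]; then
        echo "$link points at $(readlink "$link"), expected /usr/lib/selinux/policy" >&2
        return 1
    fi
    if [ ! -d "$target" ]; then
        echo "$target is missing: symlink has no backing directory" >&2
        return 1
    fi
    return 0
}

# make_selinux_store ROOT: build the layout under a scratch ROOT the same way
# the tmpfiles line would on a real system (test helper only).
make_selinux_store() {
    root="$1"
    mkdir -p "$root/usr/lib/selinux/policy" "$root/var/lib"
    ln -sfn /usr/lib/selinux/policy "$root/var/lib/selinux"
}
```

Run `check_selinux_store` with no argument to check the live system, or with a mounted root (for example an image mount point) to inspect it offline.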
We never needed the python tools in Flatcar.
It's from Gentoo commit 8a1e6e5446c2729e93f1ad51a409862538ea34e9.
The files directory of the package was getting crowded and the names of the files weren't really saying much.
We will move sys-process/audit to portage-stable. In order to do that, we need to move the customizations out of its ebuild.
It's from Gentoo commit b3421946f41290093bd4bfe67fee6ecccab31bcb.
CI passed. (Well, except openstack, but seems unrelated.)
Build action triggered: https://github.com/flatcar/scripts/actions/runs/8138334529
LGTM. Thanks for working on this last bit of the SELinux automation: now all the SELinux upgrades (policies and core packages) will be done without effort. Allowing us to focus on the other SELinux related topics 😉
Thanks!
Some notes:
- Regarding the OpenStack failure, it will disappear if you rebase on main but that's not needed of course.
- What about opening a ticket on Gentoo https://bugs.gentoo.org/ to get folks input, get a reference when we'll send the Python patch upstream and not forget about it?
Sure thing! I hope that upstream will be willing to take our changes.
Oh, cool. Good to know.
Oh yeah, I want to upstream this stuff, obviously. But I was rather thinking about filing a github PR. Would a ticket on bugzilla be better?
@krnowak for the ticket, I don't know honestly. I often see this label: https://github.com/gentoo/gentoo/pulls?q=is%3Apr+is%3Aopen+label%3A%22bug+linked%22 which makes me think that it can help to get a review / traction if there is a linked issue? It can also be useful if you don't plan to submit in the next days the patch. Your call!
Based on and blocked on #1672. The weekly updates updated SELinux userspace tools to version 3.6. We have two packages in overlay that were not yet updated - sys-apps/policycoreutils and sys-libs/libsemanage. This PR updates both packages to 3.6 too and tries to remake Flatcar modifications to the ebuilds, so they will still be useful for us and be eventually upstreamable.
The modifications were as follows:
- python USE flag.
- vanilla USE flag, that would skip the extra Gentoo stuff.
- /var/lib/selinux a symlink to /usr/lib/selinux/policy. I moved that modification to coreos-base/misc-files.
- coreos-base/misc-files, overriding the path went to the profiles bash hook.
More about this in commit messages and comments.
One thing I'm not sure about is whether to drop python support SELinux only for generic images or for both generic and SDK images. Keeping python support for SELinux with current changes I have made to policycoreutils and libsemanage ebuilds results in needing to pull app-admin/setools, dev-python/networkx and sys-apps/selinux-python packages into SDK.
We dropped python support for both generic and SDK images - we don't need the python tools.
CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1342/cldsv/ (more or less passed, kicked off another one, because I dropped one INSTALL_MASK).
sys-apps/policycoreutils: [PROD] [DEV]
sys-libs/libsemanage: [PROD] [DEV]
sys-process/audit: [PROD] [DEV]
dev-lang/swig: