Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prepare SELinux packages in overlay for upstreaming #1685

Merged
merged 18 commits into from
Mar 4, 2024

Conversation

krnowak
Copy link
Member

@krnowak krnowak commented Feb 21, 2024

Based on and blocked on #1672.

The weekly updates updated SELinux userspace tools to version 3.6. We have two packages in overlay that were not yet updated - sys-apps/policycoreutils and sys-libs/libsemanage. This PR updates both packages to 3.6 too and tries to remake Flatcar modifications to the ebuilds, so they will still be useful for us and be eventually upstreamable.

The modifications were as follows:

  • Drop dependency on python:
    • I tried making it optional by putting it behind the python USE flag.
    • In case of policycoreutils, python dependency did come mostly through the Gentoo-specific addition of policycoreutils-extra tarball that has some scripts written in python. For this, I have added a vanilla USE flag, that would skip the extra Gentoo stuff.
  • Make /var/lib/selinux a symlink to /usr/lib/selinux/policy.
    • I moved that modification to coreos-base/misc-files.
    • This modification is split in two - tmpfiles stuff went to coreos-base/misc-files, overriding the path went to the profiles bash hook. More about this in commit messages and comments.

One thing I'm not sure about is whether to drop python support SELinux only for generic images or for both generic and SDK images. Keeping python support for SELinux with current changes I have made to policycoreutils and libsemanage ebuilds results in needing to pull app-admin/setools, dev-python/networkx and sys-apps/selinux-python packages into SDK.
We dropped python support for both generic and SDK images - we don't need the python tools.

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/1342/cldsv/ (more or less passed, kicked off another one, because I dropped one INSTALL_MASK).

--

  • sys-apps/policycoreutils: [PROD] [DEV]

    • from 3.5 to 3.6
    • bumped python compat to 3.10..3.11
    • moved the use of tmpfiles to coreos-base/misc-files
    • added vanilla and python USE flags (we enable vanilla and disable python)
      • vanilla tells the ebuild to use vanilla sources, disabling it pulls in some Gentoo extras (which use python)
    • moved the override of selinux policy modules directory into profiles bash hook
  • sys-libs/libsemanage: [PROD] [DEV]

    • from 3.5 to 3.6
    • bumped python compat to 3.10..3.11
    • added the enabled-by-default python USE flag (to be upstreamed)
    • changed dep on sys-devel/{bison,flex} to app-alternatives/{yacc,lex}
    • moved config generation into a patch (to be upstreamed)
      • so we can add out own patch that changes the compression setting there
  • sys-process/audit: [PROD] [DEV]

  • dev-lang/swig:

--

  • changelog
  • image diff

@krnowak krnowak added the main label Feb 21, 2024
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from 084c030 to 5777adf Compare February 22, 2024 08:29
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from 2411b68 to 2113d36 Compare February 22, 2024 10:27
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from 28466b2 to 04e1e9c Compare February 23, 2024 10:58
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from 3b24b5b to bee1bfa Compare February 26, 2024 14:46
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from bee1bfa to 4169fb7 Compare February 27, 2024 08:27
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from 5ab04de to cf8973f Compare February 28, 2024 11:39
krnowak and others added 6 commits March 1, 2024 15:35
It's from Gentoo commit e70aa9e9c0de8663fecbd59c4e26a0d17a41050d.
Prepare the ebuild to be in an upstreamable state:

- hide python dependencies behind the IUSE flag

- move the semanage.conf additions to a patch

  - that way, we can add a user patch that changes compression setting
    that was added by Gentoo

Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Krzesimir Nowak <[email protected]>
The added patch turns on the module compression.
It's from Gentoo commit c4719a957590a9b209422d93c8136075c2781af7.
Prepare the changes for upstreaming:

- Hide python dependencies behind the python USE flag.

- Allow using original sources, without Gentoo modifications with the
  vanilla USE flag.

  - This also hides app-admin/setools dependency behind this USE
    flag. I'm not sure if anything in policycoreutils requires
    anything from that package - I assumed that Gentoo-provided rlpkg
    maybe does.

- Keep using /var/lib/selinux as a SELinux policy directory. We will
  use INSTALL_MASK to skip installation of the directory and will add
  a tmpfiles config file to coreos-base/misc-files instead.

Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Krzesimir Nowak <[email protected]>
The path where the SELinux policy modules are built is normally
/var/lib/selinux. In our case we want to have those policies to be
installed somewhere under /usr. So we have a setup where
/var/lib/selinux is a symlink to /usr/lib/selinux/policy. The
/var/lib/selinux directory is normally created by
sys-apps/policycoreutils directory and we don't want to change it in
order to pursue the goal of putting the package back to
portage-stable.

On the other hand, the override of modules directory location can't
happen in the coreos-base/misc-files package, because
sys-apps/policycoreutils needs that directory to be already set up in
the package post installation time.

The override of the SELinux policy modules directory needs to be done
in the bashrc hook unfortunately. This will come in the follow-up
commit.

So the only thing left is to set up tmpfiles configuration file to
recreate the /var/lib/selinux symlink, since it can be removed when
wiping the filesystem.
krnowak added 12 commits March 1, 2024 16:02
We never needed the python tools in Flatcar.
It's from Gentoo commit 8a1e6e5446c2729e93f1ad51a409862538ea34e9.
The files directory of the package was getting crowded and the names
of the files weren't really saying much.
We will move sys-process/audit to portage-stable. In order to do that,
we need to move the customizations out of its ebuild.
We will move sys-process/audit to portage-stable. In order to do that,
we need to move the customizations out of its ebuild.
It's from Gentoo commit b3421946f41290093bd4bfe67fee6ecccab31bcb.
@krnowak krnowak force-pushed the krnowak/selinux-followup branch from c73eb43 to 88d1eff Compare March 1, 2024 15:34
@krnowak krnowak marked this pull request as ready for review March 4, 2024 07:30
@krnowak krnowak requested a review from a team March 4, 2024 07:30
@krnowak
Copy link
Member Author

krnowak commented Mar 4, 2024

CI passed.

(Well, except openstack, but seems unrelated.)

Copy link

github-actions bot commented Mar 4, 2024

Copy link
Contributor

@tormath1 tormath1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for working on this last bit of the SELinux automation: now all the SELinux upgrades (policies and core packages) will be done without effort. Allowing us to focus on the other SELinux related topics 😉
Thanks!

Some notes:

  • Regarding the OpenStack failure, it will disappear if you rebase on main but that's not needed of course.
  • What about opening a ticket on Gentoo https://bugs.gentoo.org/ to get folks input, get a reference when we'll send the Python patch upstream and not forget about it?

@krnowak
Copy link
Member Author

krnowak commented Mar 4, 2024

LGTM. Thanks for working on this last bit of the SELinux automation: now all the SELinux upgrades (policies and core packages) will be done without effort. Allowing us to focus on the other SELinux related topics 😉 Thanks!

Sure thing! I hope that upstream will be willing to take our changes.

Some notes:

  • Regarding the OpenStack failure, it will disappear if you rebase on main but that's not needed of course.

Oh, cool. Good to know.

  • What about opening a ticket on Gentoo https://bugs.gentoo.org/ to get folks input, get a reference when we'll send the Python patch upstream and not forget about it?

Oh yeah, I want to upstream this stuff, obviously. But I was rather thinking about filing a github PR. Would a ticket on bugzilla be better?

@krnowak krnowak merged commit b9b2f36 into main Mar 4, 2024
1 check failed
@krnowak krnowak deleted the krnowak/selinux-followup branch March 4, 2024 09:49
@tormath1
Copy link
Contributor

tormath1 commented Mar 4, 2024

@krnowak for the ticket, I don't know honestly. I often see this label: https://github.com/gentoo/gentoo/pulls?q=is%3Apr+is%3Aopen+label%3A%22bug+linked%22 which makes me think that it can help to get a review / traction if there is a linked issue? It can also be useful if you don't plan to submit in the next days the patch. Your call!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants