
Increase selinux coverage of the host system#2849

Draft
krnowak wants to merge 100 commits into main from krnowak/selinux-coverage

@krnowak krnowak commented Apr 24, 2025

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/2052/cldsv/

  • switch to selinux profiles
  • add more sec-policy packages
  • do some cleanups in profiles wrt selinux, audit, python, perl and caps USE flags

TODO:

  • mask python files from sys-libs/libselinux for generic images
  • drop systemd patch that removes selinux checks

@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from a0f3db3 to b2a06ed, April 29, 2025 11:30
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from e5f476b to f53a575, May 8, 2025 15:15
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from f53a575 to fc92672, May 9, 2025 10:43
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch 2 times, most recently from c2fd277 to ada3e0c, May 13, 2025 18:11
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ada3e0c to d6d1948, May 13, 2025 18:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from d6d1948 to ff0b61e, May 14, 2025 07:22
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from ff0b61e to 4527a10, May 14, 2025 08:27
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 4527a10 to b9a1d06, May 14, 2025 08:45
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from b9a1d06 to 999890a, May 14, 2025 09:13
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 999890a to 6f6bbe8, May 14, 2025 09:35
krnowak added 30 commits March 11, 2026 14:50
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Some of those policies are pulled in by sysext packages. We want the
policies to be in the base image, so we can build them and be
applicable for sysext contents.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
…issues

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
We have pulled enough policies for the build problem to go away.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Made it easier to change its path.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
There were two problems with pkg_use_enabled:

1. It did not detect force-enabled or masked USE flags correctly -
   selinux USE flag is force-enabled and is shown in the output inside
   parentheses.

2. It was defined in board_options.sh which injects some command line
   flags and globals that are not related to the function.

Since pkg_use_enabled was only used so far for checking the selinux
USE flags, add a function is_selinux_enabled and use the newly added
function in the currently only user of pkg_use_enabled.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
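The commit message above describes why a naive USE-flag check fails: Portage prints force-enabled flags as `(flag)` and masked flags as `(-flag)`, so a check that only looks for a bare `flag` token reports a forced `selinux` as disabled. The following shell snippet is an added example, not code from this PR or from the Flatcar SDK; it assumes the token format that `emerge -pv` uses in its `USE="..."` column (bare, `-` prefixed, parenthesised, with optional trailing `*` or `%` markers), and the sample USE line is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR): classify Portage-style USE tokens so that
# force-enabled flags such as "(selinux)" count as enabled, and masked flags
# such as "(-perl)" count as disabled.
#
# Assumed token format (as printed by `emerge -pv`):
#   flag      enabled by the profile or make.conf
#   -flag     disabled
#   (flag)    force-enabled via use.force, cannot be turned off
#   (-flag)   masked via use.mask, cannot be turned on
# A trailing "*" (changed since last build) or "%" (new flag) is ignored.

# use_flag_state FLAG USE_LIST
#   prints one of: enabled forced disabled masked absent
# Runs in a subshell so `set -f` (no globbing of tokens like "systemd*")
# does not leak into the caller.
use_flag_state() (
    flag=$1
    list=$2
    set -f
    for token in $list; do
        # drop "changed"/"new" markers that may follow the token
        token=${token%\*}
        token=${token%\%}
        case $token in
            \(*\)) inner=${token#\(}; inner=${inner%\)}; wrapped=1 ;;
            *)     inner=$token; wrapped=0 ;;
        esac
        inner=${inner%\*}
        inner=${inner%\%}
        case $inner in
            -*) name=${inner#-}; negated=1 ;;
            *)  name=$inner; negated=0 ;;
        esac
        [ "$name" = "$flag" ] || continue
        if [ "$wrapped" -eq 1 ]; then
            if [ "$negated" -eq 1 ]; then echo masked; else echo forced; fi
        else
            if [ "$negated" -eq 1 ]; then echo disabled; else echo enabled; fi
        fi
        return 0
    done
    echo absent
)

# use_flag_enabled FLAG USE_LIST
#   succeeds (exit 0) when the flag is effectively on, i.e. enabled or forced.
use_flag_enabled() {
    case $(use_flag_state "$1" "$2") in
        enabled|forced) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample resembling the USE column of `emerge -pv` for a package
# built under a profile that forces selinux and masks perl.
SAMPLE_USE='acl audit caps -python (selinux) (-perl) systemd* -test'

# Demonstration: a bare-token check would miss "(selinux)"; this one does not.
for f in selinux audit python perl systemd test zlib; do
    printf '%-8s %s\n' "$f" "$(use_flag_state "$f" "$SAMPLE_USE")"
done
if use_flag_enabled selinux "$SAMPLE_USE"; then
    echo "selinux is effectively enabled"
fi
```

A profile-forced flag is the common case for `selinux` on hardened or SELinux profiles, which is exactly where a bare-token match gives the wrong answer; classifying the token first and then deciding what counts as "enabled" keeps that distinction explicit.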
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
For built-in sysext, we may not have yet any policies built, so the
relabeling won't work. To fix the situation, we need to temporarily
build them ourselves.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Building multiple policies is pointless - changing the policy at
runtime would require relabeling the filesystem, which will not work,
because /usr is read-only.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
We want to install some SELinux tools written in python to the selinux
sysext. Sysexts use the generic profile, so the entries for those
packages need to be moved into generic/prod profile.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
It's from Gentoo commit 5867e28cbfb4bf12ac5397e9dd35fd77dbfa1aab.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
This is being pulled into stage1 through bootstrap use.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
We want to scavenge some build logs from that directory if build fails