Skip to content

Increase selinux coverage of the host system #2849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 67 commits into
base: main
Choose a base branch
from
Draft

Increase selinux coverage of the host system #2849

wants to merge 67 commits into from

Conversation

krnowak
Copy link
Member

@krnowak krnowak commented Apr 24, 2025

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/2052/cldsv/

  • switch to selinux profiles
  • add more sec-policy packages
  • do some cleanups in profiles wrt selinux, audit, python, perl and caps USE flags

TODO:

  • mask python files from sys-libs/libselinux for generic images
  • drop systemd patch that removes selinux checks

@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from a0f3db3 to b2a06ed Compare April 29, 2025 11:30
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from e5f476b to f53a575 Compare May 8, 2025 15:15
krnowak added 17 commits May 9, 2025 12:42
@krnowak
overlay profiles: Switch to hardened/selinux/systemd profiles
7687b71
@krnowak
sec-policy/selinux-apache: Add from Gentoo
2b8b30f 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-apm: Add from Gentoo
4b13121 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-bind: Add from Gentoo
1736aeb 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-brctl: Add from Gentoo
a1d60e8 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-cdrecord: Add from Gentoo
a739758 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-chronyd: Add from Gentoo
4714f2c 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-dirmngr: Add from Gentoo
71fd2cb 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-dnsmasq: Add from Gentoo
4d9b6fb 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-docker: Add from Gentoo
0cfbd9a 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-dracut: Add from Gentoo
92934ff 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-git: Add from Gentoo
ba3dd9e 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-gpg: Add from Gentoo
130d7c5 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-kdump: Add from Gentoo
a2a3d10 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-kerberos: Add from Gentoo
7998702 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-ldap: Add from Gentoo
669fd52 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak
sec-policy/selinux-loadkeys: Add from Gentoo
dd005dd 
It's from Gentoo commit 1d834aa9c6f8d981b720a18aa74907f84e9e27bf.
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from b9a1d06 to 999890a Compare May 14, 2025 09:13
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 999890a to 6f6bbe8 Compare May 14, 2025 09:35
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 6f6bbe8 to 61ef7d4 Compare May 14, 2025 10:55
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 61ef7d4 to 2fe435d Compare May 14, 2025 12:09
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 2fe435d to e3b0915 Compare May 14, 2025 12:23
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from e3b0915 to 783c103 Compare May 14, 2025 12:37
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 783c103 to af5fb28 Compare May 14, 2025 12:54
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from af5fb28 to b15c808 Compare May 14, 2025 13:19
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from b15c808 to 2d50642 Compare May 14, 2025 13:34
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 3b24cb9 to fec55ca Compare May 14, 2025 15:16
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from fec55ca to 19b8b6f Compare May 15, 2025 14:38
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 19b8b6f to 8521010 Compare May 15, 2025 14:51
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 8521010 to 3d006d6 Compare May 16, 2025 09:07
@krnowak
build_toolchains: Break dep loop and handle more dependencies
4e5c37e 
Switching to a selinux profile caused more USE flags to be enabled
(selinux, audit, caps), thus more dependencies to be pulled. More
dependencies caused two things:

- cyclic dependencies appeared
- sys-apps/baselayout is being pulled in

Cyclic dependencies need to be handled in a similar way it was done in
build_packages, thus factor out the code doing it into a separate and
reusable part.

The dependency on baselayout needs to be handled by installing the
package as a first thing in $ROOT, followed by a more careful way of
copying things from $SYSROOT to $ROOT (due to split-usr differences),
followed by installing the rest of the packages.
@krnowak krnowak force-pushed the krnowak/selinux-coverage branch from 3d006d6 to 4e5c37e Compare May 16, 2025 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@krnowak