-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
selinux: update #917
Merged
Merged
selinux: update #917
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 14, 2023 08:49
8aa40b9
to
ba26ce5
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 14, 2023 15:07
6d6cbe2
to
0cec227
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 15, 2023 09:17
0cec227
to
eee524d
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 16, 2023 15:01
eee524d
to
5f4879d
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 19, 2023 09:42
5f4879d
to
806db4b
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 19, 2023 16:40
806db4b
to
b3edcfc
Compare
Build action triggered: https://github.com/flatcar/scripts/actions/runs/6246519237 |
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 20, 2023 08:30
b3edcfc
to
f5c72f3
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 20, 2023 13:24
d2bc91e
to
2f10b2a
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 20, 2023 18:43
2f10b2a
to
8a6b967
Compare
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
June 21, 2023 07:51
8a6b967
to
60b8d04
Compare
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@a67229c Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
* remove python dependencies * move selinux policy directory from /etc/selinux/policy to /usr/lib/selinux/policy * add tmpfiles to recreate /var/lib/selinux on rootfs * remove setools dependency Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
* remove python dependencies * added back multilib_src_install function (qa_check does fail otherwise) * setting SHLIBDIR for installation Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
* add selinux patches (icmp-bind, relabel and kernel permissions) * ship our own config file Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
it's now replaced by selinux-container Signed-off-by: Mathieu Tortuyaux <[email protected]>
it comes in replacement of selinux-virt Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
apply Flatcar patch (including the kernel_t transition that should be removed once we have a system labelled) Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@ea4cd1f Signed-off-by: Mathieu Tortuyaux <[email protected]>
it's a dependency from ssh module: ``` Failed to resolve typeattributeset statement at /var/lib/selinux/mcs/tmp/modules/400/ssh/cil:127 Failed to resolve AST ``` Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Commit-Ref: gentoo/gentoo@a8d9347 Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
tormath1
force-pushed
the
tormath1/selinux-policy-update
branch
from
September 20, 2023 10:33
29f20e5
to
c3ba668
Compare
tormath1
had a problem deploying
to
development
September 20, 2023 10:34
— with
GitHub Actions
Failure
This was referenced Sep 20, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a follow-up of flatcar-archive/portage-stable#339 and flatcar-archive/coreos-overlay#1993 - the idea is to "only" upgrade SELinux related software and to pull the new "selinux-container" policy, relabeling investigation could be done in a second time: at least, let's try to get the foundation.
The main change is a transition from
virt
tocontainer
policy (which solves some issues) while I did not want to fix all the SELinux AVC in this PR, I just patched the container policy to get Cilium working out of the box (because now, even in permissive mode, it was failing)changelog/
directory (user-facing change, bug fix, security fix, update)/boot
and/usr
size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.While it closes a certain number of issues, there is still some investigation to do on the others but from a first look it's just a matter of upstreaming some policies (example: SELinuxProject/refpolicy#621)
Closes: flatcar/Flatcar#479, flatcar/Flatcar#891, flatcar/Flatcar#696
Tested in the CI with: flatcar/mantle#344
NOTE: All the
kernel_t
related patches have to be DROPPED once we support a fully labelled system.