New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

selinux: update #917

Merged

tormath1 merged 22 commits into main from tormath1/selinux-policy-update

Sep 20, 2023

Contributor

tormath1 commented Jun 14, 2023 •

edited

Loading

This PR is a follow-up of flatcar-archive/portage-stable#339 and flatcar-archive/coreos-overlay#1993 - the idea is to "only" upgrade SELinux related software and to pull the new "selinux-container" policy, relabeling investigation could be done in a second time: at least, let's try to get the foundation.

The main change is a transition from virt to container policy (which solves some issues) while I did not want to fix all the SELinux AVC in this PR, I just patched the container policy to get Cilium working out of the box (because now, even in permissive mode, it was failing)

Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2521/cldsv/

While it closes a certain number of issues, there is still some investigation to do on the others but from a first look it's just a matter of upstreaming some policies (example: SELinuxProject/refpolicy#621)

Closes: flatcar/Flatcar#479, flatcar/Flatcar#891, flatcar/Flatcar#696

Tested in the CI with: flatcar/mantle#344

NOTE: All the kernel_t related patches have to be DROPPED once we support a fully labelled system.

tormath1 self-assigned this

tormath1 temporarily deployed to development

June 14, 2023 08:17

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 8aa40b9 to ba26ce5 Compare

June 14, 2023 08:49

tormath1 temporarily deployed to development

June 14, 2023 08:49

— with

GitHub Actions Inactive

tormath1 temporarily deployed to development

June 14, 2023 12:40

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 6d6cbe2 to 0cec227 Compare

June 14, 2023 15:07

tormath1 temporarily deployed to development

June 14, 2023 15:08

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 0cec227 to eee524d Compare

June 15, 2023 09:17

tormath1 temporarily deployed to development

June 15, 2023 09:17

— with

GitHub Actions Inactive

tormath1 temporarily deployed to development

June 15, 2023 12:26

— with

GitHub Actions Inactive

tormath1 temporarily deployed to development

June 15, 2023 15:46

— with

GitHub Actions Inactive

tormath1 temporarily deployed to development

June 15, 2023 15:50

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from eee524d to 5f4879d Compare

June 16, 2023 15:01

tormath1 temporarily deployed to development

June 16, 2023 15:01

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 5f4879d to 806db4b Compare

June 19, 2023 09:42

tormath1 temporarily deployed to development

June 19, 2023 09:42

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 806db4b to b3edcfc Compare

June 19, 2023 16:40

tormath1 temporarily deployed to development

June 19, 2023 16:40

— with

GitHub Actions Inactive

github-actions bot commented Jun 19, 2023 •

edited

Loading

Build action triggered: https://github.com/flatcar/scripts/actions/runs/6246519237

tormath1 force-pushed the tormath1/selinux-policy-update branch from b3edcfc to f5c72f3 Compare

June 20, 2023 08:30

tormath1 had a problem deploying to development

June 20, 2023 08:30

— with

GitHub Actions Error

tormath1 temporarily deployed to development

June 20, 2023 08:54

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from d2bc91e to 2f10b2a Compare

June 20, 2023 13:24

tormath1 temporarily deployed to development

June 20, 2023 13:24

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 2f10b2a to 8a6b967 Compare

June 20, 2023 18:43

tormath1 temporarily deployed to development

June 20, 2023 18:43

— with

GitHub Actions Inactive

tormath1 force-pushed the tormath1/selinux-policy-update branch from 8a6b967 to 60b8d04 Compare

June 21, 2023 07:51

tormath1 had a problem deploying to development

June 21, 2023 07:51

— with

GitHub Actions Failure

tormath1 marked this pull request as ready for review

June 21, 2023 07:54

tormath1 requested a review from a team

June 21, 2023 07:54

tormath1 added 22 commits

September 20, 2023 12:33


          eclass: sync selinux-policy-2 with Gentoo

b0810f4

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-libs/libselinux: sync with Gentoo

7132f52

Commit-Ref: gentoo/gentoo@a67229c

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-libs/libsepol: sync with Gentoo

c4a353d

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-apps/policycoreutils: sync with Gentoo

d78e4b3

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-apps/policycoreutils: apply flatcar changes

a38d44b

* remove python dependencies
* move selinux policy directory from /etc/selinux/policy to /usr/lib/selinux/policy
* add tmpfiles to recreate /var/lib/selinux on rootfs
* remove setools dependency

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-libs/libsemanage: sync with Gentoo

e1ff975

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-libs/libsemanage: apply flatcar patches

90bd28e

* remove python dependencies
* added back multilib_src_install function (qa_check does fail otherwise)
* setting SHLIBDIR for installation

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-apps/checkpolicy: sync with Gentoo

cd2d678

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policy/selinux-base: sync with Gentoo

3de5229

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          coreos/user-patches: add selinux-base

ac520d6

* add selinux patches (icmp-bind, relabel and kernel permissions)
* ship our own config file

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policy/selinux-base-policy: sync with Gentoo

6b7c247

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          coreos/user-patches: add selinux-base-policy

2af995d

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policy/selinux-virt: drop ebuild

1e2b1c9

it's now replaced by selinux-container

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policy/selinux-container: add new package

1306dfe

it comes in replacement of selinux-virt

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          coreos/user-patches: add selinux-container

206b71a

apply Flatcar patch (including the kernel_t transition that
should be removed once we have a system labelled)

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policy/selinux-sssd: sync with Gentoo

eed7eb6

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policy/selinux-unconfined: sync with Gentoo

af5400c

Commit-Ref: gentoo/gentoo@ea4cd1f
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sec-policys/selinux-dbus: add new package

077dd23

it's a dependency from ssh module:
```
Failed to resolve typeattributeset statement at /var/lib/selinux/mcs/tmp/modules/400/ssh/cil:127
Failed to resolve AST
```

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          changelog: add entries

a07620c

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          sys-apps/semodule-utils: sync with Gentoo

678dfd7

Commit-Ref: gentoo/gentoo@a8d9347

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          coreos-base/misc-files: add SELinux config

0d3c1a5

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


          .github: add more packages to automation

c3ba668

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

tormath1 force-pushed the tormath1/selinux-policy-update branch from 29f20e5 to c3ba668 Compare

September 20, 2023 10:33

tormath1 had a problem deploying to development

September 20, 2023 10:34

— with

GitHub Actions Failure

tormath1 merged commit 2337580 into main

1 check failed

tormath1 deleted the tormath1/selinux-policy-update branch

September 20, 2023 10:35

This was referenced Sep 20, 2023

Cilium CNi with k8s does not work with SELinux in permissive mode flatcar/Flatcar#891

Closed

getting "avc: denied" messages in system logs flatcar/Flatcar#696

Closed

SELinux prevents usage of execsnoop in enforcing mode flatcar/Flatcar#509

Closed

github-actions bot mentioned this pull request

Monthly contributions report 2023-08-22 - 2023-09-21 flatcar/Flatcar#1245

Closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet