diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 6894ad7faaf..9d759e49d02 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -559,6 +559,7 @@ sec-policy/selinux-base
 sec-policy/selinux-base-policy
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+sec-policy/selinux-docker
 sec-policy/selinux-policykit
 sec-policy/selinux-sssd
 sec-policy/selinux-unconfined
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index a29470dc821..1ec826e1633 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -580,6 +580,30 @@ start_image() {
 --board="${BOARD}"
 }
+# Actions common to the dev container and the image
+# but which should be run before the image branches off
+# the base squashfs (used for systemd-sysext image building)
+finish_image_common() {
+ local image_name="$1"
+ local disk_layout="$2"
+ local root_fs_dir="$3"
+ local image_contents="$4"
+ local image_contents_wtd="$5"
+ local image_kernel="$6"
+ local pcr_policy="$7"
+ local image_grub="$8"
+ local image_shim="$9"
+ local image_kconfig="${10}"
+ local image_initrd_contents="${11}"
+ local image_initrd_contents_wtd="${12}"
+ local image_disk_space_usage="${13}"
+
+ # Build the selinux policy
+ if pkg_use_enabled coreos-base/coreos selinux; then
+ sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+ fi
+}
+
 finish_image() {
 local image_name="$1"
 local disk_layout="$2"
@@ -694,11 +718,6 @@ EOF
 "${BUILD_DIR}/${image_kconfig}"
 fi
- # Build the selinux policy
- if pkg_use_enabled coreos-base/coreos selinux; then
- sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
- fi
-
 # Run tmpfiles once to make sure that /etc has everything in place before
 # we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
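Review bot: finish_image_common declares thirteen positional locals but only `root_fs_dir` (`$3`) is ever read, and the two call sites disagree about the arity — build_library/dev_container_util.sh passes five arguments while build_library/prod_image_util.sh passes all thirteen — so `image_name`, `disk_layout`, `image_contents`, `image_contents_wtd` and `image_kernel` … `image_disk_space_usage` are dead assignments that ShellCheck will flag (SC2034). If the wide signature is deliberate so callers can stay parallel to finish_image, say so in the header, e.g. `# Takes the same argument list as finish_image so callers can pass it through unchanged; only root_fs_dir is used so far.`; otherwise reduce it to `finish_image_common() { local root_fs_dir="$1"; … }` and adjust both callers. The `sudo chroot … semodule -s mcs -i *.pp` line is the only real work and its exit status is not checked; whether a failed module install stops the build depends on the error settings of the enclosing scripts, which the hunk does not show, so an explicit `|| die "installing SELinux policy modules failed"` (or whatever failure helper the scripts already use) would make the intent unambiguous. The second hunk in this file is the same block being moved out of finish_image, so the behaviour change is only the earlier ordering relative to the squashfs split.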
@@ -731,10 +750,8 @@ EOF
 # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
 # the relabeling on boot would cause upcopies in the overlay.
 if pkg_use_enabled coreos-base/coreos selinux; then
- # TODO: Breaks the system:
- # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
- # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
- # For now we only try it with /etc
+ sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+ sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
 sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
 fi
diff --git a/build_library/dev_container_util.sh b/build_library/dev_container_util.sh
index f87bd1235ab..227471c1dff 100755
--- a/build_library/dev_container_util.sh
+++ b/build_library/dev_container_util.sh
@@ -112,6 +112,8 @@ create_dev_container() {
 # The remount services are provided by coreos-base/coreos-init
 systemd_enable "${root_fs_dir}" "multi-user.target" "remount-usr.service"
+ finish_image_common "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
+
 finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
 declare -a files_to_evaluate
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index 561766aa21e..3af2c9a5628 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
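Review bot: The first added `setfiles` pass is given `"${root_fs_dir}"` itself, which is a recursive relabel of the whole tree, so the `/usr` pass added directly below it and the pre-existing `/etc` pass that follows repeat work already done; either keep only the whole-tree call or add a comment stating why three passes are wanted (for example if something between them is expected to change labels again, which the hunk does not show). Dropping the `TODO: Breaks the system` note without a replacement also loses the record of why the full relabel used to be disabled; a one-line comment on what made it safe now (presumably the policy modules being installed by finish_image_common before the squashfs is split off) would help the next reader, e.g. `# Relabel the whole tree; the policy store is populated in finish_image_common so all contexts resolve.` If anything is still mounted beneath `${root_fs_dir}` at this point the whole-tree pass may descend into it as well; the mount state is outside the hunk, so worth confirming. The enclosing function starts and ends outside the hunk.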
@@ -92,6 +92,21 @@ create_prod_image() {
 run_ldconfig "${root_fs_dir}"
 run_localedef "${root_fs_dir}"
+ finish_image_common \
+ "${image_name}" \
+ "${disk_layout}" \
+ "${root_fs_dir}" \
+ "${image_contents}" \
+ "${image_contents_wtd}" \
+ "${image_kernel}" \
+ "${image_pcr_policy}" \
+ "${image_grub}" \
+ "${image_shim}" \
+ "${image_kconfig}" \
+ "${image_initrd_contents}" \
+ "${image_initrd_contents_wtd}" \
+ "${image_disk_usage}"
+
 local root_with_everything="${root_fs_dir}"
 # Call helper script for adding sysexts to the base OS.
diff --git a/build_sysext b/build_sysext
index ed053907325..00eb7754fe4 100755
--- a/build_sysext
+++ b/build_sysext
@@ -237,6 +237,7 @@ export SOURCE_DATE_EPOCH=$(stat -c '%Y' "${BUILD_DIR}/fs-root/usr/lib/os-release
 # Unmount in order to get rid of the overlay
 umount "${BUILD_DIR}/install-root"
+sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr
 umount "${BUILD_DIR}/fs-root"
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index bfe8b96ed1d..c6f0d49527c 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -148,6 +148,7 @@ RDEPEND="${RDEPEND}
 sec-policy/selinux-base-policy
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+ sec-policy/selinux-docker
 sec-policy/selinux-policykit
 sec-policy/selinux-unconfined
 sys-apps/acl
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest
new file mode 100644
index 00000000000..5727621b3a8
--- /dev/null
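Review bot: In build_sysext the new `setfiles` line runs unconditionally, while every other relabel in this change is behind `pkg_use_enabled coreos-base/coreos selinux`; for a base image built without SELinux the `fs-root/etc/selinux/mcs/contexts/files/file_contexts` path does not exist and the command fails, which under the script's error settings (not visible here) could abort every sysext build. Guard it on the contexts file being present: `if [[ -f "${BUILD_DIR}/fs-root/etc/selinux/mcs/contexts/files/file_contexts" ]]; then` / `  sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr` / `fi`. The `sudo` is also out of step with the neighbouring `umount` calls, which run without it, and the line sits after `umount "${BUILD_DIR}/install-root"`, so what it relabels is whatever is left on disk at that path once the overlay is gone — the hunk does not show the mount setup, so a short comment stating that this is the sysext's upper layer would spare the next reader that check. Since the labels are taken from the base image's file_contexts, the sysext's /usr only carries correct contexts when it is built against the same policy as the image it will be layered onto.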
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest
@@ -0,0 +1,4 @@
+DIST patchbundle-selinux-base-policy-2.20240226-r2.tar.bz2 442650 BLAKE2B f2f7c5e4a595afafc072fd78fc4ef3930cf739d05cbe9670f2fb2956fe84e3045518345e103bc3880603d2562f06ba0597fc005d8d394e9f8cd057363f9bf95f SHA512 2cb00d088eebdb098a6496f156eeb3dcee026fc6e53d732bac5bc8a4cfee1ce3bf2bdbbbfbbe9bba237d61c06f299d96bb9d123a57a44aaaa17cc122e15ea268
+DIST patchbundle-selinux-base-policy-2.20240916-r1.tar.bz2 274891 BLAKE2B 72b8181424450998164979ab582e8edee6d73b9110b4535e7880d1f7c989bd0ac391422872858da7bad3e3d77516996af93aa2f149f7d4a7f8fd329c481964cf SHA512 fd8259c91cc779301d6e0964827133529a9141dc235301da135210ea4359b800023848a25e33c45678477fa4f54e75da51be9ec85a3bed8b07cf5487e73b84f3
+DIST refpolicy-2.20240226.tar.bz2 610561 BLAKE2B 5dc54dcf7238776d4e4b282c1dcbc499f45c0d96676dbf931da39592854034874b5dd6197a2e2776fccec5106d5f245eea3fb9419959bd4d61e9b2c12aeaaa85 SHA512 896a57afb024bd131f25d2831a9a5ac90ee7e5d76b0565bc818c156f6c310d86758bcd4cedbd9df5b29954c9a92a42300d16685a7e07a5efd8f789320724b3f9
+DIST refpolicy-2.20240916.tar.bz2 618218 BLAKE2B d86ca75d254eef10f4aa57ef3977825211200cdf1eaa9bf9d416c9a52acee476b3f8719c3b0c8c17fdff2abc0c396989961e37e313a7b3bd3b4b0266a6280e75 SHA512 a8b6c90f8e186796b4c7db1e2d8ed3c3b8690bb5b8f180dcb6d5468ba80467e2969012c4edddf74429c0f5ce900d68fbbc0c2f8e253165af28f93f191039f064
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml
new file mode 100644
index 00000000000..781bc07e6d5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml
@@ -0,0 +1,8 @@
+
+
+
+
+ selinux@gentoo.org
+ SELinux Team
+
+
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild
new file mode 100644
index 00000000000..f8e3f816a1d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 x86"
+fi
+
+DEPEND="${DEPEND}
+ sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+ sec-policy/selinux-container
+"
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild
new file mode 100644
index 00000000000..f8e3f816a1d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 x86"
+fi
+
+DEPEND="${DEPEND}
+ sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+ sec-policy/selinux-container
+"
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild
new file mode 100644
index 00000000000..2c75223af5a
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+DEPEND="${DEPEND}
+ sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+ sec-policy/selinux-container
+"