
enable SELinux support #579

Merged
merged 10 commits into from
Dec 11, 2019

Conversation

bcressey
Contributor

@bcressey bcressey commented Dec 9, 2019

Issue #, if available:
N/A

Description of changes:
This adds the SELinux libraries and enables support in the packages we ship.

Testing done:

  • Confirmed systemd could load a binary policy at startup.
  • Confirmed ps, ls could show security context.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@tjkirch tjkirch requested a review from jamieand December 10, 2019 18:49
Contributor

@jamieand jamieand left a comment


LGTM

Contributor

@tjkirch tjkirch left a comment


Dumb questions:

  • glibc still has --without-selinux - is that related to building on hosts without SELinux? Or do we just not need it?
  • containerd, runc, docker, and cri-tools already had selinux in BUILDTAGS - did Go have some special method for accomplishing that, or will it behave differently now, or...?
  • You're confident that we can't / shouldn't add support in other packages? (Nothing jumps out at me, but I'm not a SELinux person. Maybe findutils?)

@bcressey
Contributor Author

  • glibc still has --without-selinux - is that related to building on hosts without SELinux? Or do we just not need it?

I need to dig into what glibc uses its SELinux support for. It's a bootstrapping challenge since we need glibc to build libselinux, which we'd then need to build glibc. I could handle this as part of building the SDK but it's not very elegant.

  • containerd, runc, docker, and cri-tools already had selinux in BUILDTAGS - did Go have some special method for accomplishing that, or will it behave differently now, or...?

These all use the native Go implementation in opencontainers/selinux. (This is in contrast to the seccomp build tag, which uses libseccomp.)

  • You're confident that we can't / shouldn't add support in other packages? (Nothing jumps out at me, but I'm not a SELinux person. Maybe findutils?)

findutils is covered. I unpacked all of the source archives and ran rg -i selinux, and enabled it everywhere it was an option.
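The audit described in the reply above (unpack every source archive, search for SELinux options, and enable each one the build exposes) can be automated so that a package which offers the option but whose build flags do not enable it, or explicitly disable it as glibc's --without-selinux does, is flagged rather than overlooked. The script below is an added example and is not code from this pull request or from the project; it assumes a constructed layout in which each package directory holds a configure script standing in for the unpacked source and a build.flags file standing in for the configure arguments in the package spec. The package names and option strings are sample data.

```shell
#!/bin/sh
# Added example: audit unpacked package sources for SELinux configure options
# and check whether each package's build flags actually enable them.
# The layout (configure + build.flags per package) and the package contents
# are constructed sample data, not the project's real tree.

# Build a constructed sample tree in a temporary directory and print its path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/coreutils" "$root/glibc" "$root/findutils" "$root/zlib"
  # coreutils: configure offers --with-selinux and the build enables it
  printf '%s\n' '--with-selinux          use SELinux support' > "$root/coreutils/configure"
  printf '%s\n' '--with-selinux' > "$root/coreutils/build.flags"
  # glibc: configure offers the option but the build explicitly turns it off
  printf '%s\n' '--with-selinux          use SELinux support' > "$root/glibc/configure"
  printf '%s\n' '--without-selinux' > "$root/glibc/build.flags"
  # findutils: configure offers the option and the build flags never mention it
  printf '%s\n' '--with-selinux          use SELinux support' > "$root/findutils/configure"
  printf '' > "$root/findutils/build.flags"
  # zlib: no SELinux option at all, so there is nothing to enable
  printf '%s\n' '--static                build static library only' > "$root/zlib/configure"
  printf '%s\n' '--static' > "$root/zlib/build.flags"
  echo "$root"
}

# Print "<package> <status>" for every package directory under $1:
#   enabled  - configure offers SELinux and the build flags enable it
#   disabled - configure offers SELinux but the build passes --without/--disable-selinux
#   missing  - configure offers SELinux and the build flags do not mention it
#   n/a      - the source exposes no SELinux option
audit_selinux_options() {
  for dir in "$1"/*/; do
    pkg=$(basename "$dir")
    if ! grep -qi 'selinux' "$dir/configure"; then
      echo "$pkg n/a"
    elif grep -qiE -- '--(without|disable)-selinux' "$dir/build.flags"; then
      echo "$pkg disabled"
    elif grep -qiE -- '--(with|enable)-selinux' "$dir/build.flags"; then
      echo "$pkg enabled"
    else
      echo "$pkg missing"
    fi
  done
}

# Status of a single package: selinux_status <tree> <package>
selinux_status() {
  audit_selinux_options "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# Stand-alone run over the constructed tree; on a real tree call
# audit_selinux_options /path/to/unpacked/sources instead.
tree=$(make_sample_tree)
audit_selinux_options "$tree"
rm -rf "$tree"
```

The "missing" and "disabled" rows are the ones worth a second look: "missing" is a package whose upstream supports SELinux but whose packaging silently leaves it off, and "disabled" is a deliberate choice such as glibc's that should be backed by a reason (here, the bootstrapping dependency on libselinux).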

@bcressey
Contributor Author

I need to dig into what glibc uses its SELinux support for. It's a bootstrapping challenge since we need glibc to build libselinux, which we'd then need to build glibc. I could handle this as part of building the SDK but it's not very elegant.

glibc can build nscd with SELinux support, but we don't ship nscd. It also builds a helper program, makedb, which can set the context for newly created files. We don't ship that either.

@bcressey bcressey merged commit 5efecd5 into develop Dec 11, 2019
@bcressey bcressey deleted the enable-selinux branch December 11, 2019 21:03