aimee-os

Commit Graph

Author	SHA1	Message	Date
Dustin	f2d6db5af1	Enable SELinux Enabling SELinux on the target system needs build-time and run-time configuration changes for ther kernel and userspace. Additionally, SELinux requires a policy that defines allowed operations. Gentoo provides a reasonable baseline for all of these changes, but some modifications are required. First and foremost, the Gentoo SELinux policy is missing several necessary rules for systemd-based systems. Notably, services that use alternate namespaces will fail to start because the base policy does not allow systemd components the necessary privileges, so these rules have to be added. Similarly, `systemd-journald` needs additional privileges in order to be able to capture all metadata for processes generating syslog messages. Finally, additional rules are necessary in order to allow systemd to create files and directories prior to launching servies. Besides patching the policy, we also do some hackery to avoid shipping the Python runtime in SELinux-enabled builds. Several SELinux-related packages, including libselinux and policycoreutils have dependencies on Python modules for some of their functionality. Unfortunately, the Python build system does NOT properly cross-compile native extension modules, so this functionality is not available on the target system. Fortunately, none of the features provided by these modules are actually needed at runtime, so we can safely ignore them and thus omit the entire Python runtime and all Python programs from the final image. It is important to note that it is impossible to build an SELinux-enabled image on a host that is itself SELinux-enabled. Operations such as changing file labels are checked against the SELinux policy in the running kernel, and may be denied if the target policy differs significantly from the running policy. The `setfiles` command fails, for example, when run on a Fedora host. As such, building an SELinux-enabled system should be done in a virtual machine using a kernel that does not have a loaded SELinux policy. The `ocivm` script can be used to create a suitable runtime from a container image.	2023-03-12 12:34:12 -05:00

Author

SHA1

Message

Date

Dustin

f2d6db5af1

Enable SELinux

Enabling SELinux on the target system needs build-time and run-time
configuration changes for ther kernel and userspace.  Additionally,
SELinux requires a policy that defines allowed operations.  Gentoo
provides a reasonable baseline for all of these changes, but some
modifications are required.

First and foremost, the Gentoo SELinux policy is missing several
necessary rules for systemd-based systems.  Notably, services that use
alternate namespaces will fail to start because the base policy does not
allow systemd components the necessary privileges, so these rules have
to be added.  Similarly, `systemd-journald` needs additional privileges
in order to be able to capture all metadata for processes generating
syslog messages.  Finally, additional rules are necessary in order to
allow systemd to create files and directories prior to launching
servies.

Besides patching the policy, we also do some hackery to avoid shipping
the Python runtime in SELinux-enabled builds.  Several SELinux-related
packages, including *libselinux* and *policycoreutils* have dependencies
on Python modules for some of their functionality.  Unfortunately, the
Python build system does NOT properly cross-compile native extension
modules, so this functionality is not available on the target system.
Fortunately, none of the features provided by these modules are actually
needed at runtime, so we can safely ignore them and thus omit the entire
Python runtime and all Python programs from the final image.

It is important to note that it is impossible to build an
SELinux-enabled image on a host that is itself SELinux-enabled.
Operations such as changing file labels are checked against the SELinux
policy in the running kernel, and may be denied if the target policy
differs significantly from the running policy.  The `setfiles` command
fails, for example, when run on a Fedora host.  As such, building an
SELinux-enabled system should be done in a virtual machine using a
kernel that does not have a loaded SELinux policy.  The `ocivm` script
can be used to create a suitable runtime from a container image.

2023-03-12 12:34:12 -05:00

1 Commits (1a1a64a16d2bc8f125dc57056699f52c43445da7)