libpriv: Rebuild policy during postprocessing #1754
jlebon wants to merge 4 commits into coreos:master from
It's possible for some postprocessing scripts to affect the final SELinux policy. This is the case for the new `/etc/default/useradd` edit we now do (coreos#1726), but it could've been the case beforehand too with user scripts modifying e.g. booleans (though ideally all these modifications would be part of RPMs).

Do a final `semodule -nB` during postprocessing so that the final policy we commit is "up to date". Otherwise, users may only see changes take effect if they layer packages that trigger a rebuild.

The motivation for this is specifically for `/etc/default/useradd`. There is magic in `selinux-policy` that parses the file and generates templated rules from the value of `HOME`. For more info, see:

https://bugzilla.redhat.com/show_bug.cgi?id=1669982
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14
rfairley left a comment:
LGTM - works on my end doing a compose.
Note: holding on merging this, awaiting confirmation in https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14
So... sorry about delaying on this. Again my primary concern here is making sure we're not breaking anything in the version combination matrix. For example we believe this shouldn't cause any harm for e.g. RHEL7 systems with older selinux policy?
For RHCOS & CAHC, we're shipping the latest rpm-ostree there, so it should also be affected by the
Manually patch `file_contexts.subs_dist` so that `/home` is equivalent to `/var/home`. This is required now that the generated homedirs rules use `/var/home`. Otherwise, `matchpathcon` for example will return wrong results. This patch also includes the *removal* of `/var/home -> /home` so that we're not dependent on this selinux-policy patch making it at the same time as downstream: https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14 (See the conversation there for more information.)
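The `file_contexts.subs_dist` edit this commit describes, as an added example that is not rpm-ostree's own code: a POSIX shell function that drops the `/var/home /home` mapping, adds `/home /var/home`, and counts the resulting entries on a constructed copy of the file. The path of the real file (`/etc/selinux/targeted/contexts/files/file_contexts.subs_dist`) and the sample lines are assumptions; on a live system the change only matters once the policy is rebuilt (`semodule -nB`) and relabeling tools such as `matchpathcon` are re-run.

```shell
#!/bin/sh
# Added example, not rpm-ostree's own code: rewrite file_contexts.subs_dist
# so /home is an alias of /var/home and drop the old reverse mapping.
# Format: one "<alias> <target>" per line; files under <alias> are labeled
# as if they lived under <target>.
set -eu

# patch_subs_dist FILE: remove any "/var/home /home" line and ensure
# exactly one "/home /var/home" line. Idempotent, so it is safe to run
# on every compose.
patch_subs_dist() {
    file=$1
    tmp=$(mktemp)
    awk '!($1 == "/var/home" && $2 == "/home") && !($1 == "/home" && $2 == "/var/home")' "$file" > "$tmp"
    printf '/home /var/home\n' >> "$tmp"
    mv "$tmp" "$file"
}

# subs_count FILE ALIAS TARGET: how many lines map ALIAS to TARGET.
subs_count() {
    awk -v a="$2" -v t="$3" '$1 == a && $2 == t { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed sample (assumed real path:
# /etc/selinux/targeted/contexts/files/file_contexts.subs_dist). The
# edit only takes effect after the policy is rebuilt with semodule -nB.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' '/run/lock /var/lock' \
        '/run /var/run' '/var/home /home' '/usr/local/lib64 /usr/lib' > "$f"
    patch_subs_dist "$f"
    cat "$f"
    rm -f "$f"
}

demo
```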
ae048c4 to 3a06cdc
OK, so testing this on the latest RHCOS. Because the compose wasn't done with v2019.1, it didn't have #1726 yet. So I started off with manually modifying this: I then triggered a policy regen by layering a pkg that does Removing the One thing I don't quite understand yet is that the
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14 was merged! Let's get this one in and do a release?
Manually patch `file_contexts.subs_dist` so that `/home` is equivalent to `/var/home`. This is required now that the generated homedirs rules use `/var/home`. Otherwise, `matchpathcon` for example will return wrong results. This patch also includes the *removal* of `/var/home -> /home` so that we're not dependent on this selinux-policy patch making it at the same time as downstream: https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14 (See the conversation there for more information.)

Closes: #1754
Approved by: cgwalters
Let's get the SELinux fix out (coreos#1754).
It's possible for some postprocessing scripts to affect the final
SELinux policy. This is the case for the new
`/etc/default/useradd` edit we now do (#1726), but it could've been the case beforehand too with
user scripts modifying e.g. booleans (though ideally all these
modifications would be part of RPMs).

Do a final `semodule -nB` during postprocessing so that the final policy
we commit is "up to date". Otherwise, users may only see changes take
effect if they layer packages that trigger a rebuild.

The motivation for this is specifically for `/etc/default/useradd`.
There is magic in `selinux-policy` that parses the file and generates
templated rules from the value of `HOME`. For more info, see:

https://bugzilla.redhat.com/show_bug.cgi?id=1669982
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14