From e5c1d942ecf8e736dc45a882bd30eca0b15defa3 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 1 Jul 2015 22:41:43 -0700
Subject: [PATCH] selinux: make selinux optional based on USE flags, disable for now.

Some issues still to work out with tmpfiles and logind.
---
 .../coreos-base/coreos/coreos-0.0.1.ebuild          | 11 ++++++++---
 .../coreos-overlay/eclass/coreos-kernel.eclass      |  8 ++++++++
 .../coreos-overlay/profiles/coreos/base/package.use |  2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index ccfca2aa12..1008c9e4c6 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -9,7 +9,7 @@ HOMEPAGE="http://coreos.com"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="amd64 arm arm64 x86"
-IUSE="etcd_protocols_1 etcd_protocols_2"
+IUSE="etcd_protocols_1 etcd_protocols_2 selinux"
 
 ################################################################################
 
@@ -87,6 +87,13 @@ RDEPEND="${RDEPEND}
 	etcd_protocols_2? ( dev-db/etcd:2 )
 	"
 
+# Optionally enable SELinux and pull in policy for containers
+RDEPEND="${RDEPEND}
+	sys-apps/systemd[selinux?]
+	selinux? (
+		sec-policy/selinux-virt
+	)"
+
 RDEPEND="${RDEPEND}
 	app-emulation/actool
 	app-emulation/rkt
@@ -119,7 +126,6 @@ RDEPEND="${RDEPEND}
 	net-misc/ntp
 	net-misc/rsync
 	net-misc/wget
-	sec-policy/selinux-virt
 	sys-apps/coreutils
 	sys-apps/dbus
 	sys-apps/ethtool
@@ -136,7 +142,6 @@ RDEPEND="${RDEPEND}
 	sys-apps/sed
 	sys-apps/seismograph
 	sys-apps/shadow
-	sys-apps/systemd
 	sys-apps/usbutils
 	sys-apps/util-linux
 	sys-fs/btrfs-progs
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
index a8c47ce2e3..d6d53626c9 100644
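Review bot: The new RDEPEND block's `sys-apps/systemd[selinux?]` is a one-way USE dependency: it forces systemd's selinux flag on only when coreos has `selinux` enabled, and places no constraint at all when the flag is off, which is the default this commit intends. A systemd built with SELinux support can therefore still be pulled into an image whose coreos package, kernel boot default and policy package all say "off", and the two sides can drift apart without a build failure. If the flags are meant to move together, the two-way form `sys-apps/systemd[selinux=]` makes the dependency resolver enforce that. The comment above the block could also note that `sec-policy/selinux-virt` is only useful with a systemd that can load policy, which is why the two dependencies are declared together.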
--- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
@@ -18,6 +18,7 @@ HOMEPAGE="http://www.kernel.org"
 LICENSE="GPL-2 freedist"
 SLOT="0/${PVR}"
 SRC_URI=""
+IUSE="selinux"
 
 DEPEND="=sys-kernel/coreos-sources-${COREOS_SOURCE_VERSION}
 	sys-kernel/bootengine:="
@@ -134,6 +135,13 @@ coreos-kernel_src_prepare() {
 }
 
 coreos-kernel_src_configure() {
+	if ! use selinux; then
+		sed -i -e '/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE/d' \
+			"${KBUILD_OUTPUT}/.config" || die
+		echo CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 >> \
+			"${KBUILD_OUTPUT}/.config" || die
+	fi
+
 	# Use default for any options not explitly set in defconfig
 	yes "" | kmake oldconfig
 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 04f9865717..e52ecd1608 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -37,7 +37,7 @@ net-analyzer/nmap ncat -lua
 app-admin/sudo -sendmail
 
 # avoid pulling in gnutls, disable gentoo-only bits, enable journal upload
-sys-apps/systemd -ssl curl vanilla -lz4 lzma gcrypt selinux
+sys-apps/systemd -ssl curl vanilla -lz4 lzma gcrypt
 
 # disable kernel config detection and module building
 net-firewall/ipset -modules
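Review bot: The `if ! use selinux` block at the top of coreos-kernel_src_configure only rewrites CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE, a symbol the kernel's Kconfig makes dependent on CONFIG_SECURITY_SELINUX_BOOTPARAM; if the defconfig does not enable that parent symbol, the appended line is most likely discarded by the `yes "" | kmake oldconfig` that follows and SELinux stays enabled at boot with no build error. Even when it takes effect, a boot-parameter default of 0 leaves the LSM compiled in and re-enableable from the kernel command line, so this is "default off", not "removed", and the block deserves a comment saying so, e.g. `# Build SELinux in but default it off at boot; needs CONFIG_SECURITY_SELINUX_BOOTPARAM=y in the defconfig`. A post-oldconfig assertion such as `grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0$' "${KBUILD_OUTPUT}/.config" || die` would catch defconfig drift that silently re-enables it. The sed pattern is also unanchored, so it would delete any future symbol containing that substring; `'/^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=/d'` is the safer match. The function body continues past the end of the hunk.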