mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-17 18:06:59 +02:00
Merge pull request #1245 from kinvolk/kai/enable-selinux-on-all-targets-v2
profiles: Enable selinux for all targets
This commit is contained in:
Kai Lüke
GitHub
commit
adb5726979
@ -65,13 +65,11 @@ IUSE="selinux"
|
||||
|
||||
RDEPEND=">=sys-apps/baselayout-3.0.0"
|
||||
|
||||
# Optionally enable SELinux and pull in policy for containers
|
||||
# Optionally enable SELinux for dbus and systemd (but always install packages and pull in the SELinux policy for containers)
|
||||
RDEPEND="${RDEPEND}
|
||||
sys-apps/dbus[selinux?]
|
||||
sys-apps/systemd[selinux?]
|
||||
selinux? (
|
||||
sec-policy/selinux-virt
|
||||
)"
|
||||
"
|
||||
|
||||
# Only applicable or available on amd64
|
||||
RDEPEND="${RDEPEND}
|
||||
@ -141,9 +139,14 @@ RDEPEND="${RDEPEND}
|
||||
net-misc/wget
|
||||
net-misc/whois
|
||||
net-vpn/wireguard-tools
|
||||
sec-policy/selinux-virt
|
||||
sec-policy/selinux-base
|
||||
sec-policy/selinux-base-policy
|
||||
sec-policy/selinux-unconfined
|
||||
sys-apps/acl
|
||||
sys-apps/attr
|
||||
sys-apps/coreutils
|
||||
sys-apps/checkpolicy
|
||||
sys-apps/dbus
|
||||
sys-apps/diffutils
|
||||
sys-apps/ethtool
|
||||
@ -163,6 +166,7 @@ RDEPEND="${RDEPEND}
|
||||
sys-apps/rng-tools
|
||||
sys-apps/sed
|
||||
sys-apps/seismograph
|
||||
sys-apps/semodule-utils
|
||||
sys-apps/shadow
|
||||
sys-apps/usbutils
|
||||
sys-apps/util-linux
|
||||
|
||||
@ -1,17 +1,3 @@
|
||||
# Enable SELinux for amd64 targets
|
||||
coreos-base/coreos selinux
|
||||
sys-apps/dbus selinux
|
||||
sys-apps/systemd selinux
|
||||
|
||||
# Enable SELinux for coreutils
|
||||
sys-apps/coreutils selinux
|
||||
|
||||
# Enable SELinux for tar
|
||||
app-arch/tar selinux
|
||||
|
||||
# Enable SELinux for docker-runc
|
||||
app-emulation/docker-runc selinux
|
||||
|
||||
# Only ship microcode currently distributed by Intel
|
||||
# See https://bugs.gentoo.org/654638#c11 by iucode-tool maintainer
|
||||
sys-firmware/intel-microcode vanilla
|
||||
|
||||
@ -1,2 +0,0 @@
|
||||
# Unmask selinux so it can be enabled selectively in package.use
|
||||
-selinux
|
||||
@ -1,5 +0,0 @@
|
||||
# Enable SELinux for amd64 targets
|
||||
app-arch/tar selinux
|
||||
sys-apps/coreutils selinux
|
||||
coreos-base/coreos selinux
|
||||
|
||||
@ -1,2 +0,0 @@
|
||||
# Unmask selinux so it can be enabled selectively in package.use
|
||||
-selinux
|
||||
@ -6,6 +6,4 @@ net-dns/bind-tools -gssapi
|
||||
# FIXME: why isn't this set by default???
|
||||
sys-libs/ncurses unicode
|
||||
|
||||
sys-apps/systemd -selinux
|
||||
|
||||
sys-auth/polkit -introspection
|
||||
|
||||
@ -70,6 +70,11 @@ dev-util/checkbashisms
|
||||
|
||||
=sys-libs/libsepol-2.4 **
|
||||
=sys-libs/libselinux-2.4 **
|
||||
=sys-apps/checkpolicy-3.1 **
|
||||
=sec-policy/selinux-base-2.20200818-r2 **
|
||||
=sec-policy/selinux-base-policy-2.20200818-r2 **
|
||||
=sec-policy/selinux-unconfined-2.20200818-r2 **
|
||||
=sec-policy/selinux-virt-2.20200818-r2 **
|
||||
|
||||
=net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64
|
||||
|
||||
|
||||
@ -100,6 +100,20 @@ sys-apps/man-db -nls
|
||||
# Disable zstd to avoid adding it to prod images until something needs it
|
||||
sys-fs/btrfs-progs -zstd
|
||||
|
||||
# Enable SELinux for all targets
|
||||
coreos-base/coreos selinux
|
||||
sys-apps/dbus selinux
|
||||
sys-apps/systemd selinux
|
||||
|
||||
# Enable SELinux for coreutils
|
||||
sys-apps/coreutils selinux
|
||||
|
||||
# Enable SELinux for tar
|
||||
app-arch/tar selinux
|
||||
|
||||
# Enable SELinux for docker-runc
|
||||
app-emulation/docker-runc selinux
|
||||
|
||||
# enable regular expression processing in jq
|
||||
app-misc/jq oniguruma
|
||||
|
||||
|
||||
@ -4,3 +4,6 @@ kdbus
|
||||
# We default to python 3.6 for now
|
||||
python_targets_python3_7
|
||||
python_single_target_python3_7
|
||||
|
||||
# Unmask selinux so it can be enabled selectively in package.use
|
||||
-selinux
|
||||
|
||||
Loading…
Reference in New Issue
Block a user