mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 21:11:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1245 from kinvolk/kai/enable-selinux-on-all-targets-v2

Browse Source 
profiles: Enable selinux for all targets
This commit is contained in:
Kai Lüke 2021-09-02 21:14:39 +02:00 committed by GitHub
commit adb5726979
9 changed files with 30 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild vendored
View File

@ -65,13 +65,11 @@ IUSE="selinux"
RDEPEND=">=sys-apps/baselayout-3.0.0" RDEPEND=">=sys-apps/baselayout-3.0.0"
# Optionally enable SELinux and pull in policy for containers # Optionally enable SELinux for dbus and systemd (but always install packages and pull in the SELinux policy for containers)
RDEPEND="${RDEPEND} RDEPEND="${RDEPEND}
sys-apps/dbus[selinux?] sys-apps/dbus[selinux?]
sys-apps/systemd[selinux?] sys-apps/systemd[selinux?]
selinux? ( "
sec-policy/selinux-virt
)"
# Only applicable or available on amd64 # Only applicable or available on amd64
RDEPEND="${RDEPEND} RDEPEND="${RDEPEND}
@ -141,9 +139,14 @@ RDEPEND="${RDEPEND}
net-misc/wget net-misc/wget
net-misc/whois net-misc/whois
net-vpn/wireguard-tools net-vpn/wireguard-tools
sec-policy/selinux-virt
sec-policy/selinux-base
sec-policy/selinux-base-policy
sec-policy/selinux-unconfined
sys-apps/acl sys-apps/acl
sys-apps/attr sys-apps/attr
sys-apps/coreutils sys-apps/coreutils
sys-apps/checkpolicy
sys-apps/dbus sys-apps/dbus
sys-apps/diffutils sys-apps/diffutils
sys-apps/ethtool sys-apps/ethtool
@ -163,6 +166,7 @@ RDEPEND="${RDEPEND}
sys-apps/rng-tools sys-apps/rng-tools
sys-apps/sed sys-apps/sed
sys-apps/seismograph sys-apps/seismograph
sys-apps/semodule-utils
sys-apps/shadow sys-apps/shadow
sys-apps/usbutils sys-apps/usbutils
sys-apps/util-linux sys-apps/util-linux

14
sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use vendored
View File

@ -1,17 +1,3 @@
# Enable SELinux for amd64 targets
coreos-base/coreos selinux
sys-apps/dbus selinux
sys-apps/systemd selinux
# Enable SELinux for coreutils
sys-apps/coreutils selinux
# Enable SELinux for tar
app-arch/tar selinux
# Enable SELinux for docker-runc
app-emulation/docker-runc selinux
# Only ship microcode currently distributed by Intel # Only ship microcode currently distributed by Intel
# See https://bugs.gentoo.org/654638#c11 by iucode-tool maintainer # See https://bugs.gentoo.org/654638#c11 by iucode-tool maintainer
sys-firmware/intel-microcode vanilla sys-firmware/intel-microcode vanilla

2
sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask vendored
View File

@ -1,2 +0,0 @@
# Unmask selinux so it can be enabled selectively in package.use
-selinux

5
sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use vendored
View File

@ -1,5 +0,0 @@
# Enable SELinux for amd64 targets
app-arch/tar selinux
sys-apps/coreutils selinux
coreos-base/coreos selinux

2
sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/use.mask vendored
View File

@ -1,2 +0,0 @@
# Unmask selinux so it can be enabled selectively in package.use
-selinux

2
sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use vendored
View File

@ -6,6 +6,4 @@ net-dns/bind-tools -gssapi
# FIXME: why isn't this set by default??? # FIXME: why isn't this set by default???
sys-libs/ncurses unicode sys-libs/ncurses unicode
sys-apps/systemd -selinux
sys-auth/polkit -introspection sys-auth/polkit -introspection

5
sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords vendored
View File

@ -70,6 +70,11 @@ dev-util/checkbashisms
=sys-libs/libsepol-2.4 ** =sys-libs/libsepol-2.4 **
=sys-libs/libselinux-2.4 ** =sys-libs/libselinux-2.4 **
=sys-apps/checkpolicy-3.1 **
=sec-policy/selinux-base-2.20200818-r2 **
=sec-policy/selinux-base-policy-2.20200818-r2 **
=sec-policy/selinux-unconfined-2.20200818-r2 **
=sec-policy/selinux-virt-2.20200818-r2 **
=net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64 =net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64

14
sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use vendored
View File

@ -100,6 +100,20 @@ sys-apps/man-db -nls
# Disable zstd to avoid adding it to prod images until something needs it # Disable zstd to avoid adding it to prod images until something needs it
sys-fs/btrfs-progs -zstd sys-fs/btrfs-progs -zstd
# Enable SELinux for all targets
coreos-base/coreos selinux
sys-apps/dbus selinux
sys-apps/systemd selinux
# Enable SELinux for coreutils
sys-apps/coreutils selinux
# Enable SELinux for tar
app-arch/tar selinux
# Enable SELinux for docker-runc
app-emulation/docker-runc selinux
# enable regular expression processing in jq # enable regular expression processing in jq
app-misc/jq oniguruma app-misc/jq oniguruma

3
sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask vendored
View File

@ -4,3 +4,6 @@ kdbus
# We default to python 3.6 for now # We default to python 3.6 for now
python_targets_python3_7 python_targets_python3_7
python_single_target_python3_7 python_single_target_python3_7
# Unmask selinux so it can be enabled selectively in package.use
-selinux