sec-policy: Permit execmem in selinux policy
polkit is failing when selinux is enforcing because it attempts to mmap pages as both writable and executable, which selinux forbids. Since we want selinux for container isolation rather than general system confinement, the easiest fix for now is to just add the selinux boolean that permits execmem. The selinux eclass is modified to hardcode the gentoo patchset that we're basing our policy on - otherwise bumping the revision for our local builds tries to pull down versions that don't exist.
This commit is contained in:
parent
571317c3d3
commit
ce550930d0
@ -90,7 +90,7 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
|
|||||||
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
|
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
|
||||||
then
|
then
|
||||||
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
|
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
|
||||||
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
|
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2"
|
||||||
elif [[ "${BASEPOL}" != "9999" ]];
|
elif [[ "${BASEPOL}" != "9999" ]];
|
||||||
then
|
then
|
||||||
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
|
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
|
||||||
|
@ -15,7 +15,7 @@ if [[ ${PV} == 9999* ]]; then
|
|||||||
KEYWORDS=""
|
KEYWORDS=""
|
||||||
else
|
else
|
||||||
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
|
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
|
||||||
http://dev.gentoo.org/~swift/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
|
http://dev.gentoo.org/~swift/patches/${PN}/patchbundle-${PN}-2.20141203-r9.tar.bz2"
|
||||||
KEYWORDS="amd64 x86"
|
KEYWORDS="amd64 x86"
|
||||||
fi
|
fi
|
||||||
|
|
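--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
@@ -0,0 +1 @@
+allow_execmem = true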
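Review bot: `allow_execmem = true` is a policy-wide boolean, so it relaxes the W^X restriction for every confined domain on the system, not only for polkit, which the commit message names as the sole motivation. That is a defensible trade-off given the stated goal of container isolation rather than host confinement, but the file does not record it; a header comment such as `# Global toggle: lets any domain map memory writable+executable. Added for polkit; see commit message. Revisit if host confinement is ever wanted.` would stop the next maintainer from treating this as a default. If the policy later grows a narrower knob for the polkit domain, that would be the preferable place for this exception.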
@ -15,7 +15,7 @@ if [[ ${PV} == 9999* ]]; then
|
|||||||
KEYWORDS=""
|
KEYWORDS=""
|
||||||
else
|
else
|
||||||
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
|
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
|
||||||
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
|
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2"
|
||||||
|
|
||||||
KEYWORDS="amd64 x86"
|
KEYWORDS="amd64 x86"
|
||||||
fi
|
fi
|
||||||
@ -148,6 +148,7 @@ src_install() {
|
|||||||
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type"
|
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type"
|
||||||
|
|
||||||
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
|
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
|
||||||
|
cp "${FILESDIR}/booleans" "${D}/etc/selinux/${i}/booleans"
|
||||||
|
|
||||||
# libsemanage won't make this on its own
|
# libsemanage won't make this on its own
|
||||||
keepdir "/etc/selinux/${i}/policy"
|
keepdir "/etc/selinux/${i}/policy"
|