Setting pam_unix and pam_sss to sufficient means that if both fail,
control will be passed to the following pam module. If this is
pam_permit then permission will be granted even if the previous modules
failed. Switch to pam_deny and require it rather than permitting it to
be optional - if sss or unix succeed, we'll jump out before we get to
this point.
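
The fall-through described above, modeled as an added example (not code from the commit or from Linux-PAM): a simplified evaluator for PAM's keyword control flags, run over a "before" and an "after" stack. The stack contents are constructed from the description, and the names `evaluate` and `table` are assumptions made for the illustration.

```python
# Simplified model of Linux-PAM keyword control flags (added example).
# Module results are booleans: True stands for PAM_SUCCESS, False for any error.
ALWAYS = {"pam_permit": True, "pam_deny": False}  # modules with a fixed result

def evaluate(stack, results):
    """Return True if the (control, module) stack grants access."""
    granted = False   # some module has contributed a success
    failed = False    # a required module has failed
    for control, module in stack:
        ok = ALWAYS.get(module, results.get(module, False))
        if control == "sufficient":
            if ok and not failed:
                return True              # success ends the stack early
            # a failure is ignored: control passes to the next module
        elif control == "optional":
            granted = granted or ok      # a failure is ignored
        elif control == "required":
            if ok:
                granted = True
            else:
                failed = True            # keep going, but the stack will fail
        elif control == "requisite":
            if not ok:
                return False             # failure ends the stack at once
            granted = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    # A stack in which every result was ignored does not grant access.
    return granted and not failed

# Constructed stacks following the description above (module arguments omitted).
BEFORE = [("sufficient", "pam_unix"), ("sufficient", "pam_sss"),
          ("optional", "pam_permit")]
AFTER = [("sufficient", "pam_unix"), ("sufficient", "pam_sss"),
         ("required", "pam_deny")]

def table(stack):
    """Outcome for every combination of pam_unix / pam_sss results."""
    return {(u, s): evaluate(stack, {"pam_unix": u, "pam_sss": s})
            for u in (True, False) for s in (True, False)}

if __name__ == "__main__":
    for name, stack in (("before", BEFORE), ("after", AFTER)):
        for (u, s), ok in table(stack).items():
            print(f"{name}: unix={u!s:5} sss={s!s:5} -> {'GRANT' if ok else 'DENY'}")
```

Only the row where both pam_unix and pam_sss fail differs between the two stacks: the "before" stack grants access there and the "after" stack denies it.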

Since rkt 1.3.0, rkt has begun checking stage1 hashes, and will do so if
the stage1 is not in the default stage1 directory. For compatibility,
df131e85d5240a75fb9cd4e1fb85e86e6f5290c1 symlinked the old stage1
directory to the new one; however, if a stage1 is referred to by the old
stage1 path under rkt >1.3.0, image verification will fail because no
signature exists.

Instead of using a path, use stage1-fly.aci by name and let rkt handle
finding it in the default directory.

CoreOS 1029.0.0 introduced PAM which was linked into systemd. rkt copies
files and libraries out of CoreOS images with a static manifest to
construct the CoreOS stage1. Since this manifest lacks PAM libraries in
rkt 1.5.1, we can't use CoreOS 1032.0.0, so fall back to a CoreOS
version without PAM linked into systemd.

This will drop the need to reconfigure/rebuild GRUB with the special
`arm64` target in `setup_board`. The amd64 targets could receive the
same treatment eventually but the xen dependency needs fixing first.
After that the SDK's grub can be built with the special `none` target so
it only builds user-space tools.

There are a number of ways the absolute path to a source file can make
it into the compiler output, some of which can prevent cached results
from being used when compiling related code in different locations.
The default source directory $S contains the package version so paths
need to be relative to it in order to work between package versions.

Previously attempted in 8259b77fc8eba8cfda54da565882283953bfd61a, should
be safe now that QEMU has been upgraded to 1.5. I've been using this
setting on my Gentoo machines and haven't found any other issues.
Also reverts commit 661ceb0fa114c499fa99b653bccb6d011c0d0b49.

polkit is failing when selinux is enforcing as it is attempting to mmap
pages as both writable and executable and selinux is forbidding this.
Since we want selinux for container isolation rather than general system
confinement, the easiest fix for now is to just add the selinux boolean
to permit execmem.

The selinux eclass is modified to hardcode the Gentoo patchset that we're
basing our policy on; otherwise bumping the revision for our local
builds tries to pull down versions that don't exist.