with this patch, we allow `unlabeled_t` to associate to tmpfs
filesystem.
It aims to solve the AVC we have with `torcx` with the
`torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```
It has been not been caught earlier because it occurs
when the system boots with `SELinux` in `enforcing` mode.
This denial was preventing torcx to finish correctly its setup and so
Docker was not able to start.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Automatically update app-misc/ca-certificates , a derivative of
nss https://hg.mozilla.org/projects/nss . To make things easier,
we simply check for new releases on its Github mirror
https://github.com/nss-dev/nss . When the new latest tag is found,
simply bump the version of ca-certificates ebuild.
There usually exists a way to tell the configure script to use certain
path, so the script won't try to autodetect things. This is a case for
the systemd system unit directory, but apparently not for systemd util
directory. So for the system unit directory, we can forward the path
we received from systemd.eclass' `systemd_get_systemunitdir`, but for
the util directory, we need to hack the script with `sed`. The reason
for this is that autodetected directory will have the sysroot path
prepended twice. The systemd eclass has a workaround for this issue.
Without passing the --with-systemdconfdir flag, the configure script
will query pkg-config for the directory itself. In the
cross-compilation setup that we have, this will result in a path
sysroot prepended to the path twice. systemd.eclass has a workaround
for this issue, but it does not provide an elegant getter of the
system configuration directory, thus we call `_systemd_get_dir`
ourselves.
Normally we use pkg-config to query flags and libraries that are
needed to build things. These are specific to CHOST, and the build
system usually uses pkg-config on CHOST to get those flags and
libraries. But pkg-config is also used to query for the location of
the tools used during the build, and for those we need to use
pkg-config on CBUILD. But the build system is usually using the same
pkg-config for both flags and libs, and for build tools. Which works
fine for typical builds, but breaks for cross builds.
One of such build tools is glib-genmarshal. Fortunately the build
system allows us to override the detection results by passing
GLIB_GENMARSHAL="${some_path}" to the configure script. So do that.
This is to avoid querying pkg-config for this information and
overriding the SYSROOT variable. These hacks seem to be broken with
the change of the pkgconfig implementation.
We know what will the path for the directory of the system units -
it's based on rootprefix that we pass to configure script. So use this
knowledge directly instead of getting it in a roundabout way from
pkg-config file.
The recent keyword cleanup removed two keywords that are necessary to
bootstrap an arm64 sdk: open-vmdk and virtual/cdrtools. Restore them.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
app-editors/nano with `USE=unicode` results in build failures in SDK
stage1, because ncurses >= 6.2_p20210619 which does not have the USE
flag at all.
To fix that, exclude the unicode USE flag from packages.use.force list,
which is defined in portage-stable. We can do that by setting the flag
in package.use.mask.
Systemd during the initrd stage was complaining about the missing
group, which resulted in ignoring some of the udev rules. Let's
placate it by adding sgx to baselayout, so the group is available
during the initrd stage too.
Pulls in https://github.com/flatcar-linux/baselayout/pull/20.
The "create" action became "open", and "remove" became "close". Also
reorder the parameters accordingly (it's a bit different for "open" vs
"create"). Also put the options before specifying the action.
Pulls in https://github.com/flatcar-linux/bootengine/pull/31.
Clean up unnecessary ebuilds from arm64 accept_keywords like below:
app-arch/bzip2 1.0.6-r12 is already stable.
app-crypt/mit-krb5 1.19.2 is already stable.
app-emulation/open-vmdk 1.0 is not needed by arm64.
app-eselect/eselect-rust is already stable.
dev-lang/perl 5.34.0-r2 is already stable.
dev-libs/ding-libs 0.4.0 is not needed by arm64.
dev-libs/elfutils 0.177 is already stable.
dev-libs/libpcre2 10.34 is already stable.
dev-libs/libpcre 8.44 is already stable.
dev-libs/libintl-perl 1.280.0 is already stable.
dev-util/meson 0.57.2 is already stable.
dev-util/re2c 2.0.3 is already stable.
net-analyzer/tcpdump 4.9.3 is already stable.
net-dns/bind-tools 9.16.6 is already stable.
net-dns/dnsmasq 2.85 is already stable.
net-firewall/ebtables 2.0.11-r3 is already stable.
net-libs/libmicrohttpd: move to base.
net-libs/libnfnetlink 1.0.1 is already stable.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-nds/openldap 2.4.57 is already stable.
sys-apps/checkpolicy is already enabled in base.
sys-fs/btrfs-progs 4.10.2 is not needed by arm64.
sys-libs/binutils-libs 2.36.1-r2 is already stable.
virtual/perl-File-Path 2.130.0 is already stable.
virtual/cdrtools is not needed by arm64.
Add the following ebuilds to arm64 accept_keywords like below:
app-misc/jq 1.6-r3: move from base
cross-aarch64-cros-linux-gnu/gcc 9.3.0-r1: move from base
net-misc/curl 7.79.1: move from base
sec-policy/selinux-base 2.20200818-r2: move from base
sec-policy/selinux-base-policy 2.20200818-r2: move from base
sec-policy/selinux-unconfined 2.20200818-r2: move from base
sec-policy/selinux-virt 2.20200818-r2: move from base
sys-apps/checkpolicy 3.1: move from base
sys-apps/kexec-tools 2.0.17-r1 is needed by arm64
sys-firmware/edk2-ovmf 201905: move from base
sys-process/tini 0.18.0: move from base
Clean up unnecessary ebuilds from base accept_keywords like below.
Sort alphabetically.
app-crypt/efitools: move to sdk
app-misc/jq: move to arm64
cross-aarch64-cros-linux-gnu/gcc: move 9.3.0-r1 to arm64
dev-lang/spidermonkey is not needed any more.
dev-libs/protobuf 3.5.2 is already stable.
dev-libs/elfutils: specify explicit version 0.178
dev-python/boto: specify explicit keywords ~amd64, ~arm64.
dev-util/dwarves: specify explicit version 1.19
dev-util/perf 5.8 is already stable.
net-misc/curl: move 7.79.1 to arm64
net-nds/rpcbind: specify explicit keywords ~amd64, ~arm64.
net-libs/libnftnl 1.2.0-r1 is already stable.
net-libs/libmicrohttpd: move from arm64, specify explicit keywords.
sec-policy/selinux-base: move to arm64.
sec-policy/selinux-base-policy: move to arm64.
sec-policy/selinux-unconfined: move to arm64.
sec-policy/selinux-virt: move to arm64.
sys-apps/checkpolicy: move to arm64.
sys-apps/gptfdisk 1.0.7 is already stable.
sys-apps/iproute2 5.8.0 is already stable.
sys-apps/kexec-tools 2.0.17-r1 is already stable.
sys-auth/google-oslogin 20200910.00 is already stable.
sys-kernel/dracut 053-r1 is already stable.
sys-boot/gnu-efi 3.0.3 is already stable.
sys-firmware/edk2-ovmf: move to arm64
sys-fs/dosfstools: specify explicit keywords ~amd64, ~arm64.
sys-process/tini: move to arm64
sys-libs/libselinux: already configured in arm64
sys-libs/libsepol: already configured in arm64
Now that Github rejects access to an unauthenticated URL with `git://`,
we have to make git and libcurl work with `https://`. However, during
the SDK stage2, curl is not explicitly installed, but just inherited
from the stage1. As a result, curl is built without the `ssl` USE flag.
So installation of baselayout fails with:
```
git fetch https://github.com/flatcar-linux/baselayout.git --prune +HEAD:refs/git-r3/HEAD
fatal: unable to access 'https://github.com/flatcar-linux/baselayout.git/':
Protocol "https" not supported or disabled in libcurl
```
To resolve the issue, we need to install curl with `BOOTSTRAP_USE=ssl`
before trying to install baselayout.
Also we need to set `CURL_SSL=openssl` as required by curl.
Using a USE_EXPAND variable `curl_ssl_openssl` in `BOOTSTRAP_USE`, we
can specify the correct `CURL_SSL` variable in curl.
