SELinux policies were attempting to run the host checkmodule and semodule
commands. The former is easy to fix via pointing them at the build root, the
latter we skip entirely because we don't want to install the policy at this
point - we'll do that during image build.
We will be carrying some patches so the version of the source code will
no longer be simply the upstream mainline version. A -coreos or
-coreos-r1 and so forth will be appended. A new variable defining the
source revision (e.g. -r1) has been added so we can continue to bump the
coreos-kernel revision independently of coreos-sources for minor things
like config updates.
We need some additional selinux policy to get rkt working. Right now
this is a slightly rough cut - we'll tidy this up over time and ensure
that it's not overly permissive. In addition, ensure that policy is
installed in /usr rather than /etc and /var in order to allow upgrades
to work properly.
Pull in various selinux bits that need modification, and enable them.
setools: Needs patching to support cross building
policycoreutils: Needs patching to remove python runtime dependency
sec-policy/*: We need custom policy modifications
In addition, modify selinux-policy-2.eclass to support pulling in selinux
includes from the build root rather than /, enable selinux in systemd's
use flags and enable selinux support in the kernel.
The update of the elfutils package for arm64 bumped the amd64 stable to
elfutils-0.158 which unfortunatly, has a cross compile bug. Specify the
unstable ~amd64 (elfutils-0.161) to work around the problem.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Before we can enable ixgbevf devices by default we need to prevent the
interface names from changing names and surprising folks. On the down
side this may surprise anyone manually enabling ixgbevf on their
instances but I expect that to be the smaller population.
btmp and wtmp will now be properly rotated, yay!
Masking of logrotate configs has moved to just apply to boards, leaving
them in the SDK can be a useful reference.
The LDFLAGS setting for package building is generally not suitable for building
the kernel, and on some architectures will even lead to kernel build errors.
Fixes errors like these on kernel architectures that do not set the LDFLAGS
variable:
ld: unrecognized option '-Wl,-O1'
Signed-off-by: Geoff Levand <geoff@infradead.org>
