34439 Commits

Author SHA1 Message Date
Krzesimir Nowak
f9cd9fb2fd overlay profiles: Move python packages as provided to the prod profile
We want to install some SELinux tools written in python to the selinux
sysext. Sysexts use the generic profile, so the entries for those
packages need to be moved into generic/prod profile.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 15:18:02 +01:00
Krzesimir Nowak
7919e731a9 overlay profiles: Build only the mcs SELinux policy
Building multiple policies is pointless - changing the policy at
runtime would require relabeling the filesystem, which will not work,
because /usr is read-only.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 15:17:57 +01:00
Krzesimir Nowak
b01df7d0b9 build_library/extra_sysexts.sh: Add selinux sysext
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 15:13:19 +01:00
Krzesimir Nowak
88d0958617 build_library/extra_sysexts.sh: Sort entries
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 15:13:19 +01:00
Krzesimir Nowak
4f3649cdce DEBUG
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 15:13:17 +01:00
Krzesimir Nowak
d165e38cd7 build_library: Pass --selinux flag to build_sysext
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 15:10:35 +01:00
Krzesimir Nowak
66ef40b446 build_sysext: Add --selinux flag and use it to build policies
For built-in sysext, we may not yet have any policies built, so the
relabeling won't work. To fix the situation, we need to temporarily
build them ourselves.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:49:26 +01:00
Krzesimir Nowak
d3cd997d9e build_sysext: Fix a crash when there were no forbidden packages
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:49:26 +01:00
Krzesimir Nowak
24d1eedf90 build_library: Move and fix pkg_use_enabled into
There were two problems with pkg_use_enabled:

1. It did not detect force-enabled or masked USE flags correctly -
   selinux USE flag is force-enabled and is shown in the output inside
   parentheses.

2. It was defined in board_options.sh which injects some command line
   flags and globals that are not related to the function.

Since pkg_use_enabled was only used so far for checking the selinux
USE flags, add a function is_selinux_enabled and use the newly added
function in the currently only user of pkg_use_enabled.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:49:26 +01:00
Krzesimir Nowak
4cf0943f92 overlay coreos/user-patches: Update patch for selinux policies
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:49:24 +01:00
Krzesimir Nowak
41ab707fd6 build_sysext: Factor out install root to a variable
Made it easier to change its path.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:40:57 +01:00
Krzesimir Nowak
a5d6a35ae1 build_sysexts: Relabel sysexts too
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:38:19 +01:00
Krzesimir Nowak
55f4386ba8 overlay coreos/config: Add pam_selinux to systemd PAM configs
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:34:52 +01:00
Krzesimir Nowak
f8d18f7052 overlay profiles: Drop sec-policy/selinux-ntp from package.provided
We have pulled enough policies for the build problem to go away.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:34:46 +01:00
Krzesimir Nowak
4a4bfc03f1 overlay coreos/user-patches: Drop systemd patches related to SELinux issues
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 14:32:48 +01:00
Krzesimir Nowak
1e32a0bae9 overlay coreos/user-patches: Add a patch for crossdev
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:36:17 +01:00
Krzesimir Nowak
0f825c7de7 HACK: sys-libs/glibc: Enable selinux even when cross-compiling
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:36:17 +01:00
Krzesimir Nowak
bde16be60f overlay coreos-base/coreos: Add more selinux policy packages
Some of those policies are pulled in by sysext packages. We want the
policies to be in the base image, so we can build them and be
applicable for sysext contents.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:36:17 +01:00
Krzesimir Nowak
1fcb677f98 build_library: Forbid SELinux policy packages in sysexts
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:36:14 +01:00
Krzesimir Nowak
0d4b0ff987 build_sysext: Allow specifying forbidden packages in sysexts
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:22:24 +01:00
Krzesimir Nowak
4de4fc23b1 build_library: Relabel the whole filesystem
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:22:24 +01:00
Krzesimir Nowak
3c39115be8 build_library: Fix pkg_use_enabled
"equery uses" ignores forced or masked USE flags by default. In our
case, the selinux USE flag is forced, so stop ignoring it with
--forced-masked flag. Update the regexp to catch the forced USE flags
too and modernize the function a bit.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:22:24 +01:00
Krzesimir Nowak
c378fe8337 build_library: Building selinux policy
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:22:24 +01:00
Krzesimir Nowak
7a8acfab9a overlay profiles: Move python from package.mask to package.provided for prod
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:22:24 +01:00
Krzesimir Nowak
4e03c44cde build_toolchains: Break dep loop and handle more dependencies
Switching to a selinux profile caused more USE flags to be enabled
(selinux, audit, caps), thus more dependencies to be pulled. More
dependencies caused two things:

- cyclic dependencies appeared
- sys-apps/baselayout is being pulled in

Cyclic dependencies need to be handled in a similar way to how it was
done in build_packages, thus factor out the code doing it into a
separate and reusable part.

The dependency on baselayout needs to be handled by installing the
package as a first thing in $ROOT, followed by a more careful way of
copying things from $SYSROOT to $ROOT (due to split-usr differences),
followed by installing the rest of the packages.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:22:20 +01:00
Krzesimir Nowak
2a225b47d9 build_toolchain: Do not leak variables
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
9431aadcce overlay profiles: Force static-libs on sys-libs/libsepol to fix bootstrap
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
5ea006d88e overlay coreos/config: Add further Flatcar modifications for sys-apps/policycoreutils
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
89ebdff85f overlay profiles: Allow python for sys-process/audit
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
f54b043a22 overlay coreos/config: Add further modifications to sys-process/audit
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
6f223d1d92 .github: Add dev-python/networkx to automation
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
9a6556238d dev-python/networkx: Add from Gentoo
It's from Gentoo commit e5712a8fc3d0d429407ee9db8450b5c573041019.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
4b98c2521a .github: Add sys-apps/selinux-python to automation
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
2c38484a1a sys-apps/selinux-python: Add from Gentoo
It's from Gentoo commit 1a36dbcbfd45b1906c67e57a2640dca52f3370cb.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
6f91a94f19 overlay profiles: Do not pull app-admin/setools into prod images
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
a823ae81f3 .github: Add app-admin/setools to automation
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
da984da31c app-admin/setools: Add from Gentoo
It's from Gentoo commit dd8f1e13525265315752f252be7515f18e80334a.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
5b9d0acbdc overlay coreos/user-patches: Drop a patch for sys-libs/libsemanage
We apply the fix in a different way.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:30 +01:00
Krzesimir Nowak
e369aa7765 overlay coreos/config: Add python stuff to install mask for prod images
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
08783393d8 .github: Add sys-apps/policycoreutils to automation
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
d27e2952e0 sys-apps/policycoreutils: Sync with Gentoo
It's from Gentoo commit ef1013be87a2c4ede3d16c2557881505b93c3996.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
2daab32233 overlay sys-apps/policycoreutils: Move to portage-stable
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
7b9fd99f6c .github: Add sys-libs/libsemanage to automation
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
bb70882fda sys-libs/libsemanage: Sync with Gentoo
It's from Gentoo commit 2a36cce420348509e5c8a75d75647c200f39b2bc.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
f058e32bb2 overlay sys-libs/libsemanage: Move to portage-stable
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
8128c9a072 overlay coreos/config: Add Flatcar modifications for sys-libs/libsemanage
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
0fe3480314 overlay profiles: Allow python for sys-libs/libselinux
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
a6598d470e overlay profiles: Disable caps for smartmontools
The USE=caps is only relevant for smartd, which we are not building
anyway.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
8a33f8b99f overlay profiles: Drop enabling caps and audit USE flags for specific packages
The selinux profile enables the USE flags for all of them.

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00
Krzesimir Nowak
6e9797dfc5 overlay profiles: Mask python and perl USE flags for generic images
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-27 13:17:29 +01:00