add policycoreutils and related tools #1016
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The feature will eventually be deprecated so that only the secure form is available, per upstream discussion: https://patchwork.kernel.org/patch/11324099/ Signed-off-by: Ben Cressey <[email protected]>
This is required by libsemanage, which expects policy modules to be compressed with bzip2. Signed-off-by: Ben Cressey <[email protected]>
Signed-off-by: Ben Cressey <[email protected]>
To allow the policy to be extended or modified at runtime, we need to store the files in /etc rather than on the immutable root filesystem. Signed-off-by: Ben Cressey <[email protected]>
`avcstat` can be used by an administrator to display AVC statistics, and `sefcontext_compile` is required to rebuild the SELinux policy. Signed-off-by: Ben Cressey <[email protected]>
Shipping the modules enables an administrator to customize the policy at runtime without needing to obtain the sources from elsewhere. Signed-off-by: Ben Cressey <[email protected]>
`semodule` can be used by an administrator to add new modules to the SELinux policy, which can be helpful for troubleshooting. It depends on `load_policy` and `setfiles` to rebuild the policy. `sestatus` provides a quick summary of the SELinux configuration. Signed-off-by: Ben Cressey <[email protected]>
Signed-off-by: Ben Cressey <[email protected]>
tjkirch
approved these changes
Aug 8, 2020
iliana
approved these changes
Aug 10, 2020
jamieand
approved these changes
Aug 10, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
#997
Description of changes:
Add policycoreutils to the default install, so that higher level tools for managing the policy are available if the break-glass admin container is used. In particular,
semoduleis useful for making temporary adjustments to troubleshoot an issue.The policy files are now included in the image, as otherwise it is not possible to extend the policy without obtaining them from the repository.
Adjust the kernel default for memory protection checking so that
sestatusreports "actual (secure)". We don't enforce the memory protection checks for processes running inside containers, and none of the host binaries request memory that's both writable and executable, so this is not a fixing an actual vulnerability, just hardening the default.Testing done:
Built the
aws-devvariant. Confirmed that the policy was loaded and that files copied bytmpfiles.dwere correctly labeled.Built the
aws-k8s-1.17variant. Verified that conformance tests passed with no AVC denials.Tested various
semodulecommands:-Rreloads the policy and-Bbuilds and reloads the policy.Verified that a new policy module that refers to existing policy types can be created and loaded:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.