Add SELinux support [WIP]

Signed-off-by: David Cassany <[email protected]>

packages/base/definition.yaml

@@ -1,6 +1,6 @@
 name: "base"
 category: "distro"
-version: "0.3.6"
+version: "0.3.6+1"
 
 hidden: true # No need to make it installable for now
 labels:

packages/cos/build.yaml

@@ -20,6 +20,9 @@ requires:
 - name: cos-features
   category: system
   version: ">=0"
+- name: "refpolicy"
+  category: "system"
+  version: ">=0"
 
 steps:
 - sed -i 's/:VERSION:/{{.Values.version}}/g' setup.yaml
@@ -85,8 +88,8 @@ excludes:
 - ^/var/lib/YaST2
 
 # Perl
-# - ^/usr/bin/perl.*
-# - ^/usr/lib/perl.*
+- ^/usr/bin/perl.*
+- ^/usr/lib/perl.*
 
 # Wget - we are only shipping curl
 - ^/etc/wgetrc

packages/cos/setup.yaml

@@ -47,7 +47,7 @@ stages:
               set img=/cOS/active.img
               loopback loop0 /$img
               set root=($root)
-              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_ACTIVE iso-scan/filename=/cOS/active.img panic=5
+              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_ACTIVE iso-scan/filename=/cOS/active.img panic=5 security=selinux selinux=1
               initrd (loop0)/boot/initrd
             }
 
@@ -56,7 +56,7 @@ stages:
               set img=/cOS/passive.img
               loopback loop0 /$img
               set root=($root)
-              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_PASSIVE iso-scan/filename=/cOS/passive.img panic=5
+              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_PASSIVE iso-scan/filename=/cOS/passive.img panic=5 security=selinux selinux=1
               initrd (loop0)/boot/initrd
             }
 

packages/refpolicy/build.yaml

@@ -0,0 +1,34 @@
+requires:
+- name: "base"
+  category: "distro"
+  version: ">=0"
+
+prelude:
+{{ if .Values.distribution }}
+{{if eq .Values.distribution "opensuse" }}
+- zypper in -y wget sed bzip2 && zypper install -y -t pattern devel_basis
+{{else if eq .Values.distribution "fedora" }}
+- dnf install -y wget sed "@Development Tools"
+{{end}}
+{{end}}
+- wget https://raw.githubusercontent.com/wiki/SELinuxProject/refpolicy/files/refpolicy-{{.Values.policy_version}}.tar.bz2 -O refpolicy-src.tar.bz2
+- tar xaf refpolicy-src.tar.bz2
+
+steps:
+{{ if .Values.distribution }}
+{{if eq .Values.distribution "opensuse" }}
+- zypper in -y selinux-tools audit policycoreutils restorecond python-xml 
+{{end}}
+{{end}}
+- cp config /etc/selinux/config
+- cd refpolicy && make install-src
+- cd /etc/selinux/refpolicy/src/policy && make conf && \
+{{ if .Values.distribution }}
+{{if eq .Values.distribution "opensuse" }}
+  sed -e "s|^.*DISTRO *=.*$|DISTRO = suse|g" \
+{{else if eq .Values.distribution "fedora" }}
+  sed -e "s|^.*DISTRO *=.*$|DISTRO = redhat|g" \
+{{end}}
+{{end}}
+    -e "s|^.*DIRECT_INITRC *=.*$|DIRECT_INITRC=y|g" -i build.conf
+- cd /etc/selinux/refpolicy/src/policy && make load

packages/refpolicy/config

@@ -0,0 +1,10 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= can take one of these two values:
+#       targeted - Targeted processes are protected,
+#       mls - Multi Level Security protection.
+SELINUXTYPE=refpolicy

packages/refpolicy/definition.yaml

@@ -0,0 +1,5 @@
+name: "refpolicy"
+category: "system"
+version: "0.0.4"
+
+policy_version: "2.20180114"

values/opensuse.yaml

@@ -35,5 +35,6 @@ packages: >-
     haveged
     tar
     rsync
+    timezone
 
 kernel_package: kernel-default