SELinux libs and tools: 2.4 -> 2.7 #36978
Conversation
Does anyone actually have a working selinux on NixOS? I did not even manage to enable it.
I want to give it a try, that's why I am doing this first.
I would be glad to see this. I currently have to boot fedora to test selinux support in https://github.com/Mic92/cntr
I would not be surprised that I was not able to enable it because of the age of selinux tools in comparison to the kernel.
@GrahamcOfBorg build libsepool libselinux libsemanage policycoreutils checkpolicy
No attempt on x86_64-darwin. The following builds were skipped because they don't evaluate on x86_64-darwin: libsepool, libselinux, libsemanage, policycoreutils, checkpolicy. No log is available.
Success on x86_64-linux. Attempted: libselinux, libsemanage, policycoreutils, checkpolicy. The following builds were skipped because they don't evaluate on x86_64-linux: libsepool
Success on aarch64-linux. Attempted: libselinux, libsemanage, policycoreutils, checkpolicy. The following builds were skipped because they don't evaluate on aarch64-linux: libsepool
@GrahamcOfBorg build libsepol libselinux libsemanage policycoreutils checkpolicy
Success on x86_64-linux. Attempted: libsepol, libselinux, libsemanage, policycoreutils, checkpolicy
Success on aarch64-linux. Attempted: libsepol, libselinux, libsemanage, policycoreutils, checkpolicy
@GrahamcOfBorg build setools
Success on x86_64-linux. Attempted: setools
Success on aarch64-linux. Attempted: setools
@GrahamcOfBorg build selinux-python
Success on x86_64-linux. Attempted: selinux-python
Success on aarch64-linux. Attempted: selinux-python
nativeBuildInputs = [ autoreconfHook pkgconfig python swig2 bison flex ]; | ||
buildInputs = [ tcl libxml2 sqlite bzip2 ]; | ||
preBuild = '' | ||
export SEPOL="${libsepol}/lib/libsepol.a" |
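Review bot: preBuild points SEPOL at the static archive ${libsepol}/lib/libsepol.a without saying why; a one-line comment in the hunk that the upstream build links libsepol.a statically and that this is intentional would spare the next maintainer the question raised in this review, and it would also make clear that a libsepol update requires rebuilding this package rather than just the shared library.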
Is libsepol supposed to be statically linked?
Yes, upstream code explicitly links libsepol.a statically. Surprised me too but I see no reason to mess with that. It's not that big anyway.
@GrahamcOfBorg build selinux-sandbox
Success on x86_64-linux. Attempted: selinux-sandbox
Success on aarch64-linux. Attempted: selinux-sandbox
@GrahamcOfBorg build libsepol libselinux libsemanage policycoreutils checkpolicy
Success on aarch64-linux. Attempted: checkpolicy, libselinux, libsemanage, libsepol, policycoreutils, selinux-python, selinux-sandbox, setools
👍
@xeji did you manage to get selinux running on nixos and if so, what flags were required? Otherwise I could test on fedora.
@Mic92 not yet - it's on my list for the next few days. Testing on fedora would be good anyway to confirm the tools work independent of nixos setup.
@Mic92 some quick first tests show you need
However, after boot selinux still shows as disabled:
I suspect the
I believe that means it wasn't available at compile-time (or that we forced it off with Also, yay!
@xeji looking at systemd is a good hint. It is possible to enable selinux in systemd without recompiling everything by loading a custom systemd with
Looking at the systemd expression, we don't disable selinux. But we don't list
https://github.com/systemd/systemd/blob/ffb3c2bd705409ca5bbbb9ccef4c59349ea787cf/meson.build#L850
false by default, so no rebuild
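The symptom discussed above (SELinux reported as disabled after boot although the tools build, with systemd the suspect) can be narrowed down layer by layer. The following script is an added example, not code from this PR or from nixpkgs; it assumes the standard kernel interfaces /proc/cmdline, /sys/kernel/security/lsm and /proc/self/mounts, and the NixOS systemd location /run/current-system/systemd/lib/systemd/systemd is an assumption.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of this PR: when SELinux "still shows as disabled"
# after boot although the tools build, test each layer in turn. Each check reads
# the file passed as $1 so it can run on fixtures; the real path is in its comment.

# $1: kernel command line (real path: /proc/cmdline).
# 0 if SELinux was requested at boot with security=selinux or selinux=1.
selinux_requested_on_cmdline() {
  tr ' ' '\n' < "$1" | grep -qxE 'security=selinux|selinux=1'
}

# $1: active LSM list (real path: /sys/kernel/security/lsm, Linux >= 4.12).
# 0 if "selinux" is one of the comma-separated active modules.
selinux_active_lsm() {
  tr ',' '\n' < "$1" | grep -qx 'selinux'
}

# $1: mount table (real path: /proc/self/mounts).
# 0 if a selinuxfs is mounted (normally at /sys/fs/selinux).
selinuxfs_mounted() {
  awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# $1: saved ldd output of the systemd binary; on NixOS (assumed path):
#     ldd /run/current-system/systemd/lib/systemd/systemd > systemd.ldd
# 0 if systemd links libselinux; without it systemd never loads a policy,
# so the system reports SELinux disabled even on a capable kernel.
systemd_links_libselinux() {
  grep -q 'libselinux\.so' "$1"
}

# Run one check, print PASS/FAIL and count failures in $fails.
run_check() {
  if [ -r "$2" ] && "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# $1..$4: cmdline, lsm, mounts and ldd files. Returns the number of failed checks.
selinux_report() {
  fails=0
  run_check selinux_requested_on_cmdline "$1"
  run_check selinux_active_lsm "$2"
  run_check selinuxfs_mounted "$3"
  run_check systemd_links_libselinux "$4"
  return "$fails"
}

# Stand-alone use on a NixOS box: ./selinux-check.sh --live
if [ "${1:-}" = "--live" ]; then
  ldd /run/current-system/systemd/lib/systemd/systemd > /tmp/systemd.ldd 2>/dev/null
  selinux_report /proc/cmdline /sys/kernel/security/lsm /proc/self/mounts /tmp/systemd.ldd
fi
```

A FAIL on the last check with the first three passing is exactly the case in this thread: the kernel is ready but systemd was built without libselinux.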
Success on x86_64-linux. Attempted: checkpolicy, libselinux, libsemanage, libsepol, policycoreutils, selinux-python, selinux-sandbox, setools, systemd
The last commit adds a
Success on aarch64-linux. Attempted: checkpolicy, libselinux, libsemanage, libsepol, policycoreutils, selinux-python, selinux-sandbox, setools, systemd
@xeji I suppose this selinux snippet could become a module later. Thanks for making selinux work. I need this for testing some software.
Just a heads up - it seems
@pbogdan thanks. The error looks like it can be fixed by ignoring a warning, I'll give that a try later, cannot hurt. But I have no idea how to test an i686 build. Is there a way to cross-build this on an x86_64 machine? Never tried...
Yeah, at least for i686-linux you can build it with
@Mic92 a selinux module would be nice, let's keep that in mind. Probably quite a bit of work since we need some sort of policy builder/patcher tool to create policies that fit a nixos system.
@xeji I think supporting containers/vms would be already useful. docker/lxc/systemd-nspawn already apply profiles.
substituteInPlace Makefile --replace "-m 4755" "-m 755" | ||
substituteInPlace sandboxX.sh \ | ||
--replace "#!/bin/sh" "#!${bash}/bin/sh" \ | ||
--replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \ |
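Review bot: the Makefile substitution turns the 4755 install mode into 755, dropping the setuid bit the upstream install sets, but the hunk says nothing about where that privilege goes; since Nix store paths cannot carry setuid, a comment should state whether a setuid wrapper is provided elsewhere or the tool is meant to be run as root only, otherwise readers cannot tell whether the loss is intentional. The sandboxX.sh substitution also relies on ${placeholder "out"}, which needs a Nix version newer than the minimum nixpkgs currently declares, as the review comments on this hunk point out.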
This doesn't work for Nix 1.11 users, please correct this as seen in #37860
@infinisil why does it matter? That placeholder is in a new package so this shouldn't break anything nix 1.11 users had before, or does it?
On March 28, 2018 5:55:53 PM GMT+02:00, Silvan Mosberger wrote:
Infinisil commented on this pull request.
> +
+ src = fetchurl {
+ url =
"https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${se_release}/selinux-sandbox-${version}.tar.gz";
+ sha256 = "0hf5chm90iapb42njaps6p5460ys3ajh5446ja544vdbh01n544l";
+ };
+
+ nativeBuildInputs = [ wrapPython ];
+ buildInputs = [ bash coreutils libcap_ng policycoreutils python3
xorgserver openbox xmodmap dbus ];
+ propagatedBuildInputs = [ pygobject3 selinux-python ];
+
+ postPatch = ''
+ # Fix setuid install
+ substituteInPlace Makefile --replace "-m 4755" "-m 755"
+ substituteInPlace sandboxX.sh \
+ --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+ --replace "/usr/share/sandbox/start" "${placeholder
"out"}/share/sandbox/start" \
This doesn't work for Nix 1.11 users, please correct this as seen in
#37860
The minimum version required is still 1.11, not 2.0: https://github.com/NixOS/nixpkgs/blob/master/lib/minver.nix
Fixed in 025881c
Thanks @jtojnar !
Motivation for this change
Our SELinux 2.4 is >3 yrs old and produces some build failures with gcc7.
[WIP] since this update involves multiple packages which will be added here incrementally.
/cc @Phreedom @andir