path: root/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg
Age         Commit message                                            Author              Files  Lines
2024-04-26  selinux.cfg: update to reflect upstream kernel changes    Denys Dmytriyenko   1      -2/+0

    SECURITY_SELINUX_DISABLE removed in f22f9aaf6c3d92ebd5ad9e67acc03afebaaeb289
    SECURITY_SELINUX_CHECKREQPROT_VALUE removed in a7e4676e8e2cb158a4d24123de778087955e1b36

    Both changes are in kernel 6.4+

    Bug-AGL: SPEC-4578
    Change-Id: I46d5f880c4d13372f09cc9cfdab4e7e0a9a02e42
    Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
2022-12-16  linux: config: move CONFIG_AUDIT* into own fragment       Denys Dmytriyenko   1      -2/+0

    Enabling CONFIG_AUDIT* is needed by auditd and should be safe whether
    systemd is used or not and is not specific to SELinux.

    Note that systemd README has this old caveat mentioned:

    | Note that kernel auditing is broken when used with systemd's
    | container code. When using systemd in conjunction with
    | containers, please make sure to either turn off auditing at
    | runtime using the kernel command line option "audit=0", or
    | turn it off at kernel compile time using:
    |         CONFIG_AUDIT=n
    | If systemd is compiled with libseccomp support on
    | architectures which do not use socketcall() and where seccomp
    | is supported (this effectively means x86-64 and ARM, but
    | excludes 32-bit x86!), then nspawn will now install a
    | work-around seccomp filter that makes containers boot even
    | with audit being enabled. This works correctly only on kernels
    | 3.14 and newer though. TL;DR: turn audit off, still.

    But that seems to only apply to nspawn usage in some specific cases and
    on older kernels, plus there are even runtime workarounds available when
    needed, so let's enable it by default.

    Bug-AGL: SPEC-4627
    Change-Id: I5fcd58ba41929d2966fadea27b6751e4fa6589c9
    Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
    Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28276
    Tested-by: Jenkins Job builder account
    ci-image-build: Jenkins Job builder account
    ci-image-boot-test: Jenkins Job builder account
    Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-07-27  Add SELinux feature                                       Scott Murray        1      -0/+18

    Add agl-selinux feature to enable SELinux support.

    Notes:
    - SELinux is in permissive mode by default for now, and using the
      targeted policy by default.
    - The linux-yocto specific bbappend in meta-selinux is masked out in
      favor of adding a more universal kernel configuration fragment with
      AGL's own scheme.
    - SELinux specific recipes and bbappends are added via a meta-selinux
      dynamic-layers addition in meta-agl-core to keep using meta-selinux
      optional. This will avoid issues with the Yocto autobuilder testing
      of meta-agl-core.
    - To avoid the effectively hard-coded autorelabel on first boot, a
      bbappend is added to the selinux-autorelabel recipe to remove the
      flag creation. In the off chance that a build happens on a
      filesystem without xattr support, the logic in the selinux-image
      bbclass will still touch the /.autorelabel flag and trigger
      relabeling.
    - A systemd unit and script are added with a new
      systemd-selinux-relabel recipe to handle relabeling of some systemd
      generated files that do not get handled during root filesystem
      construction. Some of these can be addressed by some upstream
      tweaks, but /etc/machine-id will always need special handling unless
      there is a shift to using read-only or stateless root by default.
      With this workaround we still avoid doing a full relabel and reboot
      on first boot, which helps simplify CI.

    Bug-AGL: SPEC-4332
    Signed-off-by: Scott Murray <scott.murray@konsulko.com>
    Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90
    Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790
    Tested-by: Jenkins Job builder account
    ci-image-build: Jenkins Job builder account
    ci-image-boot-test: Jenkins Job builder account
    Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>