
[RFE] rework SELinux patches

Open tormath1 opened this issue 3 years ago • 0 comments

Current situation

On Flatcar, we have SELinux patches. Some of these are quite old and could be upstreamed or purely deleted. Let's gather the feedback we got from an interesting discussion with the Gentoo SELinux project folks (https://wiki.gentoo.org/wiki/Project:SELinux):

  • [x] selinux-unconfined: no customization -> let's move it to ::portage-stable: https://github.com/flatcar-linux/portage-stable/pull/314
  • [ ] icmp-bind could be replaced with the user_ping boolean? (@krnowak, if you want to try it?)
  • [ ] unlabeled.patch could be upstreamed to refpolicy
  • [ ] sshd.patch is broken (unconfined_t is not a file type, so you can't put it in fcontexts)
  • [ ] logging.patch seems fine; it has to use an interface (can't use kernel_t outside of kernel.te/kernel.if) and could go upstream
  • [ ] locallogin.patch could go upstream
  • [ ] https://github.com/flatcar-linux/coreos-overlay/blob/main/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch could go upstream but needs investigation

This is required for https://github.com/flatcar-linux/Flatcar/issues/673

Thanks a lot @perfinion for your time and your feedback :)

tormath1, Mar 28 '22 17:03
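The sshd.patch item above is rejected for one reason: a file context (.fc) entry may only assign a type that carries the file_type attribute, and unconfined_t is a process domain. The script below is an added example, not code from Flatcar, coreos-overlay or refpolicy. It shows the check a reviewer would run over an .fc fragment before proposing it. The list of file types is a constructed stand-in in the shape of `seinfo -a file_type -x` output (setools 4); on a real host you would feed the real command's output in instead. The .fc lines in the demo are constructed too and are not taken from Flatcar's sshd.patch.

```shell
#!/bin/sh
# Added example (not Flatcar's or refpolicy's code): validate that every
# type named in a refpolicy-style file context (.fc) line is a file type.
# A domain such as unconfined_t has no file_type attribute, so an .fc line
# using it cannot be applied, which is why sshd.patch is flagged as broken.

# Constructed sample in the shape of `seinfo -a file_type -x` output.
# Offline stand-in only; on a real host run:  seinfo -a file_type -x
SAMPLE_FILE_TYPES='Type Attributes: 1
   attribute file_type;
	bin_t
	etc_t
	sshd_exec_t
	sshd_key_t
	ssh_home_t
	user_home_t'

# type_is_file_type TYPE [SEINFO_OUTPUT]
# Succeed (0) when TYPE is listed under the file_type attribute.
type_is_file_type() {
    _t="$1"
    _out="${2:-$SAMPLE_FILE_TYPES}"
    # strip leading whitespace from the indented type list, then exact-match
    printf '%s\n' "$_out" | sed 's/^[[:space:]]*//' | grep -qx -- "$_t"
}

# fc_line_type FC_LINE
# Print the type named in an .fc line such as
#   /usr/sbin/sshd  --  gen_context(system_u:object_r:sshd_exec_t,s0)
# (prints sshd_exec_t). Prints nothing for a line with no object_r:TYPE.
fc_line_type() {
    printf '%s\n' "$1" | sed -n 's/.*:object_r:\([A-Za-z0-9_]*\)[,)].*/\1/p'
}

# check_fc_line FC_LINE [SEINFO_OUTPUT]
# Succeed (0) when the line names a file type (or is a <<none>> entry,
# which refpolicy uses to leave a path unlabeled); fail (1) otherwise.
check_fc_line() {
    case "$1" in
        *'<<none>>'*) echo "ok: <<none>> entry, no type assigned"; return 0 ;;
    esac
    _type=$(fc_line_type "$1")
    if [ -z "$_type" ]; then
        echo "malformed fcontext line: $1" >&2
        return 1
    fi
    if type_is_file_type "$_type" "${2:-$SAMPLE_FILE_TYPES}"; then
        echo "ok: $_type is a file type"
        return 0
    fi
    echo "rejected: $_type has no file_type attribute, cannot be used in an fcontext" >&2
    return 1
}

# check_fc_file PATH [SEINFO_OUTPUT]
# Run check_fc_line over every non-blank, non-comment line; fail if any line fails.
check_fc_file() {
    _bad=0
    while IFS= read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        check_fc_line "$_line" "${2:-$SAMPLE_FILE_TYPES}" || _bad=$((_bad + 1))
    done < "$1"
    [ "$_bad" -eq 0 ]
}

# Demo over a constructed two-line .fc fragment (hypothetical, not sshd.fc).
# The second line reproduces the class of mistake the issue describes.
main() {
    _tmp=$(mktemp)
    printf '%s\n' \
        '/usr/sbin/sshd  --  gen_context(system_u:object_r:sshd_exec_t,s0)' \
        '/home/core/.ssh(/.*)?  gen_context(system_u:object_r:unconfined_t,s0)' \
        > "$_tmp"
    check_fc_file "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

main || echo "one or more fcontext lines were rejected"
```

To run it against a real policy, replace `SAMPLE_FILE_TYPES` with the output of `seinfo -a file_type -x` and point `check_fc_file` at the .fc file from the patch; any type printed as "rejected" would also be refused by the policy build, which is the failure the sshd.patch item describes.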