build_sysext: Add SELinux labeling #1147
Labels
Milestone
Comments
github-project-automation
bot
moved this to 📝 Needs Triage
in Flatcar tactical, release planning, and roadmap
pothos
moved this from 📝 Needs Triage
to 🪵Backlog
in Flatcar tactical, release planning, and roadmap
pothos
added this to the Torcx removal, internal Docker+containerd sysext images milestone
|
The change is prepared as part of flatcar/scripts#1517 (currently not working due to label/policy mismatch in the rest of |
pothos
moved this from 🪵Backlog
to ⚒️ In Progress
in Flatcar tactical, release planning, and roadmap
|
This should also be labelled area/selinux |
|
@vielmetti @pothos On nights and weekends, I've been dabbling quite a bit in SELinux policy analysis and generation lately, using LLMs and formal verification—picked up a thing or two along the way. Any chance you could assign this to me? I’d love to take a look at it. Plus, I’m using Flatcar for something right now, so solving this would definitely help me out. And since I wrote build_sysext during my internship, I’ve already got some context :) |
|
You're welcome to work on it, no one else is currently looking into this. It doesn't require the issue to be assigned. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The build_sysext tool is now used for the OEM and in the future the internal Docker/containerd systemd-sysext image.
For Docker and containerd we need to make sure that the files are correctly labeled for SELinux to work in enforcing mode.
There were attempts to do this with the torcx tar ball but they failed.
Note that the /usr image is also not completely labeled yet https://github.com/flatcar/scripts/blob/1f1a53140cf7b3cbb4d3e8961bce7a44af295ce4/build_library/build_image_util.sh#L775 and that enforcing mode is not expected to work until we update the policy and debug any remaining issues.
The text was updated successfully, but these errors were encountered: