* filesystem: Restore /opt.
/opt is part of FHS. This fixes an issue on SELinux systems where
containerd will create /opt but we'd prefer not to allow this in
the policy.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
* selinux-policy: systemd-hostnamed fix.
Cherry pick systemd-hostnamed fix for handling /run/systemd/default-hostname.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
* containerd: Precreate /opt/containerd/{bin,lib}.
These are created by io.containerd.internal.v1.opt but it results in the
dirs having incorrect SELinux labels. Creating them in the package will
ensure correct labeling.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
---------
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
- Fix missing role associations in cloud-init patch.
- Fix missing require in mkinitrd patch.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
* selinux-policy: Update patches for upstreamed state.
0005 had changes prior to merging. Update the patch with the changes
from upstream review.
* Backport containers policy
* Split selinux-policy modules to a subpackage.
* Add prototype SELinux auto configure
* Add 'force_enforcing' option for SELinux
* Fix setools-console tools.
* Enable SELinux by default (permissive mode) on all images.
Drop build system unit test as it breaks with SELinux enabled on core-efi.
* selinux-policy: Update to 2.20210908.
* Update to 2.20220106.
Implement policy for systemd-homed and systemd-userdbd.
* Fix RPM changelog date.
* Finalize systemd-homed policy.
* Change SELinux enablement to not affect CONFIG_LSM.
* Document build settings
* Update cgmanifest
* Update toolkit/docs/formats/imageconfig.md
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* audit: Remove override so auditd starts by default.
* Add IsValid() call for SELinux in KernelCommandLine
* Add unit test for missing selinux package
* Fix debug output for selinux setfiles
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
The Fedora policy once shared the same upstream, but has been a hard
fork for many years. Additionally, the version numbers are incomparable.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Add patches so the core system can boot in enforcing. Change policy name to targeted.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>