Re: [CentOS-devel] Making the redhat selinux-policy repository
publicly available
by Zdenek Pytela
On Tue, Jul 11, 2023 at 10:37 PM Troy Dawson <tdawson(a)redhat.com> wrote:
> On Tue, Jul 11, 2023 at 12:50 PM Neal Gompa <ngompa13(a)gmail.com> wrote:
>
>> On Tue, Jul 11, 2023 at 9:31 AM Troy Dawson <tdawson(a)redhat.com> wrote:
>> >
>> > On Tue, Jul 11, 2023 at 4:28 AM Daan De Meyer <daan.j.demeyer(a)gmail.com>
>> wrote:
>> >>
>> >> Hi,
>> >>
>> >> It seems that the selinux-policy rpm is built from
>> >> git@gitlab.cee.redhat.com:SELinux/selinux-policy.git which seems to be
>> >> a redhat internal repository. More specifically, if I try to checkout
>> >> the commit listed in the selinux-policy spec
>> >> (
>> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/se...
>> )
>> >> in the fedora-selinux repository cloned from github, I get an error
>> >> saying that the commit does not exist. It would be great if the
>> >> repository containing this commit was publicly available and open for
>> >> external contributors just like all the other packages in CentOS
>> >> Stream. Is it possible to make this happen?
>> >
>> >
>> > I'm not the selinux-policy maintainer, so I can't comment on where they
>> work on the selinux-policy source code.
>> >
>> > But this is how I get the sources, if that is what you are ultimately
>> looking for.
>> >
>> > centpkg clone selinux-policy
>> > cd selinux-policy
>> > centpkg sources
>> > or if you want to know where they really are
>> > centpkg -v sources
>> > This shows it to be coming from
>> >
>> https://sources.stream.centos.org/sources/rpms/selinux-policy/selinux-pol...
>> >
>> > The sources information is found in the sources file
>> >
>> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/so...
>> >
>> > I know this isn't exactly what you asked for, but I hope it still helps.
>> >
>>
>> I think the idea is that having the Git repository in a public
>> location would allow the CentOS Hyperscale SIG to contribute to the
>> SELinux policy in a meaningful way.
>>
>
> Ah, ok. That makes sense.
> As I said, I'm not the maintainer so I don't know why it's where it is.
> So I'll step out of the conversation.
>
Hi,
I am one of the selinux-policy maintainers. Currently, repository for
Fedora is at github.com and RHEL sources are in an internal repo. We have
already discussed moving centos stream sources to some of the public
repositories, but it did not happen. Currently we are discussing it again,
there are a few options how to do so.
To get just the latest repository content, steps described by Troy should
work. Additionally, most of the upstream work is done in Fedora and anyway
every new commit should go to Fedora first, RHEL content is mostly a subset
of Fedora, there are very few differences.
--
Zdenek Pytela
Security SELinux team
1 week, 4 days
label rootfs in compile time not run time
by Henry Zhang
Hi folks,
Any document talking about how to set the SELinux security context of files
and directories of rootfs at compile time.
Any suggestions?
Thanks.
---henry
8 months
busybox with selinux
by Henry Zhang
Hi folks,
New version of SELinux complains of busybox when relabeling.
My busybox was compiled as CONFIG_FEATURE_INDIVIDUAL=n
That means all applets of busybox share the same inode.
But SElinux requires each file assigned to an individual inode so that each
file can be defined by file_contexts.
Any suggestions?
Thanks
---henry
8 months, 2 weeks
conflicting specifications during booting up
by Henry Zhang
Hi guys,
My selinux complains during booting.
setfiles complains conflicting specifications:
selinux-autorelabel.sh[1524]: /sbin/setfiles: conflicting specifications
for /tmp/tmp.flCsmAYyao/usr/lib/systemd/system/smartcard.target and
/tmp/tmp.flCsmAYyao/usr/lib/systemd/user/smartcard.target, using
system_u:object_r:systemd_user_unit_t:s0.
# ls -Z /usr/lib/systemd/system/sound.target
system_u:object_r:systemd_user_unit_t:s0
/usr/lib/systemd/system/sound.target
ls -Z /usr/lib/systemd/user/sound.target
system_u:object_r:systemd_user_unit_t:s0 /usr/lib/systemd/user/sound.target
# grep "/usr/lib/systemd/system"
/etc/selinux/mcs/contexts/files/file_contexts
/usr/lib/systemd/system(/.*)? system_u:object_r:systemd_unit_t:s0
/usr/lib/systemd/user(/.*)? system_u:object_r:systemd_user_unit_t:s0
My question is why "/usr/lib/systemd/system/smartcard.target " does not
take systemd_unit_t from file_contexts?
What is wrong in my selinux?
Thanks.
----henry
8 months, 2 weeks