
Add SELinux support

  1. live-build and modifying LB_ variables.
  • In order for SELinux to work properly I need to add some custom kernel command line parameters. So I needed to append those to the LB_BOOTAPPEND_LIVE variable.
  • I also needed to do that only once.
  • I didn't find any example of any other script doing that (in such a way that the variable can be used by other scripts).
  • So I have come up with my own code that you can find in configuration.sh. If you think that live-build should be redesigned in a different way to support changing those LB_ variables in a more elegant way please tell me how you would do it and I might give it a go.

  2. Can you please tell me if the git commit message is good enough? Or is there anything that should be improved?

  3. These packages: policycoreutils, selinux-policy-default should be added to the Suggests section of the debian/control file. They are actually needed in the host system so that either the permissive or enforced options work properly.

  4. The selinuxfs script that already exists in live-build checks if SELinux is enabled and enforced in your system. If that's the case it mounts /sys/fs/selinux on the chroot. I think that it's actually needed in an enforced SELinux system if you want to actually build an image.

This selinux script does not care about you having set up SELinux in your system but enables the SELinux functionality in the resultant image.

  5. I was thinking to add under the 'lb config man page --selinux section':
  • The different SELinux needed packages that you need to install in your host system if you use the --build-with-chroot false option.
  • The different SELinux needed packages that you need to install in your host system if you use the default --build-with-chroot true option. But as I have not seen any of the other options suggesting to install any package I haven't done that.

If you think this should be documented there please let me know.

  6. Please notice that the current --selinux enforced images (even when using lb config --selinux enforced ; sudo lb build) do not boot into a usable prompt or desktop. Some of the systemd units do not seem to start properly and then a root prompt is attempted to be run. However that's not possible because the root account is locked.

This happens because either:

  • Not all of the Debian packages are set up well enough for enforced SELinux to work.
  • live-build and maybe live-boot need some more changes for this to work. I'll let the SELinux guys on #debian know that they have a base playground where they can experiment. Maybe this works with a minimal live-build image after all. I'm doing my tests with some packages that I need for Rescatux but I don't have special hooks or anything for now.

  7. This SELinux support will only work with squashfs systems, which I guess will be fine with most people. The configuration.sh file has a specific check for this.

It would not be so difficult to add support for ext2|ext3|ext4 filesystems but I am afraid I'm not interested in doing that (with all of the tests that it has underneath) unless someone is actually interested.

  8. I will add three more comments:
  • The tests that I have done. Those tests are successful for what I aim for with this feature. This Permissive SELinux support enables me to modify files from SELinux filesystems without resetting or removing their SELinux attributes, which is what happens right now without the SELinux support.
  • An OCR of what the screen shows when enforced SELinux is tried to be run. Just in case it's useful for the SELinux interested people.
  • How the SELinux attributes from the / directory are shown in permissive mode. Just in case it's useful for the SELinux interested people.
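The first point above asks how to append kernel command line parameters to LB_BOOTAPPEND_LIVE only once so that later scripts can still use the variable. The following is an added illustration, not the merge request's configuration.sh: it appends each parameter only if it is not already present, so sourcing the script twice does not duplicate anything. The exact SELinux parameters (security=selinux, selinux=1, enforcing=0/1) and the helper names are assumptions, since the MR's own values are not shown on this page.

```shell
#!/bin/sh
# Added example (not the live-build merge request's code): idempotently extend
# LB_BOOTAPPEND_LIVE with SELinux kernel parameters.
# Assumption: the parameters below are illustrative; the MR's real ones are not
# shown on this page.

# append_params_once VALUE PARAM... -> prints VALUE with any missing PARAM appended
append_params_once() {
    _value="$1"; shift
    for _p in "$@"; do
        case " $_value " in
            *" $_p "*) ;;                          # already present, skip it
            *) _value="${_value:+$_value }$_p" ;;  # append with a single space
        esac
    done
    printf '%s\n' "$_value"
}

# selinux_bootappend MODE CURRENT -> prints CURRENT plus the SELinux parameters.
# MODE is "permissive" or "enforced" (the --selinux values named in the MR).
selinux_bootappend() {
    case "$1" in
        permissive) _enf=0 ;;
        enforced)   _enf=1 ;;
        *) echo "unknown SELinux mode: $1" >&2; return 1 ;;
    esac
    append_params_once "$2" "security=selinux" "selinux=1" "enforcing=$_enf"
}

# Usage, mirroring how a config script would update the LB_ variable in place.
# Running it twice leaves the value unchanged, which is the "only once" property.
LB_BOOTAPPEND_LIVE="boot=live components quiet"
LB_BOOTAPPEND_LIVE=$(selinux_bootappend permissive "$LB_BOOTAPPEND_LIVE")
LB_BOOTAPPEND_LIVE=$(selinux_bootappend permissive "$LB_BOOTAPPEND_LIVE")
echo "$LB_BOOTAPPEND_LIVE"
```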
