
SELinux policy for runtime #25

Open
tsavola opened this issue Sep 7, 2019 · 8 comments

Comments

@tsavola
Member

tsavola commented Sep 7, 2019

No description provided.

@wsandin

wsandin commented Dec 30, 2019

I'd be happy to help out with that @tsavola

@tsavola
Member Author

tsavola commented Dec 30, 2019

Great to hear!

I threw together an AppArmor profile as I live in the Ubuntu/Debian world (however, there's an issue with it). It applies to the non-Go components (lib) which implement the containment of the user processes. They're the most sensitive and least volatile part.

The programs in bin are a secondary subject. They are built on the reusable Go packages, which leads me to think that a reusable core policy or a template might be helpful. I have no experience with SELinux so don't know what makes sense.

Did you get Gate built and working?

@wsandin

wsandin commented Jan 12, 2020

Hi, thanks for the details. I'm working on setting up the build env now.

@wsandin

wsandin commented Jan 13, 2020

I'm having some trouble building Gate on CentOS 8. I had to change $CC to gcc instead of gcc-musl. I have all Development Tools (group package for x86-64) installed.

I'll try to work something out, but just wanted to share as an FYI in case you had any idea @tsavola.

[vagrant@localhost gate]$ cat /etc/centos-release
CentOS Linux release 8.0.1905 (Core) 
[vagrant@localhost gate]$ make
make -C runtime/container CGROUP_BACKEND=systemd
make[1]: Entering directory '/home/vagrant/gate/runtime/container'
mkdir -p ../../lib/gate/runtime/
ln -f ../../lib/runtime-container-cgroup-systemd ../../lib/gate/runtime/gate-runtime-container.0
make[1]: Leaving directory '/home/vagrant/gate/runtime/container'
make -C runtime/executor
make[1]: Entering directory '/home/vagrant/gate/runtime/executor'
mkdir -p ../../lib/gate/runtime/
gcc -std=gnu99 -O2 -fomit-frame-pointer -g -Wall -Wextra -Wno-unused-parameter -pthread -static -o ../../lib/gate/runtime/gate-runtime-executor.0 executor.o reaper.o sentinel.o
/usr/bin/ld: cannot find -lpthread
/usr/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:18: ../../lib/gate/runtime/gate-runtime-executor.0] Error 1
make[1]: Leaving directory '/home/vagrant/gate/runtime/executor'
make: *** [Makefile:34: lib] Error 2

@tsavola
Member Author

tsavola commented Jan 13, 2020

It might be due to -static. Maybe CentOS doesn't ship static libraries by default, and you need to install something more?
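
A pre-flight check for the failure mode discussed above, added here as an example and not part of the Gate build or of either commenter's code: it asks the compiler driver where the static archives for libc and libpthread live, so a missing static glibc is reported before make reaches the -static link step. It assumes a gcc-compatible driver that supports -print-file-name (clang does too); the package name mentioned in the message is the usual CentOS source, not something stated in this issue.

```shell
#!/bin/sh
# Added example (not from the Gate project): detect an incomplete static
# toolchain before running `make`, so "ld: cannot find -lc" is diagnosed
# up front instead of at link time.

# Print the static archive path for a library, or return 1 if the driver
# cannot locate it. gcc echoes the bare file name when the archive is
# absent, so only an absolute path that exists counts as found.
find_static_archive() {
    _lib=$1
    _cc=${CC:-gcc}
    _path=$("$_cc" -print-file-name="lib${_lib}.a" 2>/dev/null) || return 1
    case $_path in
        /*) if [ -f "$_path" ]; then printf '%s\n' "$_path"; return 0; fi ;;
    esac
    return 1
}

# Report every requested library that has no static archive. Returns the
# number of missing archives, so 0 means a -static link can be attempted.
check_static_libs() {
    _missing=0
    for _lib in "$@"; do
        if _p=$(find_static_archive "$_lib"); then
            echo "ok:      lib${_lib}.a -> $_p"
        else
            # Assumption: on CentOS 8 the glibc-static package is the usual
            # provider of libc.a / libpthread.a; adjust for other distros.
            echo "missing: lib${_lib}.a (static archive not found; install the distro's static glibc, e.g. glibc-static on CentOS 8)" >&2
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# Default to the archives the executor link line in this issue needs:
# -pthread pulls in libpthread, and -static needs libc.a itself.
if [ $# -eq 0 ]; then set -- c pthread; fi
check_static_libs "$@"
```

Run it with the same CC the Makefile uses (for example `CC=gcc sh static-check.sh`) before `make`; a non-zero exit tells you which archive the linker will fail to find.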

@wsandin

wsandin commented Mar 18, 2020

Just resumed. Will try to reinstall it today on a fresh CentOS install.

@wsandin

wsandin commented Mar 29, 2020

Sorry, I don't think I'll be able to commit much to this, as it needs a fair bit of customization of CentOS (including installing musl) to make sense to bundle with SELinux, unless there's a bundle of RPMs available first.

@tsavola
Member Author

tsavola commented Mar 31, 2020

Okay, no problem.
