
SELinux policy for runtime

Open tsavola opened this issue 6 years ago • 8 comments

tsavola avatar Sep 07 '19 16:09 tsavola

I'd be happy to help out with that @tsavola

wsandin avatar Dec 30 '19 03:12 wsandin

Great to hear!

I threw together an AppArmor profile as I live in the Ubuntu/Debian world (however, there's an issue with it). It applies to the non-Go components (lib) which implement the containment of the user processes. They're the most sensitive and least volatile part.

The programs in bin are a secondary subject. They are built on the reusable Go packages, which leads me to think that a reusable core policy or a template might be helpful. I have no experience with SELinux so don't know what makes sense.

Did you get Gate built and working?

tsavola avatar Dec 30 '19 05:12 tsavola

Hi, thanks for the details. I'm working on setting up the build env now.

wsandin avatar Jan 12 '20 02:01 wsandin

I'm having some trouble building gate on CentOS 8. I had to change $CC to gcc instead of gcc-musl. I have all Development Tools (group package for x86-64) installed.

I'll try to work something out, but just wanted to share as an FYI in case you had any idea @tsavola.

[vagrant@localhost gate]$ cat /etc/centos-release
CentOS Linux release 8.0.1905 (Core)
[vagrant@localhost gate]$ make
make -C runtime/container CGROUP_BACKEND=systemd
make[1]: Entering directory '/home/vagrant/gate/runtime/container'
mkdir -p ../../lib/gate/runtime/
ln -f ../../lib/runtime-container-cgroup-systemd ../../lib/gate/runtime/gate-runtime-container.0
make[1]: Leaving directory '/home/vagrant/gate/runtime/container'
make -C runtime/executor
make[1]: Entering directory '/home/vagrant/gate/runtime/executor'
mkdir -p ../../lib/gate/runtime/
gcc -std=gnu99 -O2 -fomit-frame-pointer -g -Wall -Wextra -Wno-unused-parameter -pthread -static -o ../../lib/gate/runtime/gate-runtime-executor.0 executor.o reaper.o sentinel.o
/usr/bin/ld: cannot find -lpthread
/usr/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:18: ../../lib/gate/runtime/gate-runtime-executor.0] Error 1
make[1]: Leaving directory '/home/vagrant/gate/runtime/executor'
make: *** [Makefile:34: lib] Error 2

wsandin avatar Jan 13 '20 13:01 wsandin

It might be due to -static. Maybe CentOS doesn't ship static libraries by default, and you need to install something more?

tsavola avatar Jan 13 '20 14:01 tsavola
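One way to check the -static hypothesis from the comment above, as an added shell example that is not part of Gate or of this thread: `ld: cannot find -lc` under `-static` means the linker needs the archive `libc.a` (a shared `libc.so` does not count), so the script below parses the linker errors quoted earlier and asks the compiler where it would find the corresponding archives. The package name `glibc-static` and the `PowerTools` repository for CentOS 8 are assumptions, as is the availability of gcc on the build host.

```shell
#!/bin/sh
# Added diagnostic for the "-static" hypothesis; not part of Gate.
# Package/repo names (glibc-static, PowerTools) are assumed for CentOS/RHEL.

# Map a missing -l<name> from ld output to the static archive that -static
# requires and the package assumed to provide it on CentOS/RHEL.
static_hint() {
  case "$1" in
    c|pthread|m|rt|dl) echo "lib$1.a (glibc-static)" ;;
    *)                 echo "lib$1.a (unknown package)" ;;
  esac
}

# Parse linker output on stdin and print one hint per "cannot find -l" line.
# Returns 1 if any such line was seen, 0 if the link output was clean.
parse_ld_errors() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      *"cannot find -l"*)
        name=${line##*cannot find -l}   # strip everything up to "-l"
        name=${name%% *}                # drop any trailing text
        printf 'missing %s\n' "$(static_hint "$name")"
        found=1 ;;
    esac
  done
  return $found
}

# Ask the compiler where it would resolve a static archive. gcc echoes the bare
# name when the file is not in its search path, so a result without "/" means
# the archive is not installed. Returns 2 if the compiler itself is missing.
have_static_archive() {
  cc=$1
  lib=$2
  command -v "$cc" >/dev/null 2>&1 || return 2
  p=$("$cc" -print-file-name="$lib")
  case "$p" in
    */*) [ -f "$p" ] ;;
    *)   return 1 ;;
  esac
}

# Constructed sample: the two linker lines quoted in the build log above.
sample_log='/usr/bin/ld: cannot find -lpthread
/usr/bin/ld: cannot find -lc'

# Stand-alone run: report what the sample log implies, then probe the toolchain.
printf '%s\n' "$sample_log" | parse_ld_errors \
  || echo "hint: on CentOS 8 the assumed fix is: dnf --enablerepo=PowerTools install glibc-static"
for a in libc.a libpthread.a; do
  if have_static_archive gcc "$a"; then
    echo "$a: present"
  elif [ $? -eq 2 ]; then
    echo "$a: gcc not found, cannot probe"
  else
    echo "$a: not found by gcc (static link will fail)"
  fi
done
```

`gcc -print-file-name` is the same lookup the link step uses, so a bare name in its output is a reliable sign that `-static` cannot succeed until the archive package is installed; the parser is only there to turn an existing build log into the same answer without re-running the build.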

Just resumed. Will try to reinstall it today on a fresh CentOS install.

wsandin avatar Mar 18 '20 20:03 wsandin

Sorry, I don't think I'll be able to commit much to this, as it needs a fair bit of customization of CentOS (including installing musl) to make sense to bundle with SELinux, unless there's a bundle of RPMs available first.

wsandin avatar Mar 29 '20 02:03 wsandin

Okay, no problem.

tsavola avatar Mar 31 '20 14:03 tsavola