
Cannot build selinux policy extensions from the bottlerocket main policy package #332

Open
mikn opened this issue Dec 28, 2024 · 2 comments

Comments

@mikn

mikn commented Dec 28, 2024

What I expected to happen:
I expected to be able to depend on the bottlerocket selinux-policy package to extend and add policies.

What actually happened:
Since selinux-policy installs /etc/selinux, it conflicts with the libsemanage package that is already installed in the SDK.

  #13 0.221 --repofrompath=bottlerocket-bottlerocket-core-kit,/bypass/build/external-kits/bottlerocket/bottlerocket-core-kit/x86_64 --enablerepo bottlerocket-bottlerocket-core-kit --repofrompath=bottlerocket-bottlerocket-kernel-kit,/bypass/build/external-kits/bottlerocket/bottlerocket-kernel-kit/x86_64 --enablerepo bottlerocket-bottlerocket-kernel-kit
  #13 0.483 Added repo repo from ./rpmbuild/RPMS
  #13 0.483 Added bottlerocket-bottlerocket-core-kit repo from /bypass/build/external-kits/bottlerocket/bottlerocket-core-kit/x86_64
  #13 0.483 Added bottlerocket-bottlerocket-kernel-kit repo from /bypass/build/external-kits/bottlerocket/bottlerocket-kernel-kit/x86_64
  #13 0.546 repo                                             44 kB/s | 241  B     00:00    
  #13 0.558 bottlerocket-bottlerocket-core-kit               19 MB/s | 127 kB     00:00    
  #13 0.611 bottlerocket-bottlerocket-kernel-kit             19 MB/s | 132 kB     00:00    
  #13 0.928 Package secilc-3.5-2.fc39.x86_64 is already installed.
  #13 0.947 Dependencies resolved.
  #13 0.955 ==================================================================================================================
  #13 0.955  Package                         Arch    Version                         Repository                           Size
  #13 0.955 ==================================================================================================================
  #13 0.955 Installing:
  #13 0.955  bottlerocket-selinux-policy     x86_64  1:0.0-1.1734718075.9b8be026.br1 bottlerocket-bottlerocket-core-kit   52 k
  #13 0.955 
  #13 0.955 Transaction Summary
  #13 0.955 ==================================================================================================================
  #13 0.955 Install  1 Package
  #13 0.955 
  #13 0.955 Total size: 52 k
  #13 0.956 Installed size: 159 k
  #13 0.956 Downloading Packages:
  #13 0.956 Running transaction check
  #13 0.960 Transaction check succeeded.
  #13 0.960 Running transaction test
  #13 0.991 Error: Transaction test error:
  #13 0.991   file /etc/selinux from install of bottlerocket-selinux-policy-1:0.0-1.1734718075.9b8be026.br1.x86_64 conflicts with file from package libsemanage-3.5-4.fc39.x86_64

How to reproduce the problem:
Try building a package that has a BuildRequires on selinux-policy and it will fail on a conflicting file at /etc/selinux.

@mikn mikn changed the title selinux-policy installs /etc/selinux and therefore conflicts with libsemanage package Cannot build selinux policy extensions from the bottlerocket main policy package Dec 28, 2024
@bcressey
Contributor

bcressey commented Jan 7, 2025

If you don't specifically need the files from selinux-policy - which roughly speaking is a) some CIL files and b) integration glue like the /etc/selinux symlink - then I'd recommend doing this instead:

  1. install your own CIL files to the /usr/share/factory/var/lib/selinux path (like this)
  2. have a oneshot systemd unit that runs after (via Requires/After dependencies) selinux-policy-files.service that runs semodule -B to rebuild and reload the policy, which will include your own CIL files in the resulting policy.

That assumes that you don't need the revised policy to label files on the root filesystem, to mount local storage, or for systemd-tmpfiles-setup.service to run. If any of that applies, then this workaround won't work, and we'll need some sort of Twoliter integration instead so that the policy gets rebuilt at the time the image is created.

I can also see about moving the /etc/selinux symlink to the filesystem package, which would let you "wrap" the policy by repackaging its files, adding your own, and doing something like this to force yours to be used:

  BuildRequires: %{_cross_os}selinux-policy
  Provides: %{_cross_os}selinux-policy = 1:
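
The workaround in the first part of the comment above (ship your own CIL module under the factory copy of the policy store, then rebuild with `semodule -B` once selinux-policy-files.service has run), written out as an added example. This is not Bottlerocket project code. Everything beyond what the comment states is an assumption: the store name `fortified`, the module priority `400`, the module name `example_ext`, the unit name `selinux-policy-rebuild.service`, the `/usr/sbin/semodule` path, and enabling the unit via sysinit.target. The module directory layout (`.../active/modules/<priority>/<name>/{cil,lang_ext}`) is the standard libsemanage store layout.

```sh
#!/bin/sh
# Added example, not Bottlerocket project code. Stages a CIL module into the
# factory copy of the semanage store and a oneshot unit that runs `semodule -B`
# after selinux-policy-files.service, following the comment above.
set -eu

STORE=${STORE:-fortified}            # assumed store name under /var/lib/selinux
PRIORITY=${PRIORITY:-400}            # assumed; must not collide with base modules
MODNAME=${MODNAME:-example_ext}      # assumed module name
UNIT=selinux-policy-rebuild.service  # hypothetical unit name

# Write the module where libsemanage expects it. The factory path is copied to
# /var/lib/selinux on first boot, so the module is present when the policy is built.
write_cil_module() {
  destdir=$1
  moddir="$destdir/usr/share/factory/var/lib/selinux/$STORE/active/modules/$PRIORITY/$MODNAME"
  mkdir -p "$moddir"
  # Constructed CIL body: declares one new type. It refers to object_r, which
  # is assumed to exist in the base policy, so it cannot be compiled standalone.
  cat >"$moddir/cil" <<'EOF'
(type example_ext_t)
(roletype object_r example_ext_t)
EOF
  # lang_ext tells semodule which language the module file is written in.
  echo cil >"$moddir/lang_ext"
  chmod 0644 "$moddir/cil" "$moddir/lang_ext"
  echo "$moddir"
}

# Oneshot unit ordered after the unit that installs the base policy files.
# Requires= pulls that unit in; After= makes sure the rebuild does not race it.
write_rebuild_unit() {
  destdir=$1
  unitdir="$destdir/usr/lib/systemd/system"
  mkdir -p "$unitdir"
  cat >"$unitdir/$UNIT" <<EOF
[Unit]
Description=Rebuild SELinux policy to include local CIL modules
DefaultDependencies=no
Requires=selinux-policy-files.service
After=selinux-policy-files.service

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/sbin/semodule -B

[Install]
WantedBy=sysinit.target
EOF
  echo "$unitdir/$UNIT"
}

# Sanity check a practitioner wants before shipping: both ordering directives
# must name selinux-policy-files.service, or `semodule -B` may run too early.
check_unit_ordering() {
  unitfile=$1
  grep -qx 'Requires=selinux-policy-files.service' "$unitfile" &&
    grep -qx 'After=selinux-policy-files.service' "$unitfile"
}

# Usage: DESTDIR=/path/to/buildroot sh stage-policy-extension.sh
if [ -n "${DESTDIR:-}" ]; then
  write_cil_module "$DESTDIR"
  write_rebuild_unit "$DESTDIR"
fi
```

The caveat from the comment still applies: the rebuilt policy only exists after this unit runs, so anything that needs the extended policy earlier (labeling the root filesystem, mounting local storage, systemd-tmpfiles-setup.service) is not covered by this approach.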

@mikn
Author

mikn commented Jan 7, 2025 via email
