* manually backport fix commit for journald assertion bug
* bootstrap package, toolchain manifests
* swap out raw diff for the patch, including more information from upstream
* add newline to patch
* remove redundant comment in specs
Additional mitigation step for CVE-2021-20194. Our kernels are typically
hardened with CONFIG_HARDENED_USERCOPY=y so we are not exposed to this
vulnerability specifically. But if this ends up not being the case in
the future, we have this mitigation enabled as well.
Signed-off-by: Chris Co <chrco@microsoft.com>
* Add SELinux packages to Mariner.
This commit add the following packages to Mariner to provide basic
SELinux support:
- checkpolicy
- libsemanage
- mcstrans
- policycoreutils
- secilc
- selinux-policy
- setools
The selinux-policy provided here is a generic base policy, which is not
specifically tuned for Mariner, therefore only permissive mode support
is enabled in this commit. (Although users could load a custom policy
to run in enforcing mode). Future phases have been discussed to add
SELinux enforcing mode support.
This commit does not enable SELinux by default. In order to enable
SELinux support, one must first install necessary packages (libselinux,
policycoreutils, secilc, selinux-policy), and then append "lsm=selinux
selinux=1" to the kernel command line. This will trigger an initial
boot to relabel the system, at which point the system will reboot, and
boot into an SELinux enabled system. SELinux state can be queried with
the "getenforce" command line tool. If SELinux has not been enabled, it
will report "Disabled" (the default). If SELinux support has been
enabled as described in this paragraph, it will report "permissive".
This commit also modifies the following packages to enabled SELinux
functionality in existing packages:
- coreutils
- cronie
- dbus
- openssh
- pam
- rpm
- shadow-utils
- systemd
- util-linux
This enables them to build with SELinux support so that when SELinux is
enabled, they have SELinux related functionality available.
Because coreutils is a basic package and requires building with
libselinux-devel present in order to enable key SELinux functionality,
several dependencies in other packages that rely on coreutils (namely
python2, python3 and systemd-bootstrap) had to be removed in order to
avoid circular dependencies. There does not appear to be a functional
impact from this change based on my testing.
nicolas guibourge