I ran into integration issues with systemd-tmpfiles on Chrome OS because it is built without selinux support. With selinux configure option: drwxr-xr-x. 41 root root u:object_r:cros_run:s0 1020 Oct 1 11:23 /run drwxr-xr-x. 2 messagebus messagebus u:object_r:cros_run_dbus:s0 60 Mar 25 2020 /run/dbus srwxrwxrwx. 1 root root u:object_r:cros_system_bus_socket:s0 0 Mar 25 2020 /run/dbus/system_bus_socket Without selinux configure option: drwxr-xr-x. 46 root root u:object_r:cros_run:s0 1120 Nov 30 09:55 /run drwxr-xr-x. 2 messagebus messagebus u:object_r:tmpfs:s0 60 Nov 30 09:55 /run/dbus srwxrwxrwx. 1 root root u:object_r:tmpfs:s0 0 Nov 30 09:55 /run/dbus/system_bus_socket This is the change I tested: diff --git a/sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild b/sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild index 6898ebfa1..e0c74a0d9 100644 --- a/sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild +++ b/sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild @@ -117,7 +117,6 @@ src_configure() { resolve rfkill seccomp - selinux smack sysusers timedated I didn't see any additional files when I ran equery, but it might be worth putting the option behind the selinux USE flag. Reproducible: Always
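Review bot: Dropping `selinux` from the disable list unconditionally turns the SELinux build on for every consumer of this ebuild, and as the thread notes that pulls in sys-libs/libselinux without a matching DEPEND; gate it on the USE flag instead, e.g. `$(usex selinux '' selinux)` in that array (or the equivalent explicit entry in emesonargs) together with `selinux` in IUSE and `selinux? ( sys-libs/libselinux )` in DEPEND. The two listings in the report show why the option matters: without it every path tmpfiles creates under /run keeps the generic tmpfs type instead of the cros_run_dbus / cros_system_bus_socket labels the policy expects.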
Created attachment 675970 [details, diff] Patch that gates selinux support based on USE flag
This probably introduces a dependency on sys-libs/libselinux.
Created attachment 675973 [details, diff] Patch that gates selinux support based on USE flag This includes a gated DEPEND on sys-libs/libselinux
The attached ebuild adds $(usex selinux '' selinux) in the systemd_disable_options array; I'd use it below in emesonargs explicitly. It's just logical. I'll fix on merge.

What about policy? I doubt it needs the full systemd refpolicy, but doesn't it need at least something?

I don't have selinux installations around, so I can't really test it.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07c3932854eace4d4970c3845c3213d075097868 commit 07c3932854eace4d4970c3845c3213d075097868 Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2020-12-02 19:14:51 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2020-12-02 19:19:53 +0000 sys-apps/systemd-tmpfiles: add selinux useflag Bug: https://bugs.gentoo.org/757810 Package-Manager: Portage-3.0.11, Repoman-3.0.2 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
Leaving this bug open till it's verified that this fix is enough. My guess is it's enough for tmpfiles to set selinux attrs on files properly, but not sure if it's enough to run tmpfiles itself =)
(In reply to Georgy Yakovlev from comment #4)
> The attached ebuild adds $(usex selinux '' selinux) in the systemd_disable_options
> array; I'd use it below in emesonargs explicitly. It's just logical. I'll
> fix on merge.
>
> What about policy?
> I doubt it needs the full systemd refpolicy, but doesn't it need at least
> something?
>
> I don't have selinux installations around, so I can't really test it.

I am testing on Chrome OS, so the SELinux policy is already present. I had assumed that if someone has USE=selinux set there was already a profile provided elsewhere in Gentoo, but maybe I was wrong? Are you talking about a label for /bin/systemd-tmpfiles itself?
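A check of the kind the verification above calls for, added here as an example and not part of the bug thread: it scans an `ls -lZ` style listing (the sample lines are copied from the two listings in the report) and flags entries that only carry the fallback tmpfs type, which is what you see after tmpfiles was built without SELinux support. It assumes the security context is the fifth whitespace-separated field and the path is the last.

```shell
#!/bin/sh
# Added example, not part of the bug thread: flag paths under /run whose
# SELinux context still carries the generic "tmpfs" type, i.e. entries that
# systemd-tmpfiles created without applying the label the policy expects.
#
# Assumptions: input is an `ls -lZ` style listing in which the security
# context is the 5th whitespace-separated field and the path is the last.

# Sample lines, copied from the two listings in the bug report.
WITH_SELINUX='drwxr-xr-x. 41 root root u:object_r:cros_run:s0 1020 Oct 1 11:23 /run
drwxr-xr-x. 2 messagebus messagebus u:object_r:cros_run_dbus:s0 60 Mar 25 2020 /run/dbus
srwxrwxrwx. 1 root root u:object_r:cros_system_bus_socket:s0 0 Mar 25 2020 /run/dbus/system_bus_socket'

WITHOUT_SELINUX='drwxr-xr-x. 46 root root u:object_r:cros_run:s0 1120 Nov 30 09:55 /run
drwxr-xr-x. 2 messagebus messagebus u:object_r:tmpfs:s0 60 Nov 30 09:55 /run/dbus
srwxrwxrwx. 1 root root u:object_r:tmpfs:s0 0 Nov 30 09:55 /run/dbus/system_bus_socket'

# Reads a listing on stdin, prints "<path> <context>" for every entry whose
# context type is tmpfs, and returns 1 if any such entry was found.
find_fallback_labels() {
    awk '
        NF >= 6 {
            ctx = $5; path = $NF
            n = split(ctx, parts, ":")
            # user:role:type:level -> the type is the third component
            type = (n >= 3) ? parts[3] : ctx
            if (type == "tmpfs") {
                printf "%s %s\n", path, ctx
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Stand-alone run: the first listing is clean, the second reports two paths.
printf '%s\n' "$WITH_SELINUX" | find_fallback_labels && echo "with selinux: all labels applied"
printf '%s\n' "$WITHOUT_SELINUX" | find_fallback_labels || echo "without selinux: fallback labels found"
```

On a live system the same function can be fed `ls -lZ /run /run/dbus` after rebuilding with USE=selinux; any line it prints is a path that still needs the proper label.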
OK, everything seems to be fine here now; closing.