Summary: | Unconfined module is never loaded even when USE=unconfined in non-targeted policy (strict/mcs/mls) | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Rahul Sandhu <rahul> |
Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | rahul |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | emerge --info |
Description
Rahul Sandhu
2024-06-06 23:39:27 UTC
Created attachment 895278: emerge --info
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75d12a333e1866ad6affa62b95fe88be48f5b118

commit 75d12a333e1866ad6affa62b95fe88be48f5b118
Author:     Rahul Sandhu <rahul@sandhuservices.dev>
AuthorDate: 2024-08-02 19:37:54 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2024-08-25 00:48:19 +0000

    selinux-policy-2.eclass: Load unconfined module for mcs/mls policy types

    Currently, there doesn't seem to be a reason to block the loading of the
    unconfined policy module on the mcs and mls policy types. Let's ensure we
    load the unconfined policy module unconditionally in the eclass.

    The loading of the unconfined policy module was initially blocked in
    82e30f21ab85b6de3ebc45ae10b28b9bd280e4a1, however as far as I can tell,
    there is no longer a reason to do this. Considering there are use flags
    for sec-policy/selinux-base and sec-policy/selinux-base-policy for the
    unconfined policy module, and using the unconfined policy module is
    supported for the mcs and mls policy types, it makes sense to no longer
    block the loading of the policy module. It is also worth mentioning that
    grabbing an selinux stage3 has the unconfined policy module already
    loaded.

    As the strict policy is effectively the targeted policy without support
    for the unconfined domain, it makes sense to not load the unconfined
    module for strict policy types. Let's keep a conditional check for the
    strict policy to ensure we don't load the unconfined module in that case.

    Closes: https://bugs.gentoo.org/933709
    Closes: https://github.com/gentoo/gentoo/pull/37931
    Signed-off-by: Rahul Sandhu <rahul@sandhuservices.dev>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 eclass/selinux-policy-2.eclass | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)