Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert "config: Enable CONFIG_SECURITY_SELINUX" #58

Merged
merged 1 commit into from
Apr 29, 2024
Merged

Revert "config: Enable CONFIG_SECURITY_SELINUX" #58

merged 1 commit into from
Apr 29, 2024

Conversation

albertofaria
Copy link
Member

This reverts commit ce7277c.

SELinux was enabled for crun-vm's [1] use case of running bootc-install, but the dependency on SELinux was since dropped.

Re-disable SELinux to avoid bloat. This has no effect on the x86_64 image since its defconfig includes CONFIG_SECURITY_SELINUX=y, but it should help reduce the aarch64 image size.

[1] https://github.com/containers/crun-vm

@albertofaria
Revert "config: Enable CONFIG_SECURITY_SELINUX"
60f62c9 
This reverts commit ce7277c.

SELinux was enabled for crun-vm's [1] use case of running bootc-install,
but the dependency on SELinux was since dropped.

Re-disable SELinux to avoid bloat. This has no effect on the x86_64
image since its defconfig includes CONFIG_SECURITY_SELINUX=y, but it
should help reduce the aarch64 image size.

[1] https://github.com/containers/crun-vm

Signed-off-by: Alberto Faria <afaria@redhat.com>
@albertofaria
Copy link
Member Author

Re-disable SELinux to avoid bloat. This has no effect on the x86_64 image since its defconfig includes CONFIG_SECURITY_SELINUX=y, but it should help reduce the aarch64 image size.

Actually, if this is true I wonder how x86_64 buils at all without the adjustment to the downstream patches. I'm missing something here.

@tylerfanelli
Copy link
Collaborator

@albertofaria What are you referring to by "downstream patches"? Are you referring to the patches already applied to the kernel provided by libkrunfw?

@albertofaria
Copy link
Member Author

@albertofaria What are you referring to by "downstream patches"? Are you referring to the patches already applied to the kernel provided by libkrunfw?

Yes.

@slp
Copy link
Contributor

slp commented Apr 29, 2024

Re-disable SELinux to avoid bloat. This has no effect on the x86_64 image since its defconfig includes CONFIG_SECURITY_SELINUX=y, but it should help reduce the aarch64 image size.

Actually, if this is true I wonder how x86_64 buils at all without the adjustment to the downstream patches. I'm missing something here.

We're using make olddefconfig so the kernel config system is not using the value for SELinux from x86_64_defconfig.

Thanks for the PR!

@slp slp merged commit bb1506b into containers:main Apr 29, 2024
3 checks passed
@albertofaria
Copy link
Member Author

@slp I see. FWIW I didn't see a reduction in image size when disabling CONFIG_SECURITY_SELINUX.

@albertofaria albertofaria deleted the disable-selinux branch April 29, 2024 10:13
@germag
Copy link

germag commented Jul 19, 2024

I think this was reverted too quickly, it seems that SELinux is a requirement again

@albertofaria
Copy link
Member Author

albertofaria commented Jul 19, 2024
edited
Loading

@germag Do you mean it is a requirement for crun-vm specifically, or for bootc install in general?

@germag
Copy link

germag commented Jul 19, 2024

@germag Do you mean it is a requirement for crun-vm specifically, or for bootc install in general?

bootc install it fails to install when it tries to set the selinux labels (at least for me)

@germag
Copy link

germag commented Jul 19, 2024
edited
Loading

bootc install it fails to install when it tries to set the selinux labels (at least for me)

@albertofaria it seems my issue is unrelated to this PR.
But, in any case, installing a bootc image using a kernel that doesn't support selinux is not well tested

@albertofaria
Copy link
Member Author

True:

Host kernel does not have SELinux support, but target enables it by default; this is less well tested. See https://github.com/containers/bootc/issues/419

But containers/bootc#419 seems to indicate that it will eventually be (sufficiently?) tested?

@germag
Copy link

germag commented Jul 19, 2024

True:

Host kernel does not have SELinux support, but target enables it by default; this is less well tested. See https://github.com/containers/bootc/issues/419

But containers/bootc#419 seems to indicate that it will eventually be (sufficiently?) tested?

I have this discussion with Colin about installing with different kernel/kernel feature, I'm not sure if it will be free of issues. Since it doesn't change the kernel size, maybe it's safer to leave it enabled (?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slp slp slp approved these changes

@crobinso crobinso Awaiting requested review from crobinso

@tylerfanelli tylerfanelli Awaiting requested review from tylerfanelli tylerfanelli is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@albertofaria @tylerfanelli @slp @germag