From 196410e4f5665d4d2bf6c818d06f1c8d03cfa8cc Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Wed, 5 Sep 2018 12:50:53 +0200
Subject: dashboard/config: re-enable selinux

Upstream "selinux: fix mounting of cgroup2 under older policies" commit fixes mounting of cgroup2 under wheezy selinux policy. So don't disable selinux on start. Create separate cmdline arguments that enable selinux and apparmor.
---
 dashboard/config/upstream-apparmor.cmdline | 9 +++++++++
 dashboard/config/upstream-selinux.cmdline | 9 +++++++++
 dashboard/config/upstream.cmdline | 8 --------
 pkg/build/linux_generated.go | 1 -
 tools/create-gce-image.sh | 3 ---
 tools/create-image.sh | 1 -
 6 files changed, 18 insertions(+), 13 deletions(-)
 create mode 100644 dashboard/config/upstream-apparmor.cmdline
 create mode 100644 dashboard/config/upstream-selinux.cmdline
 delete mode 100644 dashboard/config/upstream.cmdline

diff --git a/dashboard/config/upstream-apparmor.cmdline b/dashboard/config/upstream-apparmor.cmdline
new file mode 100644
index 000000000..1a85912cb
--- /dev/null
+++ b/dashboard/config/upstream-apparmor.cmdline
@@ -0,0 +1,9 @@
+security=apparmor
+workqueue.watchdog_thresh=140
+kvm-intel.nested=1
+nf-conntrack-ftp.ports=20000
+nf-conntrack-tftp.ports=20000
+nf-conntrack-sip.ports=20000
+nf-conntrack-irc.ports=20000
+nf-conntrack-sane.ports=20000
+nopcid
diff --git a/dashboard/config/upstream-selinux.cmdline b/dashboard/config/upstream-selinux.cmdline
new file mode 100644
index 000000000..fbfc9f6f9
--- /dev/null
+++ b/dashboard/config/upstream-selinux.cmdline
@@ -0,0 +1,9 @@
+security=selinux
+workqueue.watchdog_thresh=140
+kvm-intel.nested=1
+nf-conntrack-ftp.ports=20000
+nf-conntrack-tftp.ports=20000
+nf-conntrack-sip.ports=20000
+nf-conntrack-irc.ports=20000
+nf-conntrack-sane.ports=20000
+nopcid
diff --git a/dashboard/config/upstream.cmdline b/dashboard/config/upstream.cmdline
deleted file mode 100644
index b475f380a..000000000
--- a/dashboard/config/upstream.cmdline
+++ /dev/null
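Review bot: `security=apparmor` on the first line of the new upstream-apparmor.cmdline only selects AppArmor if the kernel being booted was built with that LSM (CONFIG_SECURITY_APPARMOR) and the guest image has AppArmor policy to load; this commit changes neither the kernel config nor the image scripts for AppArmor, so if either is missing the boot presumably comes up with no major LSM active rather than failing, and the "apparmor" instance would be indistinguishable from an unconfined one. The same applies to `security=selinux` in upstream-selinux.cmdline, which now relies on the distro's /etc/selinux/config since the image scripts no longer write `SELINUX=disabled`. The two files are also identical apart from their first line, so any future change to the eight shared parameters has to be made twice; it is worth recording wherever these cmdline files are referenced that they are meant to stay in sync, and having the dashboard surface the active LSM from the booted kernel so a silent fallback is noticed. Hedged, since the kernel config and the consumer of these files are outside this diff.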
@@ -1,8 +0,0 @@
-workqueue.watchdog_thresh=140
-kvm-intel.nested=1
-nf-conntrack-ftp.ports=20000
-nf-conntrack-tftp.ports=20000
-nf-conntrack-sip.ports=20000
-nf-conntrack-irc.ports=20000
-nf-conntrack-sane.ports=20000
-nopcid
diff --git a/pkg/build/linux_generated.go b/pkg/build/linux_generated.go
index 11a00bba4..14df94954 100644
--- a/pkg/build/linux_generated.go
+++ b/pkg/build/linux_generated.go
@@ -67,7 +67,6 @@ for i in {0..31}; do
 echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \
 sudo tee -a disk.mnt/etc/udev/50-binder.rules
 done
-echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config
 echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf
 echo "debug.exception-trace = 0" | sudo tee -a disk.mnt/etc/sysctl.conf
diff --git a/tools/create-gce-image.sh b/tools/create-gce-image.sh
index 177c208ee..0db7fc065 100755
--- a/tools/create-gce-image.sh
+++ b/tools/create-gce-image.sh
@@ -108,9 +108,6 @@ for i in {0..31}; do
 echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \
 sudo tee -a disk.mnt/etc/udev/50-binder.rules
 done
-# We disable selinux for now because the default policy on wheezy prevents
-# mounting of cgroup2 (and stretch we don't know how to configure yet).
-echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config
 # sysctls
 echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf
diff --git a/tools/create-image.sh b/tools/create-image.sh
index a0ad610c8..91eb0a133 100755
--- a/tools/create-image.sh
+++ b/tools/create-image.sh
@@ -19,7 +19,6 @@ echo 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' | sudo tee -a $DIR/etc/in
 printf '\nauto eth0\niface eth0 inet dhcp\n' | sudo tee -a $DIR/etc/network/interfaces
 echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' | sudo tee -a $DIR/etc/fstab
 echo 'binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc defaults 0 0' | sudo tee -a $DIR/etc/fstab
-echo 'SELINUX=disabled' | sudo tee $DIR/etc/selinux/config
 echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf
 echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf
 echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf
--
cgit mrf-deployment