ben/silverblue-images
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Removing unnecessary selinux stuff

Browse Source
This commit is contained in:
Ben Radey
2025-10-11 15:10:44 -04:00
parent 97196af0f3
commit 46069ff630
3 changed files with 2 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
f42-server/Containerfile
+2 -16
View File
@@ -14,21 +14,6 @@ FROM quay.io/fedora/fedora-silverblue:42
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
# Set up custom SELinux policies
#COPY synapse.te /tmp/synapse.te
#COPY benZfsSnapshotAutomount.te /tmp/benZfsSnapshotAutomount.te
#RUN checkmodule -M -m -o /tmp/synapse.mod /tmp/synapse.te \
# && semodule_package -o /tmp/synapse.pp -m /tmp/synapse.mod \
# && semodule -r synapse || true \
# && semodule -i /tmp/synapse.pp \
# && rm -f /tmp/synapse.{te,mod,pp} \
# && checkmodule -M -m -o /tmp/benZfsSnapshotAutomount.mod /tmp/benZfsSnapshotAutomount.te \
# && semodule_package -o /tmp/benZfsSnapshotAutomount.pp -m /tmp/benZfsSnapshotAutomount.mod \
# && semodule -r benZfsSnapshotAutomount || true \
# && semodule -i /tmp/benZfsSnapshotAutomount.pp \
# && rm -f /tmp/benZfsSnapshotAutomount.{te,mod,pp}
# Install ZFS repository # Install ZFS repository
RUN dnf install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-2-8$(rpm --eval "%{dist}").noarch.rpm && \ RUN dnf install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-2-8$(rpm --eval "%{dist}").noarch.rpm && \
# cleanup and verification stage # cleanup and verification stage
@@ -89,7 +74,8 @@ RUN dnf install -y \
stress-ng \ stress-ng \
telnet \ telnet \
vim \ vim \
zrepl-v0.6.0-1.x86_64 zrepl-v0.6.0-1.x86_64 \
&& dnf clean all
# Cleanup image for linting # Cleanup image for linting
RUN test -f /usr/lib/sysusers.d/libvirt.conf || echo -e 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf && \ RUN test -f /usr/lib/sysusers.d/libvirt.conf || echo -e 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf && \
f42-server/benZfsSnapshotAutomount.te
-24
View File
@@ -1,24 +0,0 @@
module benZfsSnapshotAutomount 1.1;
require {
type container_file_t;
type device_t;
type fs_t;
type kernel_generic_helper_t;
type mount_exec_t;
type unlabeled_t;
class capability { setgid setuid sys_admin };
class chr_file { ioctl open read write };
class dir { mounton search };
class file { execute open read execute_no_trans map getattr };
class filesystem mount;
}
#============= kernel_generic_helper_t ==============
allow kernel_generic_helper_t container_file_t:dir search;
allow kernel_generic_helper_t device_t:chr_file { ioctl open read write };
allow kernel_generic_helper_t fs_t:filesystem mount;
allow kernel_generic_helper_t mount_exec_t:file { execute open read execute_no_trans map getattr };
allow kernel_generic_helper_t self:capability { setgid setuid sys_admin };
allow kernel_generic_helper_t unlabeled_t:dir { mounton search };
f42-server/synapse.te
-14
View File
@@ -1,14 +0,0 @@
module synapse 1.1;
require {
type httpd_t;
type unreserved_port_t;
class tcp_socket name_bind;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow httpd_t unreserved_port_t:tcp_socket name_bind;