chore: build SELinux policy using tools

Use reproducible tools, not host secilc unavailable on some systems Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Aug 26, 2024 · e12bc2e · e12bc2e
1 parent 42a3ea9
commit e12bc2e
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 13 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,8 +1,6 @@
 **
 !api
 !selinux
-!policy.33
-!file_contexts
 !cmd
 !docs
 !hack

diff --git a/Dockerfile b/Dockerfile
@@ -614,11 +614,16 @@ EOF
 FROM scratch AS modules-arm64
 COPY --from=depmod-arm64 /build/lib/modules /lib/modules
 
+FROM tools as selinux
+COPY ./selinux /selinux
+RUN secilc -c 33 /selinux/**/*.cil -vvvvv
+RUN mkdir -p /rootfs/selinux
+RUN mkdir -p /rootfs/etc/selinux/talos
+RUN cp /policy.33 /rootfs/etc/selinux/talos/
+
 # The rootfs target provides the Talos rootfs.
 FROM build AS rootfs-base-amd64
 COPY --link --from=pkg-fhs / /rootfs
-RUN mkdir /rootfs/selinux
-RUN mkdir -p /rootfs/etc/selinux/talos
 COPY --link --from=pkg-ca-certificates / /rootfs
 COPY --link --from=pkg-apparmor-amd64 / /rootfs
 COPY --link --from=pkg-cni-stripped-amd64 / /rootfs
@@ -687,14 +692,10 @@ RUN <<END
     ln -s /etc/ssl /rootfs/usr/local/share/ca-certificates
     ln -s /etc/ssl /rootfs/etc/ca-certificates
 END
-COPY ./selinux /rootfs/etc/selinux/talos/cil
-COPY ./file_contexts /rootfs/etc/selinux/talos/
-COPY ./policy.33 /rootfs/etc/selinux/talos/
+COPY --link --from=selinux /rootfs /rootfs
 
 FROM build AS rootfs-base-arm64
 COPY --link --from=pkg-fhs / /rootfs
-RUN mkdir /rootfs/selinux
-RUN mkdir -p /rootfs/etc/selinux/talos
 COPY --link --from=pkg-apparmor-arm64 / /rootfs
 COPY --link --from=pkg-cni-stripped-arm64 / /rootfs
 COPY --link --from=pkg-flannel-cni-arm64 / /rootfs
@@ -761,6 +762,7 @@ RUN <<END
     ln -s /etc/ssl /rootfs/usr/local/share/ca-certificates
     ln -s /etc/ssl /rootfs/etc/ca-certificates
 END
+COPY --link --from=selinux /rootfs /rootfs
 
 FROM rootfs-base-${TARGETARCH} AS rootfs-base
 RUN find /rootfs -print0 \
@@ -770,7 +772,7 @@ FROM rootfs-base-arm64 AS rootfs-squashfs-arm64
 ARG ZSTD_COMPRESSION_LEVEL
 RUN find /rootfs -print0 \
     | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
-COPY ./file_contexts /file_contexts
+COPY --from=selinux /file_contexts /file_contexts
 COPY ./hack/labeled-squashfs.sh /
 ENV SHELL=/toolchain/bin/bash
 RUN fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts ${ZSTD_COMPRESSION_LEVEL}
@@ -779,7 +781,7 @@ FROM rootfs-base-amd64 AS rootfs-squashfs-amd64
 ARG ZSTD_COMPRESSION_LEVEL
 RUN find /rootfs -print0 \
     | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
-COPY ./file_contexts /file_contexts
+COPY --from=selinux /file_contexts /file_contexts
 COPY ./hack/labeled-squashfs.sh /
 ENV SHELL=/toolchain/bin/bash
 RUN fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts ${ZSTD_COMPRESSION_LEVEL}

diff --git a/selinux/immutable/preamble.cil b/selinux/immutable/preamble.cil
@@ -1,5 +1,3 @@
-; FIXME: integrate into build system: secilc -c 33 selinux/**/*.cil
-
 (sensitivity s0)
 (sensitivityorder (s0))
 (level systemLow (s0))