I have implemented SELinux support for live-build.

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
This commit:
  - Adds extended attributes to the squashfs filesystem so that SELinux can be properly supported
  - Adds the needed SELinux packages so that SELinux can work in the squashfs Debian GNU/Linux system
  - Adds the proper kernel command line parameters to enable SELinux according to the chosen enforced or permissive mode.

All of that combined lets you either:
  - Harden your live system (`--selinux enforced`)
  - Interact with other SELinux filesystems without hardening the live system (`--selinux permissive`).

- Enforced mode means that the system will not allow a program/process to interact with a file for which it does not have the proper filesystem permission (based on SELinux extended attributes).
- Permissive mode means that the system will allow a program/process to interact with a file for which it does not have the proper filesystem permission (based on SELinux extended attributes). This SELinux policy infringement will be logged, though, so that it can be properly fixed if needed.

Default mode is `auto` which equals to `disable

You can review its associated Merge Request at: https://salsa.debian.org/live-team/live-build/-/merge_requests/354 .

Feedback is appreciated either here or on the MR itself.

Thank you!

adrian15
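
A check for the modes described in the message above, as an added example that is not part of the original message or of the merge request: it classifies the SELinux mode a kernel command line requests and reads the mode a booted system reports. It assumes the standard kernel parameters `selinux=`, `enforcing=`, `security=` and `lsm=` and a kernel where SELinux is not the default LSM; the parameters live-build actually writes are defined in the merge request, and the kernel reports the enforced mode as "enforcing".

```shell
#!/bin/sh
# Added example (not from the merge request). Assumptions: the standard kernel
# parameters selinux=, enforcing=, security= and lsm=; a kernel where SELinux is
# not the default LSM and must be selected on the command line.

# Print the SELinux mode a kernel command line asks for:
# disabled | enforcing | permissive | unspecified (left to /etc/selinux/config)
selinux_mode_from_cmdline() {
    sel=1 enf="" chosen=no
    for arg in $1; do                 # later parameters override earlier ones
        case "$arg" in
            selinux=*)        sel="${arg#selinux=}" ;;
            enforcing=*)      enf="${arg#enforcing=}" ;;
            security=selinux) chosen=yes ;;
            security=*)       chosen=no ;;
            lsm=*) case ",${arg#lsm=}," in
                       *,selinux,*) chosen=yes ;;
                       *)           chosen=no ;;
                   esac ;;
        esac
    done
    if [ "$sel" = 0 ] || [ "$chosen" = no ]; then echo disabled
    elif [ -z "$enf" ]; then echo unspecified
    elif [ "$enf" = 0 ]; then echo permissive
    else echo enforcing
    fi
}

# Print the mode the running kernel reports through selinuxfs.
# $1: path to the "enforce" file (default /sys/fs/selinux/enforce)
selinux_runtime_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$f" ]; then echo disabled
    elif [ "$(cat "$f")" = 1 ]; then echo enforcing
    else echo permissive
    fi
}

# Constructed sample command lines, one per mode described in the message.
for sample in \
    "boot=live components security=selinux selinux=1 enforcing=1" \
    "boot=live components security=selinux selinux=1 enforcing=0" \
    "boot=live components quiet"
do
    printf '%-12s <- %s\n' "$(selinux_mode_from_cmdline "$sample")" "$sample"
done
```

On a booted image, compare `selinux_mode_from_cmdline "$(cat /proc/cmdline)"` with `selinux_runtime_mode`; a mismatch means the mode was changed after boot or set by `/etc/selinux/config`.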
