
Keep/Remove Python dependent package: policycoreutils-python #126

Closed
sinnykumari opened this issue Jan 17, 2019 · 10 comments · Fixed by coreos/fedora-coreos-config#88
Labels
-python card related to removing a python dependency

Comments

@sinnykumari
Contributor

FCOS community members are trying not to ship Python in the base system. In ticket #92, we have identified a list of Python-dependent packages which are currently installed in FCOS.

This ticket is to investigate whether we really need policycoreutils-python in the FCOS base system. If yes, how can we provide policycoreutils-python or equivalent functionality without shipping Python?

@dustymabe dustymabe added the -python card related to removing a python dependency label Jan 17, 2019
@dustymabe
Member

This currently isn't in Fedora CoreOS, but the policycoreutils-python-utils rpm (which requires python3-policycoreutils) maybe should be. It provides:

[root@vanilla-f29-atomic ~]# rpm -ql policycoreutils-python-utils | head -n 6
/etc/dbus-1/system.d/org.selinux.conf
/usr/bin/audit2allow
/usr/bin/audit2why
/usr/bin/chcat
/usr/bin/sandbox
/usr/sbin/semanage

To me the biggest one of those is semanage IMHO. I don't know if we can get by without it as there is a lot that it does.

cc @cgwalters @bgilbert @lucab

@sinnykumari sinnykumari added the meeting topics for meetings label Feb 20, 2019
@bgilbert bgilbert removed the meeting topics for meetings label Feb 20, 2019
@sinnykumari
Contributor Author

@rhatdan We are trying to remove Python-dependent packages from the FCOS base system. Right now we have policycoreutils-python-utils included in the host, providing utilities like semanage. Will it be possible to run it inside a container and manage the SELinux policy of the host from the container? If not, do we have any other alternative option?

@rhatdan

rhatdan commented Feb 21, 2019

I think you should be able to remove semanage from the system.

semodule for loading SELinux policy modules, and setsebool for setting booleans, should be all that is needed, and those are written in C.

@dustymabe
Member

What happens if someone needs to change file contexts?

@rhatdan

rhatdan commented Feb 21, 2019

They have chcon and restorecon for that. The issue would be if someone ran a restorecon on the entire system.
semanage fcontext ... modifies the file context database but not the labels on disk. It is not ideal, but should work for the most part, and you could always add semanage via layering.
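As an added example (not code from the thread or from the FCOS project): the persistent part of what `semanage fcontext -a -t TYPE 'PATH(/.*)?'` does can be reproduced with only the C tools named above, by writing the file-context rule as a small CIL policy module, loading it with `semodule`, and then relabeling the tree with `restorecon` (which is the step the thread points out `semanage fcontext` alone does not do). Assumptions: `semodule` accepts `.cil` modules directly (libsemanage 2.4 and later), the target type (`httpd_sys_content_t` here) already exists in the loaded policy, `matchpathcon` from libselinux-utils is available for the check, and the path, type and module name are illustrative. Loading and relabeling require root on an SELinux-enabled host; the generator function runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread or the FCOS project.
# Persist a file-context rule without semanage: CIL module + semodule + restorecon.
# Path regex, type and module name below are illustrative assumptions.

# Emit one CIL filecon rule labeling everything matching PATHRE as TYPE.
# "any" matches every file class; ((s0) (s0)) is the default MCS range used
# for file labels in Fedora's targeted policy.
gen_fcontext_cil() {
    pathre="$1"; type="$2"
    printf '(filecon "%s" any (system_u object_r %s ((s0) (s0))))\n' "$pathre" "$type"
}

# Build the module file, install it with semodule (persists across reboots and
# policy reloads), then relabel the on-disk tree so the new rule takes effect.
apply_fcontext() {
    name="$1"; pathre="$2"; type="$3"; relabel_root="$4"
    tmp="$(mktemp -d)"
    gen_fcontext_cil "$pathre" "$type" > "$tmp/$name.cil"
    semodule -i "$tmp/$name.cil"      # semodule picks the CIL loader from the .cil suffix
    restorecon -Rv "$relabel_root"    # semodule alone changes the database, not the labels
    rm -rf "$tmp"
}

# Report the context the loaded policy assigns to a path (assumes libselinux-utils).
check_fcontext() {
    matchpathcon "$1"
}

# Only touch the host when explicitly asked: `sh thisfile.sh apply` as root.
if [ "${1-}" = "apply" ]; then
    apply_fcontext local_www '/srv/www(/.*)?' httpd_sys_content_t /srv/www
    check_fcontext /srv/www/index.html
fi
```

To undo, `semodule -r local_www` removes the rule; a follow-up `restorecon -R /srv/www` then reverts the labels. This covers the fcontext side only; booleans remain `setsebool -P`, and allow rules that `audit2allow` would have generated from AVC denials would likewise have to be written by hand as CIL `allow` statements.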

@dustymabe
Member

Cool, thanks for the info @rhatdan.
The only final question I have is how hard it would be to rewrite semanage in a compiled language :)

@rhatdan

rhatdan commented Feb 21, 2019

In general, very difficult. I think writing something that manipulated the file contexts would be fairly simple.

@dustymabe
Member

Discussed in the meeting this past Wednesday:

We agreed to ask Dan Walsh for feedback, which he has conveniently already provided :)

@dustymabe dustymabe added the meeting topics for meetings label Feb 22, 2019
@sinnykumari
Contributor Author

Adding this for information:
semodule, setsebool and restorecon are provided by the policycoreutils package. chcon is provided by coreutils (already included in FCOS).

@sinnykumari sinnykumari removed the meeting topics for meetings label Feb 27, 2019
@sinnykumari
Contributor Author

During FCOS community meeting, we agreed to experiment with initially not shipping policycoreutils-python-utils in the FCOS base system.
