Experimental Rawhide Kernels Part 223 Apr 2019 tags: audit selinux
Back in 2015 I started building Fedora Rawhide kernel packages with the SELinux and audit linux-next patches applied and making them available via a Fedora COPR repository. I did this both to try and make the SELinux and audit development work more accessible to people not familiar with patching and building kernels, as well as to help enable regular, automated testing of these development patches before they made their way into Linus’ tree. I spoke about this in more detail during a 2016 Flock presentation on Testing Bleeding Edge Kernels.
Now, almost four years after building the first of these kernels, I’ve reached a point where the entire process from generating a patched kernel SRPM, to testing the resulting kernel build is fully automated. Occasionally the system does require intervention to resolve patch merge conflicts, but those are surprisingly infrequent, and something that only needs to be dealt with once for each conflict. At some point in the future I’ll write up how everything works, but the plumbing is still a bit crude at the moment and I’d like to clean it up first. In the meantime you can look at my copr-pkg_scipts repository on GitHub, those scripts are the “smarts” for generating the patches from the development trees and creating the patched kernel SRPMs.
With everything in place, and working well for a few months, I want to make the results (both the kernel builds and the test results) available to a wider audience. However, as these are “bleeding edge” development kernel builds, I feel it is important to stress that these kernels are use-at-your-own-risk; they may be awesome, but they also may blow up in spectacular fashion and take your filesystem with it - be warned.
Kernel “secnext” Test Results
Those of you who wish to see the Fedora Rawhide kernel patches, the build notifications, and the test results, can find them on the kernel-secnext Google group:
The test system is a Fedora Rawhide VM that is fully updated prior to running the selinux-testsuite and audit-testsuite. Mellanox has kindly provided some InfiniBand hardware so that the SELinux InfiniBand tests can be run as well.
Kernel “secnext” Builds
Unfortunately, the Fedora COPR build system has been growing increasingly problematic for kernel builds over the past several years. Build times have been increasing to the point where eight hour builds are not uncommon, and the build chroot often breaks when Fedora Rawhide moves to the next release. While I really like the idea of COPR, I feel the reality of the Fedora COPR implementation is a disappointment for kernel builders. Because of this, in addition to the COPR builds, I’ve started building the kernel packages myself, you can find links to my YUM/DNF repository below. At the moment the repository has both x86_64 and aarch64 kernel packages, as well as the SRPMs. For those who prefer COPR, I will keep submitting the COPR builds, but I’m unlikely to spend any time resolving COPR specific build breakages.