Skip to content

Commit b3602a1

Browse files
ckyrouacckyrouac
authored
Merge pull request #1250 from cgwalters/doc-selinux-reexec
lsm: Add more comments about the SELinux reexec
2 parents f01fbae + a88fad5 commit b3602a1

File tree

1 file changed

+20
-0
lines changed

1 file changed

+20
-0
lines changed

lib/src/lsm.rs

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,9 +37,15 @@ fn get_current_security_context() -> Result<String> {
3737
std::fs::read_to_string(SELF_CURRENT).with_context(|| format!("Reading {SELF_CURRENT}"))
3838
}
3939

40+
/// Check if the current process has the capability to write SELinux security
41+
/// contexts unknown to the current policy. In SELinux terms this capability is
42+
/// gated under `mac_admin` (admin control over SELinux state), and in the Fedora
43+
/// policy at least it's part of `install_t`.
4044
#[context("Testing install_t")]
4145
fn test_install_t() -> Result<bool> {
4246
let tmpf = tempfile::NamedTempFile::new()?;
47+
// Our implementation here writes a label which is always unknown to the current policy
48+
// to verify that we have the capability to do so.
4349
let st = Command::new("chcon")
4450
.args(["-t", "invalid_bootcinstall_testlabel_t"])
4551
.arg(tmpf.path())
@@ -48,6 +54,20 @@ fn test_install_t() -> Result<bool> {
4854
Ok(st.success())
4955
}
5056

57+
/// Ensure that the current process has the capability to write SELinux security
58+
/// contexts unknown to the current policy.
59+
///
60+
/// See [`test_install_t`] above for how we check for that capability.
61+
///
62+
/// In the general case of both upgrade or install, we may e.g. jump major versions
63+
/// or even operating systems, and we need the ability to write arbitrary labels.
64+
/// If the current process doesn't already have `mac_admin/install_t` then we
65+
/// make a new temporary copy of our binary, and give it the same label as /usr/bin/ostree,
66+
/// which in Fedora derivatives at least was already historically labeled with
67+
/// the correct install_t label.
68+
///
69+
/// However, if you maintain a bootc operating system with SELinux, you should from
70+
/// the start ensure that /usr/bin/bootc has the correct capabilities.
5171
#[context("Ensuring selinux install_t type")]
5272
pub(crate) fn selinux_ensure_install() -> Result<bool> {
5373
let guardenv = "_bootc_selinuxfs_mounted";

0 commit comments

Comments
 (0)