Skip to content

Commit

Permalink
Enable SELinux for tumbleweed and rename it to green
Browse files Browse the repository at this point in the history
Signed-off-by: David Cassany <[email protected]>
  • Loading branch information
davidcassany committed Apr 22, 2024
1 parent c80eaa9 commit 817021c
Show file tree
Hide file tree
Showing 11 changed files with 81 additions and 53 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
- id: set-matrix
run: |
if [ "${{ contains(github.event.pull_request.labels.*.name, 'all-distros') }}" == "true" ]; then
echo "flavor=['green', 'tumbleweed', 'blue', 'orange']" >> $GITHUB_OUTPUT
echo "flavor=['green', 'blue', 'orange']" >> $GITHUB_OUTPUT
else
echo "flavor=['green']" >> $GITHUB_OUTPUT
fi
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/manual_arm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
build-matrix:
strategy:
matrix:
flavor: ['green', 'tumbleweed']
flavor: ['green']
uses: ./.github/workflows/build_and_test_arm.yaml
with:
flavor: ${{ matrix.flavor }}
2 changes: 1 addition & 1 deletion .github/workflows/nightly.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
build-matrix:
strategy:
matrix:
flavor: ['green', 'tumbleweed']
flavor: ['green']
uses: ./.github/workflows/build_and_test_x86.yaml
with:
flavor: ${{ matrix.flavor }}
File renamed without changes.
43 changes: 16 additions & 27 deletions examples/tumbleweed/Dockerfile → examples/green-legacy/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,38 +1,24 @@
# run `make build` to build local/elemental-toolkit image
ARG TOOLKIT_REPO
ARG VERSION
ARG OS_IMAGE=registry.opensuse.org/opensuse/tumbleweed
ARG OS_VERSION=latest

FROM ${TOOLKIT_REPO}:${VERSION} AS TOOLKIT

# OS base image of our choice
FROM ${OS_IMAGE}:${OS_VERSION} AS OS
FROM registry.opensuse.org/opensuse/leap:15.5 as OS
ARG REPO
ARG VERSION
ENV REPO=${REPO}
ENV VERSION=${VERSION}

# Workaround for RISC-V, specific kernel might be needed for some boards
ARG ADD_REPO
ENV ADD_REPO=${ADD_REPO}

# Install kernel, systemd, dracut, grub2 and other required tools
# install kernel, systemd, dracut, grub2 and other required tools
RUN ARCH=$(uname -m); \
zypper --non-interactive removerepo repo-update || true; \
if [[ -n "${ADD_REPO}" ]]; then \
zypper --non-interactive addrepo --enable --refresh ${ADD_REPO} added-repo; \
fi; \
if [[ "${ARCH}" != "riscv64" ]]; then \
ADD_PKGS+=" shim"; \
[[ "${ARCH}" == "aarch64" ]] && ARCH="arm64"; \
fi; \
zypper --non-interactive --gpg-auto-import-keys install --no-recommends -- \
[[ "${ARCH}" == "aarch64" ]] && ARCH="arm64"; \
zypper --non-interactive install --no-recommends -- \
kernel-default \
device-mapper \
dracut \
grub2 \
grub2-${ARCH}-efi \
shim \
haveged \
systemd \
NetworkManager \
Expand All @@ -56,28 +42,31 @@ RUN ARCH=$(uname -m); \
less \
sudo \
curl \
sed \
patch \
iproute2 \
btrfsprogs \
btrfsmaintenance \
snapper \
podman \
${ADD_PKGS} && \
sed && \
zypper clean --all

# Just add the elemental cli
COPY --from=TOOLKIT /usr/bin/elemental /usr/bin/elemental

# Enable essential services
RUN systemctl enable NetworkManager.service && \
systemctl enable sshd.service
RUN systemctl enable NetworkManager.service

# This is for automatic testing purposes, do not do this in production.
RUN echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/rootlogin.conf
# Enable /tmp to be on tmpfs
RUN cp /usr/share/systemd/tmp.mount /etc/systemd/system

# Add default network configuration
ADD 05_network.yaml /system/oem/05_network.yaml

# Generate initrd with required elemental services
RUN elemental --debug init --force
RUN elemental init --debug --force

# Add default snapshotter setup
ADD snapshotter.yaml /etc/elemental/config.d/snapshotter.yaml

# Update os-release file with some metadata
RUN echo IMAGE_REPO=\"${REPO}\" >> /etc/os-release && \
Expand Down
3 changes: 3 additions & 0 deletions examples/green-legacy/snapshotter.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
snapshotter:
type: btrfs
max-snaps: 4
48 changes: 36 additions & 12 deletions examples/green/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,24 +1,38 @@
# run `make build` to build local/elemental-toolkit image
ARG TOOLKIT_REPO
ARG VERSION
ARG OS_IMAGE=registry.opensuse.org/opensuse/tumbleweed
ARG OS_VERSION=latest

FROM ${TOOLKIT_REPO}:${VERSION} AS TOOLKIT

# OS base image of our choice
FROM registry.opensuse.org/opensuse/leap:15.5 as OS
FROM ${OS_IMAGE}:${OS_VERSION} AS OS
ARG REPO
ARG VERSION
ENV REPO=${REPO}
ENV VERSION=${VERSION}

# install kernel, systemd, dracut, grub2 and other required tools
# Workaround for RISC-V, specific kernel might be needed for some boards
ARG ADD_REPO
ENV ADD_REPO=${ADD_REPO}

# Install kernel, systemd, dracut, grub2 and other required tools
RUN ARCH=$(uname -m); \
[[ "${ARCH}" == "aarch64" ]] && ARCH="arm64"; \
zypper --non-interactive install --no-recommends -- \
zypper --non-interactive removerepo repo-update || true; \
if [[ -n "${ADD_REPO}" ]]; then \
zypper --non-interactive addrepo --enable --refresh ${ADD_REPO} added-repo; \
fi; \
if [[ "${ARCH}" != "riscv64" ]]; then \
ADD_PKGS+=" shim"; \
[[ "${ARCH}" == "aarch64" ]] && ARCH="arm64"; \
fi; \
zypper --non-interactive --gpg-auto-import-keys install --no-recommends -- \
kernel-default \
device-mapper \
dracut \
grub2 \
grub2-${ARCH}-efi \
shim \
haveged \
systemd \
NetworkManager \
Expand All @@ -42,29 +56,39 @@ RUN ARCH=$(uname -m); \
less \
sudo \
curl \
sed \
patch \
iproute2 \
audit \
selinux-tools \
selinux-policy \
selinux-policy-targeted \
container-selinux \
k3s-selinux \
btrfsprogs \
btrfsmaintenance \
snapper \
transactional-update \
podman \
sed && \
${ADD_PKGS} && \
zypper clean --all

# Just add the elemental cli
COPY --from=TOOLKIT /usr/bin/elemental /usr/bin/elemental

# Enable essential services
RUN systemctl enable NetworkManager.service
RUN systemctl enable NetworkManager.service && \
systemctl enable sshd.service

# Enable /tmp to be on tmpfs
RUN cp /usr/share/systemd/tmp.mount /etc/systemd/system
# This is for automatic testing purposes, do not do this in production.
RUN echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/rootlogin.conf

# Add default network configuration
ADD 05_network.yaml /system/oem/05_network.yaml

# SELinux in enforce mode
RUN sed -i "s|SELINUX=.*|SELINUX=enforcing|g" /etc/selinux/config

# Generate initrd with required elemental services
RUN elemental init --debug --force
RUN elemental --debug init --force

# Add default snapshotter setup
ADD snapshotter.yaml /etc/elemental/config.d/snapshotter.yaml
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,4 @@ stages:
entity: |
kind: "shadow"
username: "root"
password: "cos"
password: "root"
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,23 @@
name: "SELinux"
stages:
initramfs:
- name: "Relabelling"
- name: "SELinux labels for targeted policy"
commands:
- |
if grep -q "selinux=1" /proc/cmdline; then
load_policy -i
restorecon -R -i -v /etc /root /opt /srv /var /home /usr/local /oem
if grep -qw selinux /sys/kernel/security/lsm; then
# Some extended attributes are lost on copy-up bsc#1210690. Workaround visit children first, then parents
for path in /etc /srv /var /oem /home /root /opt; do
if [ -d "${path}" ]; then
find ${path} -depth -exec /sbin/setfiles -F -v "/etc/selinux/targeted/contexts/files/file_contexts" \{\} +
fi
done
fi
fs:
- name: "Restore SELinux labels for targeted policy after switching root"
commands:
- |
if grep -qw selinux /sys/kernel/security/lsm; then
# Once SELinux label kicks in there is a relabel step for /run causing an unwanted relabelling
# to /etc and other tmpfs upper dirs, lets restore the context here.
restorecon -R -i -v /etc /srv /var /oem /home /root /opt
fi
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,12 @@ if [ -n "${img}" ]; then
fi

if [ "${mode}" == "recovery" ]; then
set kernelcmd="console=tty1 console=ttyS0 root=LABEL=${recovery_label} ${img_arg} elemental.mode=${mode} elemental.oemlabel=${oem_label} security=selinux selinux=0 rd.neednet=1"
set kernelcmd="console=tty1 console=ttyS0 root=LABEL=${recovery_label} ${img_arg} elemental.mode=${mode} elemental.oemlabel=${oem_label} security=selinux selinux=1 enforcing=0 rd.neednet=1"
else
if [ "${snapshotter}" == "btrfs" ]; then
set snap_arg="elemental.snapshotter=btrfs"
fi
set kernelcmd="console=tty1 console=ttyS0 root=LABEL=${state_label} ${img_arg} ${snap_arg} elemental.mode=${mode} elemental.oemlabel=${oem_label} panic=5 security=selinux selinux=0 rd.neednet=1 fsck.mode=force fsck.repair=yes"
set kernelcmd="console=tty1 console=ttyS0 root=LABEL=${state_label} ${img_arg} ${snap_arg} elemental.mode=${mode} elemental.oemlabel=${oem_label} panic=5 security=selinux selinux=1 rd.neednet=1 fsck.mode=force fsck.repair=yes"
fi

set kernel=/boot/vmlinuz
Expand Down
7 changes: 3 additions & 4 deletions tests/vm/sut.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ const (
Ext2 = "ext2"
Ext3 = "ext3"
Ext4 = "ext4"
Cos = "cos"
)

// DiskLayout is the struct that contains the disk output from lsblk
Expand Down Expand Up @@ -91,7 +90,7 @@ func NewSUT() *SUT {
}
pass := os.Getenv("COS_PASS")
if pass == "" {
pass = Cos
pass = "root"
}

host := os.Getenv("COS_HOST")
Expand Down Expand Up @@ -137,9 +136,9 @@ func (s *SUT) ChangeBoot(b string) error {

switch b {
case Active:
bootEntry = Cos
bootEntry = "active"
case Passive:
bootEntry = "fallback"
bootEntry = "1"
case Recovery:
bootEntry = "recovery"
}
Expand Down

0 comments on commit 817021c

Please sign in to comment.