Add selinux-policies

This commit adds SELinux support to the system. Note this only installs some already packaged policies and enable them at install/upgrade time. Signed-off-by: David Cassany <[email protected]>
rancher · May 13, 2021 · de13283 · de13283
1 parent 24ad145
commit de13283
Show file tree

Hide file tree

Showing 9 changed files with 140 additions and 5 deletions.
diff --git a/packages/cos/build.yaml b/packages/cos/build.yaml
@@ -23,6 +23,9 @@ requires:
 - name: cos-features
   category: system
   version: ">=0"
+- name: "selinux-policies"
+  category: "system"
+  version: ">=0"
 
 steps:
 - sed -i 's/:VERSION:/{{.Values.version}}/g' setup.yaml

diff --git a/packages/cos/setup.yaml b/packages/cos/setup.yaml
@@ -47,7 +47,7 @@ stages:
               set img=/cOS/active.img
               loopback loop0 /$img
               set root=($root)
-              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_ACTIVE iso-scan/filename=/cOS/active.img panic=5
+              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_ACTIVE iso-scan/filename=/cOS/active.img panic=5 security=selinux selinux=1
               initrd (loop0)/boot/initrd
             }
 
@@ -56,7 +56,7 @@ stages:
               set img=/cOS/passive.img
               loopback loop0 /$img
               set root=($root)
-              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_PASSIVE iso-scan/filename=/cOS/passive.img panic=5
+              linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_PASSIVE iso-scan/filename=/cOS/passive.img panic=5 security=selinux selinux=1
               initrd (loop0)/boot/initrd
             }
 

diff --git a/packages/installer/definition.yaml b/packages/installer/definition.yaml
@@ -1,3 +1,3 @@
 name: "installer"
 category: "utils"
-version: 0.6.33+5
+version: 0.6.34
diff --git a/packages/installer/installer.sh b/packages/installer/installer.sh
@@ -205,7 +205,7 @@ do_copy()
 {
     echo "Copying cOS.."
 
-    rsync -aqz --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' ${DISTRO}/ ${TARGET}
+    rsync -aqzAX --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' ${DISTRO}/ ${TARGET}
      if [ -n "$COS_INSTALL_CONFIG_URL" ]; then
         OEM=${TARGET}/oem/99_custom.yaml
         get_url "$COS_INSTALL_CONFIG_URL" $OEM
@@ -234,6 +234,13 @@ EOF
     chmod 640 $TARGET/usr/local/cloud-config/90_after_install.yaml
 }
 
+SELinux_relabel()
+{
+    if which setfiles > /dev/null && [ -e ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ]; then
+        setfiles -r ${TARGET} ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ${TARGET}
+    fi
+}
+
 install_grub()
 {
     echo "Installing GRUB.."
@@ -378,6 +385,8 @@ do_mount
 do_copy
 install_grub
 
+SELinux_relabel
+
 umount_target 2>/dev/null
 
 prepare_recovery

diff --git a/packages/installer/upgrade.sh b/packages/installer/upgrade.sh
@@ -132,16 +132,25 @@ upgrade() {
           args=
         fi
         luet util unpack $args $UPGRADE_IMAGE /usr/local/tmp/rootfs
-        rsync -aqz --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' /usr/local/tmp/rootfs/ /tmp/upgrade
+        rsync -aqzAX --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' /usr/local/tmp/rootfs/ /tmp/upgrade
         rm -rf /usr/local/tmp/rootfs
     fi
 
+    SELinux_relabel
+
     rm -rf /usr/local/tmp/upgrade
     umount $TARGET/oem
     umount $TARGET/usr/local
     umount $TARGET
 }
 
+SELinux_relabel()
+{
+    if which setfiles > /dev/null && [ -e ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ]; then
+        setfiles -r ${TARGET} ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ${TARGET}
+    fi
+}
+
 switch_active() {
     if [[ "$CURRENT" == "active.img" ]]; then
         mv -f ${STATEDIR}/cOS/$CURRENT ${STATEDIR}/cOS/passive.img

diff --git a/packages/selinux-policies/build.yaml b/packages/selinux-policies/build.yaml
@@ -0,0 +1,29 @@
+requires:
+- name: "base"
+  category: "distro"
+  version: ">=0"
+
+steps:
+{{ if .Values.distribution }}
+{{if eq .Values.distribution "opensuse" }}
+- zypper ar https://download.opensuse.org/repositories/security:/SELinux/openSUSE_Leap_15.3/security:SELinux.repo
+- zypper --gpg-auto-import-keys in -y --allow-vendor-change --allow-downgrade selinux-policy audit selinux-tools python3-policycoreutils policycoreutils-python-utils container-selinux -libsemanage1
+- zypper cc
+{{else if eq .Values.distribution "fedora" }}
+- dnf install -y container-selinux selinux-policy-targeted checkpolicy
+- dnf clean all
+- systemctl mask selinux-autorelabel.service && systemctl mask selinux-autorelabel-mark.service
+{{else if eq .Values.distribution "ubuntu" }}
+- apt-get install -y selinux-policy-default selinux-utils
+- apt-get clean
+{{end}}
+{{end}}
+- sed -i "s|^SELINUX=.*|SELINUX=permissive|g" /etc/selinux/config
+- rm -rf /.autorelabel
+{{ if .Values.distribution }}
+{{if eq .Values.distribution "opensuse" }}
+# Install cOS custom policy
+- checkmodule -M -m -o cOS.mod cOS.te && semodule_package -o cOS.pp -m cOS.mod
+- semodule -i cOS.pp
+{{end}}
+{{end}}
diff --git a/packages/selinux-policies/cOS.te b/packages/selinux-policies/cOS.te
@@ -0,0 +1,80 @@
+#==== cOS SELinux targeted policy module ========
+#
+# Disclaimer: This module is definition is for illustration use only. It
+# has no guarantees of completeness, accuracy and usefulness. It should
+# not be used "as is".
+# 
+
+
+module cOS 1.0;
+
+require {
+	type init_t;
+	type audisp_t;
+	type getty_t;
+	type unconfined_t;
+	type initrc_t;
+	type bin_t;
+	type tmpfs_t;
+	type wicked_t;
+	type systemd_logind_t;
+	type sshd_t;
+	type lib_t;
+	type unlabeled_t;
+	type chkpwd_t;
+	type unconfined_service_t;
+	type usr_t;
+	type local_login_t;
+	type cert_t;
+	type system_dbusd_t;
+	class lnk_file read;
+	class file { execmod getattr open read };
+	class dir { getattr read search watch };
+}
+
+#============= audisp_t ==============
+allow audisp_t tmpfs_t:lnk_file read;
+
+#============= chkpwd_t ==============
+allow chkpwd_t tmpfs_t:file { getattr open read };
+
+#============= getty_t ==============
+allow getty_t tmpfs_t:file { getattr open read };
+
+#============= init_t ==============
+allow init_t cert_t:dir watch;
+allow init_t usr_t:dir watch;
+
+#============= initrc_t ==============
+
+#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
+allow initrc_t bin_t:file execmod;
+
+#============= local_login_t ==============
+allow local_login_t tmpfs_t:file { getattr open read };
+allow local_login_t tmpfs_t:lnk_file read;
+
+#============= sshd_t ==============
+allow sshd_t tmpfs_t:lnk_file read;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t lib_t:dir watch;
+allow system_dbusd_t tmpfs_t:lnk_file read;
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t unlabeled_t:dir { getattr search };
+
+#============= unconfined_service_t ==============
+
+#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
+allow unconfined_service_t bin_t:file execmod;
+
+#============= unconfined_t ==============
+
+#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
+allow unconfined_t bin_t:file execmod;
+
+#============= wicked_t ==============
+allow wicked_t tmpfs_t:dir read;
+allow wicked_t tmpfs_t:file { getattr open read };
+allow wicked_t tmpfs_t:lnk_file read;
diff --git a/packages/selinux-policies/definition.yaml b/packages/selinux-policies/definition.yaml
@@ -0,0 +1,4 @@
+name: "selinux-policies"
+category: "system"
+version: "0.0.6"
+
diff --git a/values/opensuse.yaml b/values/opensuse.yaml
@@ -35,5 +35,6 @@ packages: >-
     haveged
     tar
     rsync
+    timezone
 
 kernel_package: kernel-default