Selinux support #135

Merged
merged 1 commit into from
May 14, 2021
2 changes: 1 addition & 1 deletion packages/cos-features/definition.yaml
@@ -1,3 +1,3 @@
name: cos-features
category: system
version: 0.3.1+11
version: 0.3.1+12
1 change: 1 addition & 0 deletions packages/cos-features/features/k3s.yaml
Expand Up @@ -11,6 +11,7 @@ stages:
curl -sfL https://get.k3s.io | \
INSTALL_K3S_VERSION="v1.20.4+k3s1" \
INSTALL_K3S_EXEC="--data-dir /usr/local/rancher/k3s" \
INSTALL_K3S_SELINUX_WARN="true" \
sh -
- name: "Setup Longhorn"
commands:
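Review bot: INSTALL_K3S_SELINUX_WARN="true" tells the k3s install script to continue with a warning when the k3s-selinux policy package is absent, so on a host booted with SELinux on (which this PR enables via the grub cmdline) k3s is installed without its own policy and the only trace is a line in the install output. That is a deliberate trade-off and deserves a comment above the line, e.g. `# k3s-selinux is not shipped by this image; downgrade the missing-policy error to a warning`, so a later reader does not remove it or assume k3s runs confined. If the intent is to eventually confine k3s, a follow-up to install k3s-selinux would be the proper fix. The enclosing stage starts outside the hunk.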
3 changes: 3 additions & 0 deletions packages/cos/build.yaml
Expand Up @@ -23,6 +23,9 @@ requires:
- name: cos-features
category: system
version: ">=0"
- name: "selinux-policies"
category: "system"
version: ">=0"

steps:
- sed -i 's/:VERSION:/{{.Values.version}}/g' setup.yaml
4 changes: 2 additions & 2 deletions packages/cos/setup.yaml
Expand Up @@ -47,7 +47,7 @@ stages:
set img=/cOS/active.img
loopback loop0 /$img
set root=($root)
linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_ACTIVE iso-scan/filename=/cOS/active.img panic=5
linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_ACTIVE iso-scan/filename=/cOS/active.img panic=5 security=selinux selinux=1
initrd (loop0)/boot/initrd
}
Expand All @@ -56,7 +56,7 @@ stages:
set img=/cOS/passive.img
loopback loop0 /$img
set root=($root)
linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_PASSIVE iso-scan/filename=/cOS/passive.img panic=5
linux (loop0)/boot/vmlinuz console=tty1 ro root=LABEL=COS_PASSIVE iso-scan/filename=/cOS/passive.img panic=5 security=selinux selinux=1
initrd (loop0)/boot/initrd
}
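Review bot: `security=selinux selinux=1` turns the LSM on at boot, but the enforcement mode is still taken from /etc/selinux/config, which the new selinux-policies package sets to `SELINUX=permissive`, so these entries boot a permissive system; a comment on the `linux` lines recording that (`# SELinux enabled, mode comes from /etc/selinux/config (permissive by default)`) would stop a reader of the grub config from assuming enforcement. The same string is pasted into both the active (-47) and passive (-56) entries, so a variable set once, e.g. `set selinux_opts="security=selinux selinux=1"` appended as `$selinux_opts` to each `linux` line, would keep the two from drifting apart. Whether the recovery entry needs the same flags, and whether the initrd is built with SELinux support so the policy is loaded before the switch-root, is not visible in these hunks.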
2 changes: 1 addition & 1 deletion packages/installer/definition.yaml
@@ -1,3 +1,3 @@
name: "installer"
category: "utils"
version: 0.6.33+5
version: 0.6.34
11 changes: 10 additions & 1 deletion packages/installer/installer.sh
Expand Up @@ -205,7 +205,7 @@ do_copy()
{
echo "Copying cOS.."

rsync -aqz --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' ${DISTRO}/ ${TARGET}
rsync -aqzAX --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' ${DISTRO}/ ${TARGET}
if [ -n "$COS_INSTALL_CONFIG_URL" ]; then
OEM=${TARGET}/oem/99_custom.yaml
get_url "$COS_INSTALL_CONFIG_URL" $OEM
Expand Down Expand Up @@ -234,6 +234,13 @@ EOF
chmod 640 $TARGET/usr/local/cloud-config/90_after_install.yaml
}

SELinux_relabel()
{
if which setfiles > /dev/null && [ -e ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ]; then
setfiles -r ${TARGET} ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ${TARGET}
fi
}

install_grub()
{
echo "Installing GRUB.."
Expand Down Expand Up @@ -378,6 +385,8 @@ do_mount
do_copy
install_grub

SELinux_relabel

umount_target 2>/dev/null

prepare_recovery
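Review bot: SELinux_relabel (the -234 hunk) ignores the exit status of setfiles, so a failed relabel leaves the installed tree carrying the build-time labels that the new `-AX` rsync flags now copy over from ${DISTRO}, and the install still reports success; `which` is also not a portable test and `${TARGET}` is expanded unquoted on both lines. A rewrite that reports the failure, uses `command -v` and quotes the paths is below. The function hard-codes the `targeted` policy store, so if an image ships a different SELINUXTYPE the `-e` test silently skips relabeling; reading the store name from ${TARGET}/etc/selinux/config would make the check follow the image. The same function body is duplicated verbatim in packages/installer/upgrade.sh, so any fix here has to be applied there too; sourcing it from a shared file would avoid that.
```shell
SELinux_relabel()
{
    local fc
    fc=${TARGET}/etc/selinux/targeted/contexts/files/file_contexts
    # Relabel the installed tree so labels match the target policy, not the build host.
    if command -v setfiles > /dev/null && [ -e "$fc" ]; then
        setfiles -r "${TARGET}" "$fc" "${TARGET}" || echo "Warning: SELinux relabel of ${TARGET} failed" >&2
    fi
}
```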
11 changes: 10 additions & 1 deletion packages/installer/upgrade.sh
Expand Up @@ -132,16 +132,25 @@ upgrade() {
args=
fi
luet util unpack $args $UPGRADE_IMAGE /usr/local/tmp/rootfs
rsync -aqz --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' /usr/local/tmp/rootfs/ /tmp/upgrade
rsync -aqzAX --exclude='mnt' --exclude='proc' --exclude='sys' --exclude='dev' --exclude='tmp' /usr/local/tmp/rootfs/ /tmp/upgrade
rm -rf /usr/local/tmp/rootfs
fi

SELinux_relabel

rm -rf /usr/local/tmp/upgrade
umount $TARGET/oem
umount $TARGET/usr/local
umount $TARGET
}

SELinux_relabel()
{
if which setfiles > /dev/null && [ -e ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ]; then
setfiles -r ${TARGET} ${TARGET}/etc/selinux/targeted/contexts/files/file_contexts ${TARGET}
fi
}

switch_active() {
if [[ "$CURRENT" == "active.img" ]]; then
mv -f ${STATEDIR}/cOS/$CURRENT ${STATEDIR}/cOS/passive.img
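Review bot: SELinux_relabel is called inside upgrade() right after the `fi` but is defined further down the file, so the call only resolves because upgrade() is invoked after the whole script has been parsed; moving the definition above upgrade() keeps the file readable top-down and avoids a surprise if the functions are ever sourced individually. The relabel runs on ${TARGET} while the new rootfs is synced into /tmp/upgrade; whether those refer to the same mounted tree is not visible in this hunk and should be confirmed. The error-handling, quoting and `which` points raised on the identical function in installer.sh apply here as well. upgrade() starts outside the hunk.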
29 changes: 29 additions & 0 deletions packages/selinux-policies/build.yaml
@@ -0,0 +1,29 @@
requires:
- name: "base"
category: "distro"
version: ">=0"

steps:
{{ if .Values.distribution }}
{{if eq .Values.distribution "opensuse" }}
- zypper ar https://download.opensuse.org/repositories/security:/SELinux/openSUSE_Leap_15.3/security:SELinux.repo
- zypper --gpg-auto-import-keys in -y --allow-vendor-change --allow-downgrade selinux-policy audit selinux-tools python3-policycoreutils policycoreutils-python-utils container-selinux -libsemanage1
- zypper cc
{{else if eq .Values.distribution "fedora" }}
- dnf install -y container-selinux selinux-policy-targeted checkpolicy
- dnf clean all
- systemctl mask selinux-autorelabel.service && systemctl mask selinux-autorelabel-mark.service
{{else if eq .Values.distribution "ubuntu" }}
- apt-get install -y selinux-policy-default selinux-utils
- apt-get clean
{{end}}
{{end}}
- sed -i "s|^SELINUX=.*|SELINUX=permissive|g" /etc/selinux/config
- rm -rf /.autorelabel
{{ if .Values.distribution }}
{{if eq .Values.distribution "opensuse" }}
# Install cOS custom policy
- checkmodule -M -m -o cOS.mod cOS.te && semodule_package -o cOS.pp -m cOS.mod
- semodule -i cOS.pp
{{end}}
{{end}}
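Review bot: `--gpg-auto-import-keys` on the opensuse branch accepts whatever signing key the just-added security:SELinux repository serves, so the package signature check adds no trust beyond the TLS download from download.opensuse.org; importing the key explicitly by fingerprint, or at minimum a comment above the `zypper ar` line stating that this OBS repository is trusted by URL, would make that decision visible. The `-libsemanage1` argument is a zypper package removal inside the same transaction and reads like a typo; a comment such as `# the leading '-' removes libsemanage1 on purpose` with the reason would help. `rm -rf /.autorelabel` and the fedora service masks mean first-boot relabeling is disabled and the installer's setfiles run is the only relabel; that run looks for a `targeted` store, while the ubuntu branch installs selinux-policy-default, which presumably populates `/etc/selinux/default` instead, so ubuntu images may never get relabeled — worth confirming. `SELINUX=permissive` is set unconditionally, so the policy is log-only on every distribution; stating that in a comment near the sed line would save readers from checking the grub cmdline to work out the effective mode.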
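--- a/packages/selinux-policies/cOS.te
+++ b/packages/selinux-policies/cOS.te
@@ -0,0 +1,80 @@
+#==== cOS SELinux targeted policy module ========
+#
+# Disclaimer: This module is definition is for illustration use only. It
+# has no guarantees of completeness, accuracy and usefulness. It should
+# not be used "as is".
+#
+
+
+module cOS 1.0;
+
+require {
+type init_t;
+type audisp_t;
+type getty_t;
+type unconfined_t;
+type initrc_t;
+type bin_t;
+type tmpfs_t;
+type wicked_t;
+type systemd_logind_t;
+type sshd_t;
+type lib_t;
+type unlabeled_t;
+type chkpwd_t;
+type unconfined_service_t;
+type usr_t;
+type local_login_t;
+type cert_t;
+type system_dbusd_t;
+class lnk_file read;
+class file { execmod getattr open read };
+class dir { getattr read search watch };
+}
+
+#============= audisp_t ==============
+allow audisp_t tmpfs_t:lnk_file read;
+
+#============= chkpwd_t ==============
+allow chkpwd_t tmpfs_t:file { getattr open read };
+
+#============= getty_t ==============
+allow getty_t tmpfs_t:file { getattr open read };
+
+#============= init_t ==============
+allow init_t cert_t:dir watch;
+allow init_t usr_t:dir watch;
+
+#============= initrc_t ==============
+
+#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
+allow initrc_t bin_t:file execmod;
+
+#============= local_login_t ==============
+allow local_login_t tmpfs_t:file { getattr open read };
+allow local_login_t tmpfs_t:lnk_file read;
+
+#============= sshd_t ==============
+allow sshd_t tmpfs_t:lnk_file read;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t lib_t:dir watch;
+allow system_dbusd_t tmpfs_t:lnk_file read;
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t unlabeled_t:dir { getattr search };
+
+#============= unconfined_service_t ==============
+
+#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
+allow unconfined_service_t bin_t:file execmod;
+
+#============= unconfined_t ==============
+
+#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
+allow unconfined_t bin_t:file execmod;
+
+#============= wicked_t ==============
+allow wicked_t tmpfs_t:dir read;
+allow wicked_t tmpfs_t:file { getattr open read };
+allow wicked_t tmpfs_t:lnk_file read;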
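Review bot: The three `execmod` rules on bin_t (initrc_t, unconfined_service_t, unconfined_t) allow writable-then-executable mappings of every file labeled bin_t, which is broader than the `selinuxuser_execmod` boolean the generated `#!!!!` comments already point at; toggling that boolean, or narrowing the rule to the type of the one binary that needs it, is the smaller grant, and a comment naming which binary produced the denial would let the rule be retired once that binary is fixed. The `systemd_logind_t unlabeled_t:dir` rule papers over unlabeled files rather than labeling them; since the installer now runs setfiles on the target, this rule may be unnecessary after a relabel and is worth re-checking against a relabeled image. The header states the module "should not be used as is" while build.yaml installs it with `semodule -i cOS.pp`, so the header should describe what the module is actually for on a cOS system, and `This module is definition is` reads as a typo. This is a policy file, so the rules are only enforced when the system is switched from the permissive mode that build.yaml configures.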
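--- a/packages/selinux-policies/definition.yaml
+++ b/packages/selinux-policies/definition.yaml
@@ -0,0 +1,4 @@
+name: "selinux-policies"
+category: "system"
+version: "0.0.6"
+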
1 change: 1 addition & 0 deletions values/opensuse.yaml
Expand Up @@ -35,5 +35,6 @@ packages: >-
haveged
tar
rsync
timezone
kernel_package: kernel-default