
Enable SELinux for tumbleweed and green #2052

Merged
merged 5 commits into from
Apr 29, 2024

Conversation

davidcassany
Contributor

@davidcassany davidcassany commented Apr 22, 2024

This PR uses SELinux in enforce mode for the active/passive systems and in permissive mode for recovery and ISO systems.

The elemental labelling code changed slightly, basically the change is that now it is also executed as part of the close transaction step once the new root is already rsynced. In addition it also tries to label from the outer system any eventual mountpoint that was labeled in a chroot env (/dev, /proc, /sys, etc.).

Current unsolved issues:

  • In GitHub Actions the host has SELinux enabled and relabeling the new root within a container fails (see build disk and build iso logs in GH)... as a consequence the disk and iso images are not properly labeled, hence they are not really usable in enforce mode. This does not happen on a host without the container-selinux policy module. This has impact on our capability to build ISOs and Disks inside a k8s cluster using unprivileged pods.

  • Running upgrades from the recovery system (elemental upgrade command) is not functional if the target is on btrfs. There seems to be an issue with selinux labels when mounting the .snapshots subvolume preventing snapper from properly operating. One option would be to rethink the btrfs snapshotter env in recovery mode, instead of mounting .snapshots in <some/root>/.snapshots just use /.snapshots so any eventual relabel is done with the appropriate path.

Fixes #2054

Signed-off-by: David Cassany [email protected]

@davidcassany davidcassany requested a review from a team as a code owner April 22, 2024 08:55
@davidcassany davidcassany marked this pull request as draft April 22, 2024 08:58
@davidcassany davidcassany force-pushed the SELinux_in_enforce_mode_TW branch 2 times, most recently from b64d099 to 817021c April 22, 2024 11:42
@anmazzotti
Contributor

@davidcassany FYI on Tumbleweed a patterns-microos-selinux is available. I used it for the dev image.

@davidcassany davidcassany force-pushed the SELinux_in_enforce_mode_TW branch 2 times, most recently from 6588e72 to 40a71de April 22, 2024 17:38
fgiudici
fgiudici previously approved these changes Apr 23, 2024
@davidcassany davidcassany force-pushed the SELinux_in_enforce_mode_TW branch 5 times, most recently from 56debcf to b748a92 April 24, 2024 09:14
@davidcassany davidcassany marked this pull request as ready for review April 24, 2024 09:14
@davidcassany davidcassany force-pushed the SELinux_in_enforce_mode_TW branch 4 times, most recently from 54a4fa4 to 67b94f9 April 29, 2024 08:24
Signed-off-by: David Cassany <[email protected]>
Signed-off-by: David Cassany <[email protected]>
@davidcassany davidcassany dismissed fgiudici’s stale review April 29, 2024 11:10

added a few commits on top

Contributor

@frelon frelon left a comment


Very nice, this should be enough to start experimenting with selinux in the cluster provisioning!

contextFile := filepath.Join(rootDir, cnst.SELinuxTargetedContextFile)
contextExists, _ := utils.Exists(c.Fs, contextFile)

if err == nil && contextExists && c.Runner.CommandExists("setfiles") {
if contextExists && c.Runner.CommandExists("setfiles") {
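Review bot: dropping `err == nil` from the condition leaves `contextExists, _ := utils.Exists(c.Fs, contextFile)` as the only gate, and that call discards its error, so a stat failure on the context file (a denial, for instance) is indistinguishable from the file being absent and the relabel is silently skipped, leaving the root unlabelled. Suggest `contextExists, err := utils.Exists(c.Fs, contextFile)` and returning or at least logging the error before deciding not to run `setfiles`.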
Contributor


maybe we should check that rootDir is RW as well? might be enough to get the recovery test green.

Contributor Author


It is RW... disable selinux and the test will pass, I believe the snapper error msg is just misleading, it could not write due to some denial, but not because of being RO.
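As an added example, not elemental-toolkit's own code, this is the relabel gate the review above is about, written so that a stat error on the context file is reported rather than treated as "absent", with the writability probe the reviewer suggested. The context file path, the `-F`/`-r` setfiles flags and the list of chroot-time mountpoints are assumptions; the page only names `cnst.SELinuxTargetedContextFile` and `/dev`, `/proc`, `/sys`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Assumed location of the targeted policy's file contexts (cnst.SELinuxTargetedContextFile).
const targetedContextFile = "etc/selinux/targeted/contexts/files/file_contexts"

// Mountpoints labelled through a mount while chrooted; relabelled again from the outer system.
var chrootMounts = []string{"/dev", "/proc", "/sys"}

// RelabelArgs decides whether the new root should be relabelled and returns the
// setfiles argv to run (nil means nothing to do). Unlike `contextExists, _ :=`,
// an error while checking the context file is surfaced instead of skipping.
func RelabelArgs(rootDir string, haveSetfiles bool) ([]string, error) {
	ctx := filepath.Join(rootDir, targetedContextFile)
	if _, err := os.Stat(ctx); err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			return nil, nil // image ships no targeted policy: nothing to label
		}
		return nil, fmt.Errorf("checking %s: %w", ctx, err) // EACCES etc.: do not silently skip
	}
	if !haveSetfiles {
		return nil, nil // mirrors the page: no setfiles binary, no labelling
	}
	// Reviewer's suggestion: labels cannot be written on a read-only root, so probe first.
	probe, err := os.CreateTemp(rootDir, ".relabel-probe-*")
	if err != nil {
		return nil, fmt.Errorf("%s is not writable: %w", rootDir, err)
	}
	probe.Close()
	os.Remove(probe.Name())
	// -r makes setfiles strip rootDir before matching paths against the spec (assumed flag).
	args := []string{"setfiles", "-F", "-r", rootDir, ctx, rootDir}
	for _, m := range chrootMounts {
		args = append(args, filepath.Join(rootDir, m))
	}
	return args, nil
}

func main() {
	args, err := RelabelArgs("/tmp/newroot", true) // hypothetical root directory
	fmt.Println(args, err)
}
```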

@davidcassany davidcassany merged commit 4d469e7 into rancher:main Apr 29, 2024
16 of 17 checks passed
@davidcassany davidcassany deleted the SELinux_in_enforce_mode_TW branch April 29, 2024 13:20
Successfully merging this pull request may close these issues.

elemental-toolkit tests suite in enforce mode for TW
4 participants