
Relabel ephemeral filesystems after initramfs stage if selinux is activated #1492

Closed
Tracked by #251
davidcassany opened this issue Jun 8, 2022 · 3 comments
Labels: area/selinux, kind/enhancement (New feature or request)

Comments

@davidcassany (Contributor)

This card is devoted to including the logic provided by packages/cloud-config/oem/10_selinux.yaml as part of the immutable rootfs dracut module.

Why:

  • Because the setup of both things is tightly coupled (immutable rootfs is where ephemeral and persistent paths are set)
  • Because exposing selinux relabelling setup to users can easily lead to confusion and hard to guess and debug errors
  • Because the commonly used /.autorelabel procedure does not work for elemental as it kicks in too late and produces a reboot when done (all changes are lost on reboot), which could lead to an infinite reboot loop.

Despite already having a few reasons to code this logic, I believe we should wait a bit and gather further input about the SELinux expectations in the elemental scope. Code inside initramfs is tricky and tends to strike back, so I'd be in favor of coding it when we have a better or more mature picture of what we need regarding SELinux.

@davidcassany davidcassany added the kind/enhancement New feature or request label Jun 8, 2022
@davidcassany davidcassany changed the title Relabel ephemeral filesystems after initramfs if selinux is activated Relabel ephemeral filesystems after initramfs stage if selinux is activated Jun 8, 2022
@kkaempf kkaempf moved this to 💡 Untriaged in Elemental Jun 13, 2022
@kkaempf kkaempf removed this from Elemental Aug 9, 2022
@frelon frelon added this to Elemental Apr 17, 2024
@frelon frelon moved this to 🗳️ To Do in Elemental Apr 17, 2024
@frelon frelon added this to the Micro6 milestone Apr 17, 2024
@davidcassany (Contributor, Author)

The card description is still valid, and now SELinux has become a priority in Elemental. Just note that the immutable-rootfs dracut module is no longer valid; as of today the appropriate module is the elemental-rootfs feature.

As stated in the card description, it is relevant to note that the relabelling should happen in initramfs.after or later, but before switching root. This way we can be sure changes generated in initramfs are also included.

Alternatively, we could explore if there is some way to configure certain paths to be relabeled right when the policy is loaded. By default SELinux relabels /dev, /dev/shm, /run and /sys/fs/cgroup according to journal logs. I wonder if we could configure it somehow to include extra paths here.

@kkaempf kkaempf modified the milestones: Micro6, Micro6.1 Apr 23, 2024
@frelon frelon self-assigned this Apr 23, 2024
@frelon frelon moved this from 🗳️ To Do to 🏃🏼‍♂️ In Progress in Elemental Apr 23, 2024
@davidcassany (Contributor, Author)

Discovered that we can instruct systemd to relabel certain paths automatically after loading a policy; this is exactly what we need in order to relabel ephemeral sensitive paths such as /etc.

See comment in https://github.com/systemd/systemd/blob/557c04a382e3ed77d965c79b7b5d74ce78fc1a9c/src/shared/mount-setup.c#L332-L342

Ideally simply adding this relabel file should be enough, but probably we will need to force a manual relabel one by one due to bsc#1210690 (some extended attributes are lost on copy-up).

Which paths to relabel is the actual question: shall we relabel persistent storage? I'd say yes for now for simplicity, but this could turn out to be too much.
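As an added illustration of the systemd mechanism referenced in the comment above (example code, not from the issue or from the Elemental project), the helper below queues a list of ephemeral paths in a `/run/systemd/relabel-extra.d/*.relabel` file, which systemd's mount-setup.c processes right after the policy is loaded, and provides the explicit per-path `restorecon` fallback the comment anticipates for the copy-up case. The one-path-per-line format, the file name `elemental.relabel` and the sample path list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue or from Elemental).
# Assumption: systemd reads /run/systemd/relabel-extra.d/*.relabel after
# loading the SELinux policy, one absolute path per line, and removes the
# file once processed. "elemental.relabel" is an arbitrary name chosen here.
set -eu

RELABEL_DIR="${RELABEL_DIR:-/run/systemd/relabel-extra.d}"
RELABEL_FILE="elemental.relabel"

# Queue the given paths for relabelling by systemd once the policy is loaded.
# Only absolute paths that currently exist are queued (a missing or relative
# entry would be silently useless at boot); prints the number of paths queued.
queue_relabel() {
    dir="$1"; shift
    mkdir -p "$dir"
    : > "$dir/$RELABEL_FILE"
    count=0
    for p in "$@"; do
        case "$p" in
            /*) ;;
            *) echo "skipping non-absolute path: $p" >&2; continue ;;
        esac
        [ -e "$p" ] || { echo "skipping missing path: $p" >&2; continue; }
        printf '%s\n' "$p" >> "$dir/$RELABEL_FILE"
        count=$((count + 1))
    done
    echo "$count"
}

# Fallback: relabel each queued path explicitly with restorecon, for the case
# where labels were lost on overlay copy-up and the automatic relabel is not
# enough. Does nothing when SELinux tooling is absent (e.g. outside initramfs).
manual_relabel() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not available" >&2; return 0; }
    [ -f "$1" ] || return 0
    while IFS= read -r p; do
        [ -n "$p" ] && restorecon -RF "$p"
    done < "$1"
}

main() {
    # Sample ephemeral path list (constructed for this example).
    queue_relabel "$RELABEL_DIR" /etc /var /root
    manual_relabel "$RELABEL_DIR/$RELABEL_FILE"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `--run` from a hook in the initramfs.after stage, before switch-root, so that files created during initramfs are covered as the comment above requires.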

@frelon frelon linked a pull request May 8, 2024 that will close this issue
@frelon frelon moved this from 🏃🏼‍♂️ In Progress to 👀 Needs review in Elemental May 8, 2024
@frelon (Contributor) commented May 10, 2024

Closed in #2074

@frelon frelon closed this as completed May 10, 2024
@github-project-automation github-project-automation bot moved this from 👀 Needs review to ✅ Done in Elemental May 10, 2024