-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relabel ephemeral filesystems after initramfs stage if selinux is activated #1492
Comments
The card description is still valid and now SELinux has become a priority in Elemental. Just note that that the immutable-rootfs dracut module is no longer valid, as of today the appropriate module is the elemental-rootfs feature. As stated in the card description it is relevant to note the relabelling should having in Alternatively, we could explore if there is some way to configure certain paths to be relabeled right when the policy is loaded. By default SELinux relabels |
Discovered that we can instruct systemd to relabel automatically certain paths after loading a policy, this is exactly what we need in order to relabel ephemeral sensitive paths such as See comment in https://github.com/systemd/systemd/blob/557c04a382e3ed77d965c79b7b5d74ce78fc1a9c/src/shared/mount-setup.c#L332-L342 Ideally simply adding this relabel file should be enough, but probably we will need force a manual relabel one by one due bsc#1210690 (some extended attributes are lost on copy-up). Which paths to relabel is the actual question, shall we relabel persistent storage? I'd say yes for now for simplicity, but this could turn to be too much. |
Closed in #2074 |
This card is devoted to include the logic provided by
packages/cloud-config/oem/10_selinux.yaml
as part of the immutable rootfs dracut module.Why:
/.autorelabel
procedure does not work for elemental as it kicks in too late and produces a reboot when done (all changes are lost on reboot), which could lead to an infinite reboot loop.Despite having already few reasons to code this logic, I believe we should wait a bit and gather further input about the SELinux expectations in elemental scope. Code inside initramfs is tricky and tends to strike back, so I'd be in favor to code it when we have better or more mature picture about what we need regarding SELinux.
The text was updated successfully, but these errors were encountered: