Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SELinux relabel on boot #2070

Closed
wants to merge 1 commit into from
Closed

SELinux relabel on boot #2070

wants to merge 1 commit into from

Conversation

frelon
Copy link
Contributor

@frelon frelon commented May 8, 2024

This commit introduces a new command 'elemental relabel' for relabeling
files and directories.

The command is invoked during initramfs stage in the new optional
'selinux' feature.

In essence it runs setfiles in mounted persistent and ephemeral
directories in order to circumvent a bug with overlayfs and
selinux copy-up on xattrs.

During mount we also put a list of persistent+ephemeral directories in
/run/systemd/extra-relabel.d/elemental.layout in order to make systemd
relabel the directories before loading the policy.

Signed-off-by: Fredrik Lönnegren fredrik.lonnegren@suse.com

@frelon
SELinux relabel on boot
092a37b 
This commit introduces a new command 'elemental relabel' for relabeling
files and directories.

The command is invoked during initramfs stage in the new optional
'selinux' feature.

In essence it runs setfiles in mounted persistent and ephemeral
directories in order to circumvent a bug with overlayfs and
selinux copy-up on xattrs.

During mount we also put a list of persistent+ephemeral directories in
/run/systemd/extra-relabel.d/elemental.layout in order to make systemd
relabel the directories before loading the policy.

Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
@frelon frelon requested a review from a team as a code owner May 8, 2024 11:41
@frelon frelon linked an issue May 8, 2024 that may be closed by this pull request
Relabel ephemeral filesystems after initramfs stage if selinux is activated #1492
Closed
@frelon frelon mentioned this pull request May 8, 2024
Merged
davidcassany
davidcassany reviewed May 8, 2024
View reviewed changes
Copy link
Contributor

@davidcassany davidcassany left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Looks quite good.

I miss some unit tests for the relabel command and the WriteSelinuxRelabelFile method. Shouldn't be hard to cover those.

Moreover the relabel cloud-config 10_selinux.yaml I don't think is functional after my changes of the mount setup. Now the mount command setup is written in /etc/elemental/config.d in initramfs, which is not visible in initramfs stage, as it runs chrooted to the new root.

Wouldn't it be easier to just omit the relabel command and run a script defined in 10_selinux.yaml that reads the relabel file and relabels those paths and once the kernel is fixed we just drop this 10_selinux.yaml. What you think?

On the other side I think it would also be good to read the mount configuration from /run/elemental/ instead of /etc/elemental, this way we can see the mount setup after the switch root too. Shouldn't be hard to set, see #2073

@frelon
Copy link
Contributor Author

frelon commented May 8, 2024

Nice! Looks quite good.

I miss some unit tests for the relabel command and the WriteSelinuxRelabelFile method. Shouldn't be hard to cover those.

Moreover the relabel cloud-config 10_selinux.yaml I don't think is functional after my changes of the mount setup. Now the mount command setup is written in /etc/elemental/config.d in initramfs, which is not visible in initramfs stage, as it runs chrooted to the new root.

Wouldn't it be easier to just omit the relabel command and run a script defined in 10_selinux.yaml that reads the relabel file and relabels those paths and once the kernel is fixed we just drop this 10_selinux.yaml. What you think?

On the other side I think it would also be good to read the mount configuration from /run/elemental/ instead of /etc/elemental, this way we can see the mount setup after the switch root too. Should be hard to set, I can do it in a separate PR.

Yep, good idea to use the relabel file to run the setfiles.. I will change that and then we can remove the relabel command!

@frelon frelon closed this May 10, 2024
@frelon frelon deleted the dynamic-selinux-relabel branch May 10, 2024 09:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidcassany davidcassany davidcassany left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Relabel ephemeral filesystems after initramfs stage if selinux is activated
2 participants
@frelon @davidcassany