
selinux relabel support #30

Merged (6 commits) on Nov 11, 2024

Conversation

allisonkarlitskaya (Collaborator) commented Nov 7, 2024

There are some outstanding items here:

  • figure out which policy to check. It's hardcoded to targeted right now
  • provide a nice fallback if the policy isn't present. It's currently fatal.
  • figure out a nicer way to handle linking to libselinux, possibly making it a conditional feature? don't link libselinux: do it ourselves
  • figure out a better way to handle mutability of hardlinks in the filesystem tree
  • properly label our /run/systemd/volatile-root hack symlink to avoid this: [ 3.055118] audit: type=1400 audit(1731016644.835:3): avc: denied { read } for pid=447 comm="systemd-gpt-aut" name="volatile-root" dev="tmpfs" ino=679 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=1
  • drop enforcing=0

Closes #29
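The AVC record in the last item above is the kind of line a defender reads when checking whether a relabel actually removed a denial. As an added example (not code from this PR or the project), the following Python helper splits such a record into its decision, the requested permissions and the key=value fields, and pulls the type component out of the source and target contexts. The input is a constructed copy of the line quoted in the description.

```python
"""Added example, not code from this PR: parse an SELinux AVC audit record
(like the one quoted in the PR description) into structured fields."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed copy of the AVC record from the PR description.
AVC_LINE = (
    "[ 3.055118] audit: type=1400 audit(1731016644.835:3): avc: denied { read } "
    'for pid=447 comm="systemd-gpt-aut" name="volatile-root" dev="tmpfs" ino=679 '
    "scontext=system_u:system_r:systemd_gpt_generator_t:s0 "
    "tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=1"
)


class Avc(NamedTuple):
    decision: str           # "denied" or "granted"
    permissions: List[str]  # e.g. ["read"]
    fields: Dict[str, str]  # pid, comm, name, dev, ino, scontext, tcontext, tclass, permissive


# "avc: denied { read write } for <key=value ...>"
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value where the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[Avc]:
    """Return the structured record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        # Exactly one of the two alternatives matched; an empty quoted value ("") is legal.
        fields[key] = quoted if bare == "" else bare
    return Avc(m.group("decision"), m.group("perms").split(), fields)


def context_type(context: str) -> str:
    """Extract the type from user:role:type:level (third component)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(avc: Avc) -> str:
    """One-line human summary: who was denied what on which object, and whether it was enforced."""
    f = avc.fields
    effect = "logged only, policy is permissive" if f.get("permissive") == "1" else "blocked"
    return (
        f"{context_type(f.get('scontext', '?'))} {avc.decision} {','.join(avc.permissions)} "
        f"on {f.get('tclass', '?')} {f.get('name', '?')!r} labelled "
        f"{context_type(f.get('tcontext', '?'))} ({effect})"
    )


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    assert record is not None
    print(summarize(record))
```

The `permissive=1` field is what makes the PR's workaround visible in the log: the access is still recorded as denied, but the kernel let it through, which is exactly the state the "drop enforcing=0" item wants to leave behind.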

travier (Member) commented Nov 8, 2024

As far as I know, the SELinux policy type is taken from /etc/selinux/config:

$ grep "^SELINUXTYPE=" /etc/selinux/config
SELINUXTYPE=targeted

Update our workflow to actually fail if clippy/fmt are unhappy.

Signed-off-by: Allison Karlitskaya <[email protected]>

We can also use fakeroot to make sure we see the correct selinux
contexts on the created filesystem, but xattrs aren't saved in
fakeroot's "save file", so we need to do this in a single running
session: move all of those operations to a new script and run the entire
script under one fakeroot invocation.

Signed-off-by: Allison Karlitskaya <[email protected]>

Rc<> doesn't want us to mutate the inner value when it has multiple
outstanding refs (as we have for hardlinks).  That's going to be a
problem for us soon when we want to visit the tree, adding selinux
xattrs.

Use RefCell<> to gain interior mutability on the xattr field.  This is
terribly ad-hoc, but it solves the problem at hand in the least
intrusive way possible.

Signed-off-by: Allison Karlitskaya <[email protected]>

We're about to start using this API with a lot more constant strings (to
fish out the selinux policy), so let's make it a bit less awful to use
in that case.

Signed-off-by: Allison Karlitskaya <[email protected]>

This is a fairly straight-forward operation on the in-memory filesystem
tree.

The actual work done by libselinux here is fairly trivial, and with the
use of the excellent `regex-automata` crate we can mostly do it
ourselves: we just need to consult a list of regexps for each file and
whichever one matches first decides the label.  We can build a DFA to do
all of the "real work" for us in a single step.  There's even probably
more room for improvement: if we figure out a way to deal with cache
invalidation (and path substitutions), we could completely avoid path
building and just pass around state identifiers, but let's keep things
simple for the time being.

It's worth noting that `regex-automata` is fairly complete, but doesn't
support some of the more advanced features of PCRE.  Nobody apparently
uses these features when writing SELinux policy, though, as the
labelling on the booted container is 100% correct (as reported by
`restorecon`).

Still: doing the work ourselves means that we don't need to take a
dependency on an external library which might change its behaviour in
the future.  The labelling sits on our critical "must be deterministic"
path, so this is quite nice.

Closes #29

Signed-off-by: Allison Karlitskaya <[email protected]>

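As an added illustration (not code from this PR or the project, which is written in Rust and uses `regex-automata`), the following Python script shows the labelling logic this commit message describes: parse a file_contexts-style spec list, and for each entry of an in-memory tree take the first spec whose regex (matched against the whole path, as libselinux anchors them) and optional file-type flag match, then record that context as the label. It also reads the policy type from `/etc/selinux/config` as the earlier comment suggests, with "targeted" as the fallback the description lists as a to-do. The config text, the spec list and the tree are constructed samples; ordering the sample most-specific first so that the first match wins is an assumption of this example, since a real file_contexts file relies on libselinux to order its entries.

```python
"""Added example, not code from this PR: label an in-memory file tree from a
file_contexts-style spec list (first matching entry wins) and read the policy
type from /etc/selinux/config. Uses Python's `re` instead of regex-automata."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of /etc/selinux/config.
SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

# file_contexts type flags: an entry with a flag applies only to that kind of inode.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "fifo"}

# Constructed spec list in file_contexts syntax: <regex> [<flag>] <context>|<<none>>.
# Assumption of this example: entries are already ordered most-specific first,
# so the first match decides the label.
FILE_CONTEXTS = """\
/etc/passwd               --  system_u:object_r:passwd_file_t:s0
/run/systemd(/.*)?            system_u:object_r:init_var_run_t:s0
/run(/.*)?                    system_u:object_r:var_run_t:s0
/etc(/.*)?                    system_u:object_r:etc_t:s0
/usr/bin(/.*)?                system_u:object_r:bin_t:s0
/proc                     -d  <<none>>
/.*                           system_u:object_r:default_t:s0
"""

# Constructed in-memory tree: path -> inode kind.
TREE = {
    "/": "dir",
    "/etc": "dir",
    "/etc/passwd": "file",
    "/run": "dir",
    "/run/systemd": "dir",
    "/run/systemd/volatile-root": "symlink",
    "/usr/bin/bash": "file",
    "/proc": "dir",
}


class Spec(NamedTuple):
    regex: "re.Pattern[str]"  # matched with fullmatch: file_contexts rules are anchored
    kind: Optional[str]       # None = any inode kind, else a TYPE_FLAGS value
    context: Optional[str]    # None encodes <<none>>: leave the file unlabelled


def policy_type(config_text: str) -> Optional[str]:
    """Return SELINUXTYPE from /etc/selinux/config text, or None if it is not set."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("SELINUXTYPE="):
            return line.split("=", 1)[1].strip()
    return None


def file_contexts_path(policy: str) -> str:
    """Location of the file_contexts database for a policy type."""
    return f"/etc/selinux/{policy}/contexts/files/file_contexts"


def parse_file_contexts(text: str) -> List[Spec]:
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, flag, ctx = parts
            kind: Optional[str] = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            pattern, ctx = parts
            kind = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(Spec(re.compile(pattern), kind, None if ctx == "<<none>>" else ctx))
    return specs


def label_for(specs: List[Spec], path: str, kind: str) -> Optional[str]:
    """First spec whose kind and anchored regex match decides; None means no label."""
    for spec in specs:
        if spec.kind is not None and spec.kind != kind:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def relabel_tree(specs: List[Spec], tree: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Compute the security.selinux value for every entry of an in-memory tree."""
    return {path: label_for(specs, path, kind) for path, kind in tree.items()}


if __name__ == "__main__":
    policy = policy_type(SELINUX_CONFIG) or "targeted"
    print("policy:", policy, "->", file_contexts_path(policy))
    for path, label in relabel_tree(parse_file_contexts(FILE_CONTEXTS), TREE).items():
        print(f"{path:30} {label or '<unlabelled>'}")
```

Two things worth noticing when running it: the symlink `/run/systemd/volatile-root` comes out as `init_var_run_t`, the same `tcontext` that appears in the AVC record quoted in the PR description, and `/etc/passwd` only gets `passwd_file_t` when it is a regular file, because the `--` flag excludes symlinks and directories. Python's `re` accepts more syntax than `regex-automata` (backreferences, lookaround), so a regex that compiles here is not guaranteed to compile in the project's matcher.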
We can now run the container with SELinux enabled and enforcing, with
only one very minor issue: our `/run/systemd/volatile-root` hack is
causing an AVC rejection with the GPT scanner.  We can put it into
permissive mode until we find a better solution.

Signed-off-by: Allison Karlitskaya <[email protected]>

@allisonkarlitskaya changed the title from "WIP: selinux support" to "selinux relabel support" on Nov 10, 2024
@allisonkarlitskaya merged commit 0eb996a into main on Nov 11, 2024 (2 checks passed)
Development

Successfully merging this pull request may close these issues: SELinux support for oci create-image