diff --git a/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch b/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
new file mode 100644
index 00000000000..082bb7968b7
--- /dev/null
+++ b/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
@@ -0,0 +1,38 @@
+From 6fe401628d5671cf2f7683e4e0a04b9dcefb0180 Mon Sep 17 00:00:00 2001
+From: George Mileka
+Date: Mon, 25 Nov 2024 16:27:41 -0800
+Subject: [PATCH] Handle SELinux configuration for overlayfs folders.
+
+When SELinux is enabled, the root folder '/' is expected to be marked
+'root_t' - otherwise, SELinux will deny access calls.
+
+When an overlay is created for the root folder, it is created using
+the lower and upper folders. The upper folder is created on tmpfs,
+and subsequently getted the 'tmpfs_t' assigned by inheritence.
+When the root overlay is created, it inherits the 'tmpfs_t'.
+
+Now, we have a conflict between what SELinux expects ('root_t') and
+what we ended-up with ('tmpfs_t') leading to denials and failing to
+complete the boot successfully.
+
+This patch injects a script ('azl-configure-sellinux.sh') that will
+run after Dracut's SELinux module runs, and assigns the right SELinux
+types (i.e. 'root_t') to the overlay folders. That way, when pivoting
+takes place, the visible root folder has the right SELinux labeling.
+---
+ modules.d/90overlayfs/module-setup.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules.d/90overlayfs/module-setup.sh b/modules.d/90overlayfs/module-setup.sh
+index dae20093..919df4f5 100755
+--- a/modules.d/90overlayfs/module-setup.sh
++++ b/modules.d/90overlayfs/module-setup.sh
+@@ -17,4 +17,5 @@ install() {
+ inst_hook pre-mount 01 "$moddir/prepare-overlayfs.sh"
+ inst_hook mount 01 "$moddir/mount-overlayfs.sh" # overlay on top of block device
+ inst_hook pre-pivot 10 "$moddir/mount-overlayfs.sh" # overlay on top of network device (e.g. nfs)
++ inst_hook pre-pivot 70 "$moddir/azl-configure-selinux.sh"
+ }
+--
+2.34.1
+
diff --git a/SPECS/dracut/90overlayfs/azl-configure-selinux.sh b/SPECS/dracut/90overlayfs/azl-configure-selinux.sh
new file mode 100644
index 00000000000..3670b00ed69
--- /dev/null
+++ b/SPECS/dracut/90overlayfs/azl-configure-selinux.sh
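Review bot: The new `inst_hook pre-pivot 70` line carries no comment although its ordering is the whole point of the change: it must run after the overlay is mounted (the `pre-pivot 10` hook above it) and after the selinux module's own pre-pivot hook has loaded policy (presumably registered at a lower number), which the commit message explains but the code does not. I would add a trailing comment in the style of the neighbouring lines: `inst_hook pre-pivot 70 "$moddir/azl-configure-selinux.sh" # relabel overlay dirs; must run after the overlay mount and 98selinux's policy load`. Note also that the commit message calls the script 'azl-configure-sellinux.sh' while the hook installs 'azl-configure-selinux.sh', and that the script is not part of this patch but arrives through the spec's Source14, so the initramfs build only works if both land together. The `install()` function continues outside the hunk.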
@@ -0,0 +1,34 @@
+#!/bin/sh
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+
+# If SELinux is disabled exit now
+getarg "selinux=0" > /dev/null && return 0
+
+SELINUX="enforcing"
+# shellcheck disable=SC1090
+[ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
+[ "$SELINUX" == "disabled" ] && return 0
+
+getargbool 0 rd.live.overlay.overlayfs && overlayfs="yes"
+
+if [ -n "$overlayfs" ]; then
+
+ # Get the current root folder context
+ rootDirContext=$($NEWROOT/usr/sbin/matchpathcon -f $NEWROOT/etc/selinux/targeted/contexts/files/file_contexts -m dir /)
+
+ # Parse the context to extract the root folder '/' context type.
+ # The line should be on the form: "/ system_u:object_r:root_t:s0"
+
+ # Split folder and context
+ IFS='\t' read -r _ selinuxContext <<< "$rootDirContext"
+ echo "root folder context: ($selinuxContext)"
+
+ # Split context and extract its type
+ IFS=':' read -r _ _ contextType _ <<< "$selinuxContext"
+ echo "root folder label : ($contextType)"
+
+ # Set the type on the target folders
+ [ -e /sysroot ] && chcon -t $contextType /sysroot
+ [ -e /run/overlayfs ] && chcon -t $contextType /run/overlayfs
+ [ -e /run/ovlwork ] && chcon -t $contextType /run/ovlwork
+fi
diff --git a/SPECS/dracut/dracut.signatures.json b/SPECS/dracut/dracut.signatures.json
index adc514e9058..65ce41c8701 100644
--- a/SPECS/dracut/dracut.signatures.json
+++ b/SPECS/dracut/dracut.signatures.json
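Review bot: `IFS='\t'` on the first `read` sets IFS to the two literal characters backslash and `t`, not a tab, so `selinuxContext` becomes whatever follows the first `t` of matchpathcon's output (e.g. `em_u:object_r:root_t:s0`); the second `read` still lands on the type field by coincidence, but the logged context is wrong and the parse is fragile. The here-strings are bash-only under a `#!/bin/sh` shebang, the `targeted` policy directory is hard-coded even though the script has just sourced `$NEWROOT/etc/selinux/config` (which conventionally defines `SELINUXTYPE`), and an empty `contextType` (matchpathcon missing or failing) reaches the unquoted `chcon -t $contextType` and runs as `chcon -t /sysroot`. I would ask matchpathcon for the context only with `-n`, take the type with POSIX parameter expansion, quote the expansions, and refuse to relabel when no type was found, as below. Since the file is a sourced pre-pivot hook (inferred from the top-level `return 0` it already uses), `return` is the right way to bail out.
```shell
if [ -n "$overlayfs" ]; then

    # -n prints only the context column, so no tab-splitting is needed.
    fileContexts="$NEWROOT/etc/selinux/${SELINUXTYPE:-targeted}/contexts/files/file_contexts"
    selinuxContext=$("$NEWROOT/usr/sbin/matchpathcon" -n -f "$fileContexts" -m dir /)
    echo "root folder context: ($selinuxContext)"

    # The type is the third ':'-separated field (user:role:type[:range]).
    contextType=${selinuxContext#*:*:}
    contextType=${contextType%%:*}
    echo "root folder label : ($contextType)"

    if [ -z "$contextType" ]; then
        warn "azl-configure-selinux: could not determine the SELinux type of '/'; overlay folders left unlabeled"
        return 0
    fi

    # Set the type on the target folders
    [ -e /sysroot ] && chcon -t "$contextType" /sysroot
    [ -e /run/overlayfs ] && chcon -t "$contextType" /run/overlayfs
    [ -e /run/ovlwork ] && chcon -t "$contextType" /run/ovlwork
fi
```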
@@ -6,6 +6,7 @@
 "00-vrf.conf": "e2885a4b090d8ca3771e60ce6dcd8b849e28ce5002a5c7b71ff796a92deb2810",
 "00-xen.conf": "8b7a89b7716cb40a9c0d681caed6994d81ff4dfad4fe50cea15cd47b885dc5a6",
 "50-noxattr.conf": "61d95f05890ac6ee3355d0a386dd5645d82b7a4202d90305d997fd18c6d139dd",
+ "azl-configure-selinux.sh": "5f526509910fccdc2dffad4ef5070740847195510e3faefff39b831c9d28a439",
 "azl-liveos-artifacts-download.service": "888be8c82297cccd510d7f963611c2360ae67559826b2b474da6d9935237de64",
 "azl-liveos-artifacts-download.sh": "f21dc68de8c81d8a8128e7a9d7be45d25978f0b5e47a4cf1a2d97b1e171ec045",
 "dracut-102.tar.gz": "601b175cbf4d2ee902bb7bda3af8826ae2ca060c1af880f6da5a833413f4ec70",
diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec
index ade311b548c..f6a3b8568bd 100644
--- a/SPECS/dracut/dracut.spec
+++ b/SPECS/dracut/dracut.spec
@@ -4,7 +4,7 @@
 Summary: dracut to create initramfs
 Name: dracut
 Version: 102
-Release: 7%{?dist}
+Release: 8%{?dist}
 # The entire source code is GPLv2+
 # except install/* which is LGPLv2+
 License: GPLv2+ AND LGPLv2+
@@ -30,6 +30,7 @@ Source11: 50-noxattr.conf
 # code reviews given that they are new to Dracut.
 Source12: 90livenet/azl-liveos-artifacts-download.service
 Source13: 90livenet/azl-liveos-artifacts-download.sh
+Source14: 90overlayfs/azl-configure-selinux.sh
 
 # allow-liveos-overlay-no-user-confirmation-prompt.patch has been introduced by
 # the Azure Linux team to allow skipping the user confirmation prompt during
@@ -53,6 +54,7 @@ Patch: 0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch
 Patch: 0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch
 Patch: 0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch
 Patch: 0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch
+Patch: 0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
 
 BuildRequires: bash
 BuildRequires: kmod-devel
@@ -205,6 +207,8 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/dracut.conf.d/50-noxattr.
 install -m 0644 %{SOURCE12} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.service
 install -m 0755 %{SOURCE13} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.sh
 
+install -m 0755 %{SOURCE14} %{buildroot}%{dracutlibdir}/modules.d/90overlayfs/azl-configure-selinux.sh
+
 mkdir -p %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/
 install -p -m 0755 %{SOURCE4} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/
 install -p -m 0755 %{SOURCE5} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/
@@ -310,6 +314,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name}
 %dir %{_sharedstatedir}/%{name}/overlay
 
 %changelog
+* Mon Dec 09 2024 George Mileka - 102-8
+- Augment overlayfs with selinux handling.
+
 * Thu Oct 31 2024 George Mileka - 102-7
 - Augment livenet module with a download daemon.
 
diff --git a/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch b/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch
new file mode 100644
index 00000000000..3d7d3cc9a92
--- /dev/null
+++ b/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch
@@ -0,0 +1,223 @@
+From 43b44054474cf139ee11afa386f0d4e5b2204a07 Mon Sep 17 00:00:00 2001
+From: George Mileka
+Date: Fri, 6 Dec 2024 14:21:18 -0800
+Subject: [PATCH] Enable LiveOS ISO Flow
+
+In the LiveOS ISO flow, when selinux is enabled, initrd loads the
+default selinux policy from the rootfs, then transitions to the
+the rootfs where the final OS processes are started.
+
+The problem is that selinux denies many of these processes access
+to a number of resources (mostly file descriptors, but here is also
+access to the boot media, and other resources).
+
+This patch allows these failing processes access to the resources
+they need.
+---
+ policy/modules/admin/usermanage.te | 2 ++
+ policy/modules/apps/loadkeys.te | 2 ++
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.te | 1 +
+ policy/modules/system/authlogin.te | 1 +
+ policy/modules/system/getty.te | 2 ++
+ policy/modules/system/init.te | 7 +++++++
+ policy/modules/system/locallogin.te | 1 +
+ policy/modules/system/selinuxutil.te | 2 ++
+ policy/modules/system/udev.te | 2 ++
+ 11 files changed, 57 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 57a9848bc..ef24fb85b 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -317,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
+ allow passwd_t self:sem create_sem_perms;
+ allow passwd_t self:msgq create_msgq_perms;
+ allow passwd_t self:msg { send receive };
++allow passwd_t kernel_t:fd use;
+ 
+ allow passwd_t crack_db_t:dir list_dir_perms;
+ read_lnk_files_pattern(passwd_t, crack_db_t, crack_db_t)
+@@ -492,6 +493,7 @@ allow useradd_t self:unix_dgram_socket create_socket_perms;
+ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
++allow useradd_t kernel_t:fd use;
+ 
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
+index 2263e9dba..61d098341 100644
+--- a/policy/modules/apps/loadkeys.te
++++ b/policy/modules/apps/loadkeys.te
+@@ -21,6 +21,8 @@ allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_c
+ allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+ allow loadkeys_t self:unix_stream_socket { connect create };
+ 
++kernel_getattr_unlabeled_dirs(loadkeys_t)
++kernel_use_fds(loadkeys_t)
+ kernel_read_system_state(loadkeys_t)
+ 
+ init_use_fds(loadkeys_t)
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 35e14a021..13026d7a0 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -2206,6 +2206,24 @@ interface(`dev_setattr_input_dev',`
+ allow $1 event_device_t:chr_file setattr;
+ ')
+ 
++########################################
++##
++## Get the attributes of the event devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_input_dev',`
++ gen_require(`
++ type event_device_t;
++ ')
++
++ allow $1 event_device_t:chr_file read_chr_file_perms;
++')
++
+ ########################################
+ ##
+ ## Read input event devices (/dev/input).
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1d696a07c..90583facf 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -330,6 +330,25 @@ interface(`kernel_stream_connect',`
+ allow $1 kernel_t:unix_stream_socket connectto;
+ ')
+ 
++########################################
++##
++## Connect to kernel using a unix
++## domain stream socket.
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_stream_read_write',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { rw_socket_perms };
++')
++
+ ########################################
+ ##
+ ## Getattr on kernel unix datagram sockets.
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index ea08036b6..59c1afeaf 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -238,6 +238,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ #
+ 
+ allow kernel_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
++allow kernel_t self:capability2 checkpoint_restore;
+ allow kernel_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+ allow kernel_t self:shm create_shm_perms;
+ allow kernel_t self:sem create_sem_perms;
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 9dfef7a0c..791be68c2 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -116,6 +116,7 @@ allow chkpwd_t self:process { getattr signal };
+ dontaudit chkpwd_t self:process getcap;
+ 
+ allow chkpwd_t shadow_t:file read_file_perms;
++allow chkpwd_t kernel_t:fd use;
+ files_list_etc(chkpwd_t)
+ 
+ kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index a900226bf..360f7c67f 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -37,6 +37,8 @@ dontaudit getty_t self:capability sys_tty_config;
+ allow getty_t self:capability2 checkpoint_restore;
+ allow getty_t self:process { getpgid getsession setpgid signal_perms };
+ allow getty_t self:fifo_file rw_fifo_file_perms;
++allow getty_t kernel_t:fd use;
++allow getty_t tmpfs_t:dir search;
+ 
+ read_files_pattern(getty_t, getty_conf_t, getty_conf_t)
+ read_lnk_files_pattern(getty_t, getty_conf_t, getty_conf_t)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 9ec685c74..a1d90762b 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1542,12 +1542,19 @@ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
+ 
++########################################
++#
++# Rules applied to all system processes
++#
++kernel_use_fds(systemprocess)
++
+ ########################################
+ #
+ # Rules applied to all daemons
+ #
+ 
+ domain_dontaudit_use_interactive_fds(daemon)
++kernel_use_fds(daemon)
+ 
+ # daemons started from init will
+ # inherit fds from init for the console
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 8330be8a9..9f2f160a4 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -47,6 +47,7 @@ allow local_login_t self:sem create_sem_perms;
+ allow local_login_t self:msgq create_msgq_perms;
+ allow local_login_t self:msg { send receive };
+ allow local_login_t self:key { search write link };
++allow local_login_t kernel_t:fd use;
+ 
+ allow local_login_t local_login_lock_t:file manage_file_perms;
+ files_lock_filetrans(local_login_t, local_login_lock_t, file)
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 8e521e583..c7fb76550 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -119,6 +119,8 @@ type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
+ type setfiles_exec_t alias restorecon_exec_t;
+ init_system_domain(setfiles_t, setfiles_exec_t)
+ domain_obj_id_change_exemption(setfiles_t)
++dev_read_input_dev(setfiles_t)
++kernel_stream_read_write(setfiles_t)
+ 
+ ########################################
+ #
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 8af0d90e0..a7bb89658 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -57,6 +57,8 @@ allow udev_t self:rawip_socket create_socket_perms;
+ # rdma_rename
+ allow udev_t self:netlink_rdma_socket create_socket_perms;
+ 
++fs_getattr_iso9660_files(udev_t)
++
+ ifdef(`init_systemd',`
+ # systemd-vconsole-setup will be called by udev during virtual terminal initialization
+ allow udev_t self:capability sys_tty_config;
+--
+2.34.1
+
diff --git a/SPECS/selinux-policy/selinux-policy.spec b/SPECS/selinux-policy/selinux-policy.spec
index 8389a1a3166..7fd00e11c04 100644
--- a/SPECS/selinux-policy/selinux-policy.spec
+++ b/SPECS/selinux-policy/selinux-policy.spec
@@ -9,7 +9,7 @@
 Summary: SELinux policy
 Name: selinux-policy
 Version: %{refpolicy_major}.%{refpolicy_minor}
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -56,6 +56,7 @@ Patch34: 0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch
 Patch35: 0035-rpm-Run-systemd-sysctl-from-post.patch
 Patch36: 0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch
 Patch37: 0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch
+Patch38: 0038-enable-liveos-iso-flow.patch
 BuildRequires: bzip2
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER}
 BuildRequires: m4
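Review bot: `kernel_use_fds(systemprocess)` and `kernel_use_fds(daemon)` in the init.te part are the broadest rules in this patch — every daemon and every system process may now use any file descriptor owned by kernel_t — while the same patch also adds per-domain `allow … kernel_t:fd use;` for passwd_t, useradd_t, chkpwd_t, getty_t and local_login_t, so it is unclear which denials the blanket rules still cover; if the descriptors inherited from the initrd are merely leaked rather than read or written, refpolicy's `kernel_dontaudit_use_fds()` would silence the audit noise without widening access. The two new interfaces carry summaries copied from their neighbours that do not describe what they grant: `kernel_stream_read_write` says "Connect to kernel using a unix domain stream socket" but allows `rw_socket_perms`, and `dev_read_input_dev` says "Get the attributes of the event devices" but allows `read_chr_file_perms`; I would change them to `## Read and write kernel unix domain stream sockets.` and `## Read the input event devices (/dev/input).`, and the braces around the single macro in `{ rw_socket_perms }` can go. Giving setfiles_t read access to input devices and read/write on kernel_t stream sockets is surprising for a relabeling tool, so it is worth confirming from the raw AVC records that the denied permission was really `read`/`write` and not only `getattr` on an inherited descriptor before granting the wider set. For consistency with `kernel_use_fds(loadkeys_t)` in the same patch, the raw `allow … kernel_t:fd use;` lines and `allow getty_t tmpfs_t:dir search;` should go through the interfaces (`kernel_use_fds()`, `fs_search_tmpfs()`) rather than naming kernel-layer types directly in other modules.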
@@ -327,11 +328,14 @@ exit 0
 selinuxenabled && semodule -nB
 exit 0
 %changelog
+* Wed Nov 20 2024 George Mileka - 2.20240226-9
+- Enable SELinux for LiveOS ISO.
+
 * Wed Sep 11 2024 Chris PeBenito - 2.20240226-8
 - Add additional required permissions for cloud-utils-growpart.
 - Cherry-pick upstream fix for typo in docker module.
 
-* Mon Aug 13 2024 Chris PeBenito - 2.20240226-7
+* Tue Aug 13 2024 Chris PeBenito - 2.20240226-7
 - Change policy composition so the base module only consits of policy modules that must be in the base. This will allow dowstream users to disable or override the individual policy modules.