Add ostree selinux module for transient etc
When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc from the initrd. This overlay mount will have the context kernel_t, meaning that not only will an external process need to pass its selinux checks against the overlay file, the overlay filesystem itself needs to pass the selinux check against the overlayfs upper/work dirs.

Unfortunately, for historical reasons kernel_t doesn't really have any permissions in the selinux, so the overlayfs will not be able to do most operations against the etc_t (and similar) upper files.

To fix this we make the kernel context unconfined. It essentially is anyway, as the kernel is the entity that validates the permissions anyway.

This was the recommended approach by Dan Walsh to solve this issue.

Signed-off-by: Alexander Larsson <[email protected]>
1 parent 073a65c, commit 4b65d2d. Showing 8 changed files with 69 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
if BUILD_SELINUX_MODULE | ||
selinux_moduledir = ${datadir}/selinux/packages | ||
selinux_module_DATA = $(NULL) | ||
|
||
ostree.pp.bz2: selinux/ostree.te selinux/ostree.fc selinux/build-selinux.sh | ||
$(srcdir)/selinux/build-selinux.sh . $^ | ||
|
||
selinux_module_DATA += ostree.pp.bz2 | ||
endif | ||
|
||
EXTRA_DIST += \ | ||
selinux/build-selinux.sh \ | ||
selinux/ostree.te \ | ||
selinux/ostree.fc \ | ||
selinux/ostree.if \ | ||
$(NULL) | ||
|
||
DISTCLEANFILES += ostree.pp.bz2 |
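Review bot: ostree.pp.bz2 is a build product, so it belongs in CLEANFILES rather than only in DISTCLEANFILES; as written, `make clean` leaves the compiled module behind in the build tree. Separately, selinux/ostree.if is shipped via EXTRA_DIST but is not a prerequisite of the ostree.pp.bz2 rule, so it is never passed to build-selinux.sh through `$^`; either add it to the rule's prerequisites or drop it from EXTRA_DIST so the two lists agree. Minor: `${datadir}` uses shell-style braces where the rest of the fragment uses `$(...)`.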
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
#!/bin/sh | ||
# Copyright 2023 Red Hat Inc. | ||
# SPDX-License-Identifier: LGPL-2.1-or-later | ||
|
||
set -x | ||
set -eu | ||
|
||
TMP=$(mktemp -d selinux-build-XXXXXX) | ||
output="$1" | ||
shift | ||
cp -- "$@" "$TMP/" | ||
|
||
make -C "$TMP" -f /usr/share/selinux/devel/Makefile ostree.pp | ||
bzip2 -9 "$TMP/ostree.pp" | ||
cp "$TMP/ostree.pp.bz2" "$output" | ||
rm -fr "$TMP" |
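Review bot: the temporary directory is not cleaned up on failure: under `set -eu`, an error in `make` or `bzip2` exits the script before the final `rm -fr "$TMP"`, and because mktemp is called with a relative template the leftover selinux-build-XXXXXX directory lands in the current working directory rather than under $TMPDIR. Register the cleanup once, right after mktemp, with `trap 'rm -rf "$TMP"' EXIT`, and consider `mktemp -d -t selinux-build-XXXXXX` so the scratch space lives in the usual temp location. `set -x` also makes every build print a full shell trace; dropping it, or gating it on an environment variable, keeps normal build logs readable.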
Empty file.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
## <summary>selinux</summary> |
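Review bot: the `<summary>` text should describe this module rather than read just `selinux`, since it is what policy documentation tooling displays for the interface file; something like `## <summary>ostree transient /etc overlay support</summary>` would do. If the file is meant to stay without interfaces, a one-line comment saying so explains why it is distributed at all.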
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
policy_module(ostree, 1.0) | ||
|
||
gen_require(` | ||
type kernel_t; | ||
') | ||
|
||
# When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc | ||
# from the initrd. This overlay mount will have the context kernel_t, meaning | ||
# that not only will an external process need to pass its selinux checks against | ||
# the overlay file, the overlay filesystem itself need to pass the selinux check | ||
# against the overlayfs upper/work dirs. | ||
# | ||
# Unfortunately, for historical reasons kernel_t doesn't really have any permissions in | ||
# the selinux, so the overlayfs will not be able to do most operations against the etc_t | ||
# (and similar) upper files. | ||
# | ||
# To fix this we make the kernel context unconfined. It essentially is anyway, as | ||
# the kernel is the entity that validates the permissions anyway. | ||
|
||
unconfined_domain(kernel_t) |
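Review bot: `unconfined_domain(kernel_t)` makes the entire kernel_t domain unconfined system-wide, not only for the overlayfs upper/work directories under /etc that the comment describes, so the comment should state that scope explicitly and record why narrower allow rules from kernel_t to etc_t (and the similar types mentioned) were not chosen; that lets a future reader judge whether the blanket grant can be tightened if the overlay is later mounted from a different context. Style: the last paragraph of the comment says "anyway" twice in one sentence; dropping one reads better.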