

Add ostree selinux module for transient etc
When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc
from the initrd. This overlay mount will have the context kernel_t, meaning
that not only will an external process need to pass its selinux checks against
the overlay file, the overlay filesystem itself needs to pass the selinux check
against the overlayfs upper/work dirs.

Unfortunately, for historical reasons kernel_t doesn't really have any permissions in
the selinux, so the overlayfs will not be able to do most operations against the etc_t
(and similar) upper files.

To fix this we make the kernel context unconfined. It essentially is
anyway, as the kernel is the entity that validates the permissions
anyway. This was the recommended approach by Dan Walsh to solve this
issue.

Signed-off-by: Alexander Larsson <[email protected]>
alexlarsson committed Oct 2, 2023
1 parent 5e3ee4c commit b143fdf
Showing 8 changed files with 69 additions and 0 deletions.
1 change: 1 addition & 0 deletions Makefile-decls.am
Expand Up @@ -24,6 +24,7 @@ NULL =
BUILT_SOURCES =
MANPAGES =
CLEANFILES =
DISTCLEANFILES =
EXTRA_DIST =
bin_PROGRAMS =
sbin_PROGRAMS =
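--- a/Makefile-selinux.am
+++ b/Makefile-selinux.am
@@ -0,0 +1,18 @@
+if BUILD_SELINUX_MODULE
+selinux_moduledir = ${datadir}/selinux/packages
+selinux_module_DATA = $(NULL)
+
+ostree.pp.bz2: selinux/ostree.te selinux/ostree.fc selinux/build-selinux.sh
+$(srcdir)/selinux/build-selinux.sh . $^
+
+selinux_module_DATA += ostree.pp.bz2
+endif
+
+EXTRA_DIST += \
+selinux/build-selinux.sh \
+selinux/ostree.te \
+selinux/ostree.fc \
+selinux/ostree.if \
+$(NULL)
+
+DISTCLEANFILES += ostree.pp.bz2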
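Review bot: `selinux/ostree.if` is listed in EXTRA_DIST but is neither a prerequisite of the `ostree.pp.bz2` rule nor passed to build-selinux.sh via `$^`, so it never reaches the temporary build directory and an edit to it would not trigger a rebuild; any interfaces declared there would presumably be invisible to the policy build. Add it to the rule: `ostree.pp.bz2: selinux/ostree.te selinux/ostree.fc selinux/ostree.if selinux/build-selinux.sh`. Note also that `$^` includes build-selinux.sh itself, which the script then copies into its temp dir next to the policy sources; harmless, but a comment on the rule saying the script is listed only so that script changes force a rebuild would save the next reader a puzzle.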
1 change: 1 addition & 0 deletions Makefile.am
Expand Up @@ -138,6 +138,7 @@ include Makefile-tests.am
include Makefile-boot.am
include Makefile-man.am
include Makefile-bash.am
include Makefile-selinux.am

release-tag:
cd $(srcdir) && git $(srcdir) tag -m "Release $(VERSION)" v$(VERSION)
12 changes: 12 additions & 0 deletions configure.ac
Expand Up @@ -681,6 +681,17 @@ AM_COND_IF([BUILDOPT_IS_DEVEL_BUILD],
release_build_type=release)
OSTREE_FEATURES="$OSTREE_FEATURES $release_build_type"

AC_ARG_ENABLE(selinux-module,
[AS_HELP_STRING([--enable-selinux-module],[Enable selinux module for system-helper])],
enable_selinux_module=$enableval, enable_selinux_module=auto)
if test x$enable_selinux_module = xauto ; then
AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [enable_selinux_module=yes], [enable_selinux_module=no])
fi
if test x$enable_selinux_module = xyes ; then
AC_CHECK_FILE([/usr/share/selinux/devel/Makefile], [], [AC_MSG_ERROR([selinux-policy-devel needed to build selinux module])])
fi
AM_CONDITIONAL(BUILD_SELINUX_MODULE, test x$enable_selinux_module = xyes)

# P2P API is public in OSTree >= 2018.6
OSTREE_FEATURES="$OSTREE_FEATURES p2p"

Expand Down Expand Up @@ -722,6 +733,7 @@ echo "
dracut: $with_dracut
mkinitcpio: $with_mkinitcpio
Static compiler for ostree-prepare-root: $with_static_compiler
Build selinux module: $enable_selinux_module
Composefs: $with_composefs"
AS_IF([test x$with_builtin_grub2_mkconfig = xyes], [
echo " builtin grub2-mkconfig (instead of system): $with_builtin_grub2_mkconfig"
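Review bot: The `auto` default in the first hunk makes configure abort for cross builds, because `AC_CHECK_FILE` refuses to run when `cross_compiling` is yes and raises a fatal error rather than taking the not-found branch; since `auto` is the default, every cross-compiling user hits this without having asked for the module. Short-circuit it before the existing check: `AS_IF([test x$enable_selinux_module = xauto && test "$cross_compiling" = yes], [enable_selinux_module=no])`. The help string `Enable selinux module for system-helper` also names a "system-helper" that nothing else in this change refers to; `[Build the ostree SELinux policy module]` describes what the option actually controls.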
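--- a/selinux/build-selinux.sh
+++ b/selinux/build-selinux.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Copyright 2023 Red Hat Inc.
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -x
+set -eu
+
+TMP=$(mktemp -d selinux-build-XXXXXX)
+output="$1"
+shift
+cp -- "$@" "$TMP/"
+
+make -C "$TMP" -f /usr/share/selinux/devel/Makefile ostree.pp
+bzip2 -9 "$TMP/ostree.pp"
+cp "$TMP/ostree.pp.bz2" "$output"
+rm -fr "$TMP"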
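Review bot: The final `rm -fr "$TMP"` only runs when every preceding command succeeds, because `set -e` exits the script on the first failure; a failing `make` or `bzip2` leaves a `selinux-build-XXXXXX` directory behind in the build tree on every attempt. Register the cleanup right after the directory is created instead, `trap 'rm -rf "$TMP"' EXIT`, and drop the trailing rm. The policy name `ostree.pp` is hard-coded in the make target, bzip2 and cp lines while the inputs arrive as arguments, which is fine for a project-local helper but deserves a one-line comment so nobody reuses the script for a second module unchanged.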
Empty file added selinux/ostree.fc
Empty file.
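--- a/selinux/ostree.if
+++ b/selinux/ostree.if
@@ -0,0 +1 @@
+## <summary>selinux</summary>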
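--- a/selinux/ostree.te
+++ b/selinux/ostree.te
@@ -0,0 +1,20 @@
+policy_module(ostree, 1.0)
+
+gen_require(`
+type kernel_t;
+')
+
+# When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc
+# from the initrd. This overlay mount will have the context kernel_t, meaning
+# that not only will an external process need to pass its selinux checks against
+# the overlay file, the overlay filesystem itself need to pass the selinux check
+# against the overlayfs upper/work dirs.
+#
+# Unfortunately, for historical reasons kernel_t doesn't really have any permissions in
+# the selinux, so the overlayfs will not be able to do most operations against the etc_t
+# (and similar) upper files.
+#
+# To fix this we make the kernel context unconfined. It essentially is anyway, as
+# the kernel is the entity that validates the permissions anyway.
+
+unconfined_domain(kernel_t)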
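Review bot: `unconfined_domain(kernel_t)` on the last line relaxes the whole kernel_t domain, so the change applies to everything that runs in that context (kernel threads, and any early process that has not transitioned), not only to the overlayfs mount on /etc that the header comment motivates; a consequence is that AVC denials for kernel_t will no longer be logged, which removes a signal defenders currently have. The header comment should say this explicitly rather than leaving the reader to infer it, e.g. `# NOTE: this makes kernel_t unconfined system-wide, not only for the /etc overlay; kernel_t denials will no longer be audited.` It would also be worth recording in the comment whether a narrower fix was considered, i.e. allow rules scoped to the object classes and permissions the overlay actually needs on etc_t and the other upper-dir types, and why it was rejected, since the commit message only cites the recommendation and not the trade-off. Finally, the module version `1.0` in `policy_module` will need bumping whenever these rules change, so a short note on that convention at the top would help future edits.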
