-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Supporting SELinux in the coreutils
SELinux stands for Security Enhanced Linux. An excerpt from the official documentation:
Security Enhanced Linux (SELinux) provides an additional layer of system security. SELinux fundamentally answers the question: May <subject> do <action> to <object>?, for example: May a web server access files in users' home directories?
This page isn't meant to introduce the reader to SELinux (refer to the documentation for this). Instead it attempts to guide developers on how to work with SELinux while implementing coreutils, as some utils have options that work with SELinux (examples include the -Z flag present in cp, install and others).
This feature is only available in unprivileged mode on Linux systems (#![cfg(all(target_os = "linux", not(target_env = "kernel")))]).
All SELinux-related features are feature gated by the feat_selinux argument, which isn't included in the default features. In order to activate SELinux in the built binaries, please provide the --features feat_selinux argument to cargo, like this:
# Build 'id' with SELinux
$ cargo build -p uu_id --no-default-features --features feat_selinux
# Build 'id' without SELinux
$ cargo build -p uu_id --no-default-featuresInterfacing with SELinux from Rust is handled by the selinux crate.
An existing implementation of SELinux can be found in the id util, the changes that introduced it are found in this commit.
Githubs CI/CD runners don't permit using SELinux. As such, any features that rely on SELinux cannot be tested through CI/CD and thus can only be tested by developers that have appropriate host devices or virtual machines at their disposal.
This limitation stems from the fact that Github runners are containers that are spawned inside a VM running Ubuntu. The Ubuntu installations used for this don't run SELinux-enabled kernels, and as containers interface with the Host kernels, these can't use SELinux either. Red Hat Enterprise Linux-like distributions (e.g., Fedora, CentOS, RockyLinux) are suitable for testing software based on SELinux, either on hardware or inside virtual machines, but not in containers.