From 7eb4d4ecd9f405b3f919477387e7734dd44164a9 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Wed, 20 Dec 2023 11:20:39 +0100
Subject: [PATCH 1/2] SELinux: Label /usr and sysext image contents

So far we did not correctly label /usr because it broke certain things like Docker. With the sysext Docker and new policies we should try again. First generate the policy before branching off the base squashfs (which already misses a lot of things because they the most postprocessing is done late in finish_image!). Then label /usr and also the sysext contents in their folder - not in the overlay mount because this would operate on the whole image.
---
 build_library/build_image_util.sh | 35 +++++++++++++++++++++--------
 build_library/dev_container_util.sh | 2 ++
 build_library/prod_image_util.sh | 15 +++++++++++++
 build_sysext | 1 +
 4 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index a29470dc82..1ec826e163 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -580,6 +580,30 @@ start_image() {
 --board="${BOARD}"
 }
+# Actions common to the dev container and the image
+# but which should be run before the image branches off
+# the base squashfs (used for systemd-sysext image building)
+finish_image_common() {
+ local image_name="$1"
+ local disk_layout="$2"
+ local root_fs_dir="$3"
+ local image_contents="$4"
+ local image_contents_wtd="$5"
+ local image_kernel="$6"
+ local pcr_policy="$7"
+ local image_grub="$8"
+ local image_shim="$9"
+ local image_kconfig="${10}"
+ local image_initrd_contents="${11}"
+ local image_initrd_contents_wtd="${12}"
+ local image_disk_space_usage="${13}"
+
+ # Build the selinux policy
+ if pkg_use_enabled coreos-base/coreos selinux; then
+ sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+ fi
+}
+
 finish_image() {
 local image_name="$1"
 local disk_layout="$2"
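Review bot: `finish_image_common` declares thirteen locals but only `root_fs_dir` is ever read; the other twelve are dead, and the dev-container caller added later in this patch passes just five arguments, so `"$6"` through `"${13}"` expand empty — harmless unless the sourcing script runs with `set -u`, where bash aborts on an unset positional parameter. If the wide signature is deliberate so that callers can hand it the same argument list as `finish_image`, say so in the header comment, e.g. `# Takes the same positional arguments as finish_image; only root_fs_dir is used so far.`, otherwise trim it to `local root_fs_dir="$3"`. Separately, `semodule -s mcs -i *.pp` depends on the unquoted glob matching at least one module: with no `.pp` files bash passes the literal `*.pp` and semodule fails, which is only the right outcome if that non-zero status actually aborts the build (errexit in the caller is not visible from this hunk).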
@@ -694,11 +718,6 @@ EOF
 "${BUILD_DIR}/${image_kconfig}"
 fi
- # Build the selinux policy
- if pkg_use_enabled coreos-base/coreos selinux; then
- sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
- fi
-
 # Run tmpfiles once to make sure that /etc has everything in place before
 # we freeze it in /usr/share/flatcar/etc as lowerdir in the overlayfs.
@@ -731,10 +750,8 @@ EOF
 # The labeling has to be done before moving /etc to /usr/share/flatcar/etc to prevent wrong labels for these files and as
 # the relabeling on boot would cause upcopies in the overlay.
 if pkg_use_enabled coreos-base/coreos selinux; then
- # TODO: Breaks the system:
- # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
- # sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
- # For now we only try it with /etc
+ sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+ sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
 sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
 fi
diff --git a/build_library/dev_container_util.sh b/build_library/dev_container_util.sh
index f87bd1235a..227471c1df 100755
--- a/build_library/dev_container_util.sh
+++ b/build_library/dev_container_util.sh
@@ -112,6 +112,8 @@ create_dev_container() {
 # The remount services are provided by coreos-base/coreos-init
 systemd_enable "${root_fs_dir}" "multi-user.target" "remount-usr.service"
+ finish_image_common "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
+
 finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}"
 declare -a files_to_evaluate
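Review bot: The first new `setfiles` call on `"${root_fs_dir}"` already descends into `/usr` and `/etc`, so the added `/usr` call and the pre-existing `/etc` call re-walk the same trees with the same `file_contexts` and cannot yield different labels; either collapse the three into the single root-wide call, or state in the comment why `/usr` and `/etc` need a second pass. Relabeling the whole root also follows anything still mounted beneath `${root_fs_dir}` at this point in the build, because setfiles crosses filesystem boundaries unless given `-x` — if a build-time bind mount can be present here, add `-x` or exclude the mount point with `-e`. The `if pkg_use_enabled ...` block is complete in the hunk but `finish_image` itself starts and ends outside it. The removed `TODO: Breaks the system` note is replaced only by the commit message's statement that the new policies fix it; a one-line comment recording what was verified (e.g. an enforcing-mode boot of the dev container) would help whoever next hits a denial traced to these labels.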
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index 561766aa21..3af2c9a562 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -92,6 +92,21 @@ create_prod_image() {
 run_ldconfig "${root_fs_dir}"
 run_localedef "${root_fs_dir}"
+ finish_image_common \
+ "${image_name}" \
+ "${disk_layout}" \
+ "${root_fs_dir}" \
+ "${image_contents}" \
+ "${image_contents_wtd}" \
+ "${image_kernel}" \
+ "${image_pcr_policy}" \
+ "${image_grub}" \
+ "${image_shim}" \
+ "${image_kconfig}" \
+ "${image_initrd_contents}" \
+ "${image_initrd_contents_wtd}" \
+ "${image_disk_usage}"
+
 local root_with_everything="${root_fs_dir}"
 # Call helper script for adding sysexts to the base OS.
diff --git a/build_sysext b/build_sysext
index ed05390732..00eb7754fe 100755
--- a/build_sysext
+++ b/build_sysext
@@ -237,6 +237,7 @@ export SOURCE_DATE_EPOCH=$(stat -c '%Y' "${BUILD_DIR}/fs-root/usr/lib/os-release
 # Unmount in order to get rid of the overlay
 umount "${BUILD_DIR}/install-root"
+sudo setfiles -Dv -r "${BUILD_DIR}/install-root" "${BUILD_DIR}/fs-root"/etc/selinux/mcs/contexts/files/file_contexts "${BUILD_DIR}/install-root"/usr
 umount "${BUILD_DIR}/fs-root"
 if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then

From 2d6e8046d8803d839685597cdf3d599758a4b3bd Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Fri, 29 Nov 2024 09:48:48 +0100
Subject: [PATCH 2/2] sec-policy/selinux-docker: add selinux-docker

This is missing for containerd and docker labels:
Current:
```
$ selabel_lookup -k /usr/bin/docker
Default context: system_u:object_r:bin_t:s0
```
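Review bot: The new `setfiles` line in `build_sysext` runs unconditionally, whereas the equivalent calls in `build_image_util.sh` are gated on `pkg_use_enabled coreos-base/coreos selinux`; if the base image under `fs-root` carries no `/etc/selinux/mcs/contexts/files/file_contexts`, setfiles fails and, with errexit in effect, the following `umount "${BUILD_DIR}/fs-root"` is never reached and the mount is left behind. Guard it with `if [[ -f "${BUILD_DIR}/fs-root/etc/selinux/mcs/contexts/files/file_contexts" ]]; then … fi` (or move the unmounts into an EXIT trap so a labeling failure cannot leak the mount). The neighbouring `umount` calls run without `sudo`, so the script is evidently already privileged and the `sudo` prefix on this one line is inconsistent — drop it or explain it. Note also that the sysext's labels are fixed at build time from whatever base image is mounted at `fs-root`; a sysext built against one base and loaded on a base with a different policy will carry stale contexts, which is worth a comment if that combination is meant to be supported.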
Signed-off-by: Mathieu Tortuyaux
---
 .../workflows/portage-stable-packages-list | 1 +
 .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 +
 .../sec-policy/selinux-docker/Manifest | 4 ++++
 .../sec-policy/selinux-docker/metadata.xml | 8 +++++++
 .../selinux-docker-2.20240226-r2.ebuild | 21 +++++++++++++++++++
 .../selinux-docker-2.20240916-r1.ebuild | 21 +++++++++++++++++++
 .../selinux-docker/selinux-docker-9999.ebuild | 21 +++++++++++++++++++
 7 files changed, 77 insertions(+)
 create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest
 create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild

diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 6894ad7faa..9d759e49d0 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -559,6 +559,7 @@ sec-policy/selinux-base
 sec-policy/selinux-base-policy
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+sec-policy/selinux-docker
 sec-policy/selinux-policykit
 sec-policy/selinux-sssd
 sec-policy/selinux-unconfined
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index bfe8b96ed1..c6f0d49527 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -148,6 +148,7 @@ RDEPEND="${RDEPEND}
 sec-policy/selinux-base-policy
 sec-policy/selinux-container
 sec-policy/selinux-dbus
+ sec-policy/selinux-docker
 sec-policy/selinux-policykit
 sec-policy/selinux-unconfined
 sys-apps/acl
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest
new file mode 100644
index 0000000000..5727621b3a
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/Manifest
@@ -0,0 +1,4 @@
+DIST patchbundle-selinux-base-policy-2.20240226-r2.tar.bz2 442650 BLAKE2B f2f7c5e4a595afafc072fd78fc4ef3930cf739d05cbe9670f2fb2956fe84e3045518345e103bc3880603d2562f06ba0597fc005d8d394e9f8cd057363f9bf95f SHA512 2cb00d088eebdb098a6496f156eeb3dcee026fc6e53d732bac5bc8a4cfee1ce3bf2bdbbbfbbe9bba237d61c06f299d96bb9d123a57a44aaaa17cc122e15ea268
+DIST patchbundle-selinux-base-policy-2.20240916-r1.tar.bz2 274891 BLAKE2B 72b8181424450998164979ab582e8edee6d73b9110b4535e7880d1f7c989bd0ac391422872858da7bad3e3d77516996af93aa2f149f7d4a7f8fd329c481964cf SHA512 fd8259c91cc779301d6e0964827133529a9141dc235301da135210ea4359b800023848a25e33c45678477fa4f54e75da51be9ec85a3bed8b07cf5487e73b84f3
+DIST refpolicy-2.20240226.tar.bz2 610561 BLAKE2B 5dc54dcf7238776d4e4b282c1dcbc499f45c0d96676dbf931da39592854034874b5dd6197a2e2776fccec5106d5f245eea3fb9419959bd4d61e9b2c12aeaaa85 SHA512 896a57afb024bd131f25d2831a9a5ac90ee7e5d76b0565bc818c156f6c310d86758bcd4cedbd9df5b29954c9a92a42300d16685a7e07a5efd8f789320724b3f9
+DIST refpolicy-2.20240916.tar.bz2 618218 BLAKE2B d86ca75d254eef10f4aa57ef3977825211200cdf1eaa9bf9d416c9a52acee476b3f8719c3b0c8c17fdff2abc0c396989961e37e313a7b3bd3b4b0266a6280e75 SHA512 a8b6c90f8e186796b4c7db1e2d8ed3c3b8690bb5b8f180dcb6d5468ba80467e2969012c4edddf74429c0f5ce900d68fbbc0c2f8e253165af28f93f191039f064
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml
new file mode 100644
index 0000000000..781bc07e6d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/metadata.xml
@@ -0,0 +1,8 @@
+ + + + selinux@gentoo.org + SELinux Team + +
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild
new file mode 100644
index 0000000000..f8e3f816a1
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240226-r2.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 x86"
+fi
+
+DEPEND="${DEPEND}
+ sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+ sec-policy/selinux-container
+"
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild
new file mode 100644
index 0000000000..f8e3f816a1
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-2.20240916-r1.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 x86"
+fi
+
+DEPEND="${DEPEND}
+ sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+ sec-policy/selinux-container
+"
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild
new file mode 100644
index 0000000000..2c75223af5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-docker/selinux-docker-9999.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="docker"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for docker"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+DEPEND="${DEPEND}
+ sec-policy/selinux-container
+"
+RDEPEND="${RDEPEND}
+ sec-policy/selinux-container
+"