From 5c25c3835cebd064b159e20f8b2ecb38d5586616 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 17 Nov 2021 16:45:58 +0100
Subject: [PATCH] sec-policy/selinux-base-policy: add capability to unlabeled_t
with this patch, we allow `unlabeled_t` to associate to tmpfs filesystem. It aims to solve the AVC we have with `torcx` with the `torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```
It has been not been caught earlier because it occurs when the system boots with `SELinux` in `enforcing` mode. This denial was preventing torcx to finish correctly its setup and so Docker was not able to start.
Signed-off-by: Mathieu Tortuyaux
---
 .../selinux-base-policy/files/unlabeled.patch | 11 +++++++++++
 .../selinux-base-policy-2.20200818-r2.ebuild | 4 ++++
 2 files changed, 15 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
new file mode 100644
index 0000000000..972b954b2b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
@@ -0,0 +1,11 @@
+index 7c60eda2c..736187b7a 100644
+--- refpolicy/policy/modules/kernel/kernel.te
++++ refpolicy/policy/modules/kernel/kernel.te
+@@ -191,6 +191,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+ type unlabeled_t;
+ kernel_rootfs_mountpoint(unlabeled_t)
+ fs_associate(unlabeled_t)
++fs_associate_tmpfs(unlabeled_t)
+ sid file gen_context(system_u:object_r:unlabeled_t,s0)
+ sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+ neverallow * unlabeled_t:file entrypoint;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
index 148ed5ff06..0c920e702e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
@@ -39,6 +39,10 @@ PATCHES=(
 "${FILESDIR}/init.patch"
 "${FILESDIR}/locallogin.patch"
 "${FILESDIR}/logging.patch"
+ # this patch is required to prevent `torcx-generator`
+ # to fail if SELinux is enforced in early boot.
+ # It can be removed once we drop torcx support.
+ "${FILESDIR}/unlabeled.patch"
 )
 # Code entirely copied from selinux-eclass (cannot inherit due to dependency on
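Review bot: The added `fs_associate_tmpfs(unlabeled_t)` line in the new patch file is a policy-wide relaxation rather than a torcx-specific one: it lets any object labelled `unlabeled_t` be associated with any `tmpfs_t` filesystem, so the kind of denial that exposed the mislabelled `docker` entry quoted in the commit message will no longer be reported for other unlabeled objects on tmpfs mounts either. That denial is a symptom of the generator's output carrying no valid label; the narrower fix is to have it created with (or relabelled to) a proper type so `unlabeled_t` never appears on tmpfs, with the policy change as a fallback only. If the widening is kept as a stop-gap, the patch file itself should record that, since `unlabeled.patch` carries no header of its own; a leading line such as `# Workaround: allow unlabeled_t to associate with tmpfs_t so torcx-generator can run in enforcing mode; drop together with torcx support` before the `index` line would keep that context with the patch (patch tooling normally ignores text that precedes the `---`/`+++` headers, but this is worth confirming against how the ebuild applies it).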
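Review bot: The new comment inside `PATCHES` reads awkwardly and under-specifies what the patch fixes: "to prevent `torcx-generator` to fail" should be "from failing", and a later maintainer gets no hint which access the patch permits. Suggest `# Workaround: allow unlabeled_t to associate with tmpfs_t so torcx-generator` / `# does not fail when SELinux is enforcing during early boot.` / `# It can be removed once we drop torcx support.` The array is closed by the `)` context line within the hunk.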