feat: label created files in /etc

Implement SELinux labeling support in EtcFileController, label both squashfs and runtime-created files in /etc and /system/etc.

Add corresponding test cases.

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>

api/resource/definitions/files/files.proto

@@ -9,6 +9,7 @@ option java_package = "dev.talos.api.resource.definitions.files";
 message EtcFileSpecSpec {
   bytes contents = 1;
   uint32 mode = 2;
+  string selinux_label = 3;
 }
 
 // EtcFileStatusSpec describes status of rendered secrets.

internal/app/machined/pkg/controllers/cluster/node_identity.go

@@ -115,6 +115,7 @@ func (ctrl *NodeIdentityController) Run(ctx context.Context, r controller.Runtim
 
 				r.TypedSpec().Contents, err = clusteradapter.IdentitySpec(&localIdentity).ConvertMachineID()
 				r.TypedSpec().Mode = 0o444
+				r.TypedSpec().SelinuxLabel = constants.EtcSelinuxLabel
 
 				return err
 			}); err != nil {

internal/app/machined/pkg/controllers/files/cri_config_parts.go

@@ -83,6 +83,7 @@ func (ctrl *CRIConfigPartsController) Run(ctx context.Context, r controller.Runt
 
 				spec.Contents = out
 				spec.Mode = 0o600
+				spec.SelinuxLabel = constants.EtcSelinuxLabel
 
 				return nil
 			}); err != nil {

internal/app/machined/pkg/controllers/files/cri_registry_config.go

@@ -118,6 +118,7 @@ func (ctrl *CRIRegistryConfigController) Run(ctx context.Context, r controller.R
 
 				spec.Contents = criRegistryContents
 				spec.Mode = 0o600
+				spec.SelinuxLabel = constants.EtcSelinuxLabel
 
 				return nil
 			}); err != nil {

internal/app/machined/pkg/controllers/files/etcfile.go

@@ -18,6 +18,7 @@ import (
 	"go.uber.org/zap"
 	"golang.org/x/sys/unix"
 
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 )
 
@@ -133,7 +134,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 
 				logger.Debug("writing file contents", zap.String("dst", dst), zap.Stringer("version", spec.Metadata().Version()))
 
-				if err = UpdateFile(dst, spec.TypedSpec().Contents, spec.TypedSpec().Mode); err != nil {
+				if err = UpdateFile(dst, spec.TypedSpec().Contents, spec.TypedSpec().Mode, spec.TypedSpec().SelinuxLabel); err != nil {
 					return fmt.Errorf("error updating %q: %w", dst, err)
 				}
 
@@ -194,11 +195,16 @@ func createBindMount(src, dst string, mode os.FileMode) (err error) {
 
 // UpdateFile is like `os.WriteFile`, but it will only update the file if the
 // contents have changed.
-func UpdateFile(filename string, contents []byte, mode os.FileMode) error {
+func UpdateFile(filename string, contents []byte, mode os.FileMode, selinuxLabel string) error {
 	oldContents, err := os.ReadFile(filename)
 	if err == nil && bytes.Equal(oldContents, contents) {
-		return nil
+		return selinux.SetLabel(filename, selinuxLabel)
 	}
 
-	return os.WriteFile(filename, contents, mode)
+	err = os.WriteFile(filename, contents, mode)
+	if err != nil {
+		return err
+	}
+
+	return selinux.SetLabel(filename, selinuxLabel)
 }

internal/app/machined/pkg/controllers/network/etcfile.go

@@ -27,6 +27,7 @@ import (
 	efiles "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/files"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	talosconfig "github.com/siderolabs/talos/pkg/machinery/config"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@@ -150,6 +151,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, _
 				func(r *files.EtcFileSpec) error {
 					r.TypedSpec().Contents = renderResolvConf(pickNameservers(hostDNSCfg, resolverStatus), hostnameStatusSpec, cfgProvider)
 					r.TypedSpec().Mode = 0o644
+					r.TypedSpec().SelinuxLabel = constants.EtcSelinuxLabel
 
 					return nil
 				}); err != nil {
@@ -173,7 +175,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, _
 				return fmt.Errorf("error creating pod resolv.conf dir: %w", err)
 			}
 
-			err = efiles.UpdateFile(ctrl.PodResolvConfPath, conf, 0o644)
+			err = efiles.UpdateFile(ctrl.PodResolvConfPath, conf, 0o644, constants.EtcSelinuxLabel)
 			if err != nil {
 				return fmt.Errorf("error writing pod resolv.conf: %w", err)
 			}
@@ -184,6 +186,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, _
 				func(r *files.EtcFileSpec) error {
 					r.TypedSpec().Contents, err = ctrl.renderHosts(hostnameStatus.TypedSpec(), nodeAddressStatus.TypedSpec(), cfgProvider)
 					r.TypedSpec().Mode = 0o644
+					r.TypedSpec().SelinuxLabel = constants.EtcSelinuxLabel
 
 					return err
 				}); err != nil {

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -825,6 +825,7 @@ func injectCRIConfigPatch(ctx context.Context, st state.State, content []byte) e
 	etcFileSpec := resourcefiles.NewEtcFileSpec(resourcefiles.NamespaceName, constants.CRICustomizationConfigPart)
 	etcFileSpec.TypedSpec().Mode = 0o600
 	etcFileSpec.TypedSpec().Contents = content
+	etcFileSpec.TypedSpec().SelinuxLabel = constants.EtcSelinuxLabel
 
 	if err := st.Create(ctx, etcFileSpec); err != nil {
 		return err

internal/app/machined/pkg/startup/tasks.go

@@ -40,7 +40,7 @@ func SetupSystemDirectories(ctx context.Context, log *zap.Logger, rt runtime.Run
 
 		switch path {
 		case constants.SystemEtcPath:
-			label = constants.SystemEtcSelinuxLabel
+			label = constants.EtcSelinuxLabel
 		case constants.SystemVarPath:
 			label = constants.SystemVarSelinuxLabel
 		default: // /system/state is another mount

internal/integration/api/selinux.go

@@ -81,7 +81,6 @@ func (suite *SELinuxSuite) TestFileMountLabels() {
 		constants.SystemPath:          constants.SystemSelinuxLabel,
 		constants.EphemeralMountPoint: constants.EphemeralSelinuxLabel,
 		constants.StateMountPoint:     constants.StateSelinuxLabel,
-		constants.SystemEtcPath:       constants.SystemEtcSelinuxLabel,
 		constants.SystemVarPath:       constants.SystemVarSelinuxLabel,
 		constants.RunPath:             constants.RunSelinuxLabel,
 		"/var/run":                    constants.RunSelinuxLabel,
@@ -102,6 +101,9 @@ func (suite *SELinuxSuite) TestFileMountLabels() {
 		// Directories
 		"/var/lib/containerd": "system_u:object_r:containerd_state_t:s0",
 		"/var/lib/kubelet":    "system_u:object_r:kubelet_state_t:s0",
+		// Mounts and runtime-generated files
+		constants.SystemEtcPath: constants.EtcSelinuxLabel,
+		"/etc":                  constants.EtcSelinuxLabel,
 	}
 
 	// Only running on controlplane
@@ -254,7 +256,6 @@ func (suite *SELinuxSuite) TestProcessLabels() {
 	}
 }
 
-// TODO: test for all machined-created files
 // TODO: test for system and CRI container labels
 // TODO: test labels for unconfined system extensions, pods
 // TODO: test for no avc denials in dmesg

internal/pkg/selinux/policy/file_contexts

@@ -1,3 +1,4 @@
+/etc(/.*)?	system_u:object_r:etc_t:s0
 /opt(/.*)?	system_u:object_r:opt_t:s0
 /sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
 /etc/cni(/.*)?	system_u:object_r:cni_conf_t:s0
@@ -6,6 +7,7 @@
 /usr/lib/udev(/.*)?	system_u:object_r:udev_exec_t:s0
 /etc/kubernetes(/.*)?	system_u:object_r:k8s_conf_t:s0
 /opt/containerd(/.*)?	system_u:object_r:containerd_plugin_t:s0
+/usr/share/zoneinfo(/.*)?	system_u:object_r:etc_t:s0
 /usr/lib/udev/rules.d(/.*)?	system_u:object_r:udev_rules_t:s0
 /usr/libexec/kubernetes(/.*)?	system_u:object_r:k8s_plugin_t:s0
 /	system_u:object_r:rootfs_t:s0

internal/pkg/selinux/policy/selinux/common/files.cil

@@ -3,10 +3,14 @@
 (call filesystem_f (system_t))
 (allow system_t tmpfs_t (filesystem (associate)))
 
-(type system_etc_t)
+(type etc_t)
-(call system_f (system_etc_t))
+(call system_f (etc_t))
-(allow system_etc_t fs_t (filesystem (associate)))
+(allow etc_t fs_t (filesystem (associate)))
-(allow system_etc_t tmpfs_t (filesystem (associate)))
+(allow etc_t tmpfs_t (filesystem (associate)))
+(context etc_t (system_u object_r etc_t (systemLow systemLow)))
+(filecon "/etc(/.*)?" any etc_t)
+(filecon "/usr/share/zoneinfo(/.*)?" any etc_t)
+
 (type system_var_t)
 (call system_f (system_var_t))
 (allow system_var_t fs_t (filesystem (associate)))

pkg/machinery/api/resource/definitions/files/files.pb.go

@@ -27,8 +27,9 @@ type EtcFileSpecSpec struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Contents []byte `protobuf:"bytes,1,opt,name=contents,proto3" json:"contents,omitempty"`
+	Contents     []byte `protobuf:"bytes,1,opt,name=contents,proto3" json:"contents,omitempty"`
-	Mode     uint32 `protobuf:"varint,2,opt,name=mode,proto3" json:"mode,omitempty"`
+	Mode         uint32 `protobuf:"varint,2,opt,name=mode,proto3" json:"mode,omitempty"`
+	SelinuxLabel string `protobuf:"bytes,3,opt,name=selinux_label,json=selinuxLabel,proto3" json:"selinux_label,omitempty"`
 }
 
 func (x *EtcFileSpecSpec) Reset() {
@@ -75,6 +76,13 @@ func (x *EtcFileSpecSpec) GetMode() uint32 {
 	return 0
 }
 
+func (x *EtcFileSpecSpec) GetSelinuxLabel() string {
+	if x != nil {
+		return x.SelinuxLabel
+	}
+	return ""
+}
+
 // EtcFileStatusSpec describes status of rendered secrets.
 type EtcFileStatusSpec struct {
 	state         protoimpl.MessageState
@@ -128,23 +136,25 @@ var file_resource_definitions_files_files_proto_rawDesc = []byte{
 	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x2f, 0x66, 0x69, 0x6c,
 	0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x20, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e,
 	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x41, 0x0a, 0x0f, 0x45, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x66, 0x0a, 0x0f, 0x45, 0x74,
 	0x63, 0x46, 0x69, 0x6c, 0x65, 0x53, 0x70, 0x65, 0x63, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a,
 	0x08, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52,
 	0x08, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6d, 0x6f, 0x64,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0x36, 0x0a,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x23, 0x0a,
-	0x11, 0x45, 0x74, 0x63, 0x46, 0x69, 0x6c, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70,
+	0x0d, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x5f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x03,
-	0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x70, 0x65, 0x63, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x4c, 0x61, 0x62,
-	0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x70, 0x65, 0x63, 0x56, 0x65,
+	0x65, 0x6c, 0x22, 0x36, 0x0a, 0x11, 0x45, 0x74, 0x63, 0x46, 0x69, 0x6c, 0x65, 0x53, 0x74, 0x61,
-	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c,
+	0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x70, 0x65, 0x63, 0x5f,
-	0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e,
+	0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73,
-	0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x66, 0x69, 0x6c, 0x65,
+	0x70, 0x65, 0x63, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65,
-	0x73, 0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69,
+	0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f,
-	0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70,
+	0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69,
+	0x2e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69,
+	0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72,
-	0x74, 0x6f, 0x33,
+	0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64,
+	0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x66, 0x69, 0x6c, 0x65, 0x73,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

pkg/machinery/api/resource/definitions/files/files_vtproto.pb.go

@@ -49,6 +49,13 @@ func (m *EtcFileSpecSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if len(m.SelinuxLabel) > 0 {
+		i -= len(m.SelinuxLabel)
+		copy(dAtA[i:], m.SelinuxLabel)
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.SelinuxLabel)))
+		i--
+		dAtA[i] = 0x1a
+	}
 	if m.Mode != 0 {
 		i = protohelpers.EncodeVarint(dAtA, i, uint64(m.Mode))
 		i--
@@ -117,6 +124,10 @@ func (m *EtcFileSpecSpec) SizeVT() (n int) {
 	if m.Mode != 0 {
 		n += 1 + protohelpers.SizeOfVarint(uint64(m.Mode))
 	}
+	l = len(m.SelinuxLabel)
+	if l > 0 {
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
 	n += len(m.unknownFields)
 	return n
 }
@@ -217,6 +228,38 @@ func (m *EtcFileSpecSpec) UnmarshalVT(dAtA []byte) error {
 					break
 				}
 			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SelinuxLabel", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SelinuxLabel = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])

pkg/machinery/constants/constants.go

@@ -723,8 +723,8 @@ const (
 	// SystemEtcPath is the path to the system etc directory.
 	SystemEtcPath = SystemPath + "/etc"
 
-	// SystemEtcSelinuxLabel is the SELinux label for the system etc directory.
+	// EtcSelinuxLabel is the SELinux label for the /etc and /system/etc directories.
-	SystemEtcSelinuxLabel = "system_u:object_r:system_etc_t:s0"
+	EtcSelinuxLabel = "system_u:object_r:etc_t:s0"
 
 	// SystemLibexecPath is the path to the system libexec directory.
 	SystemLibexecPath = SystemPath + "/libexec"

pkg/machinery/resources/files/etcfile_spec.go

@@ -27,8 +27,9 @@ type EtcFileSpec = typed.Resource[EtcFileSpecSpec, EtcFileSpecExtension]
 //
 //gotagsrewrite:gen
 type EtcFileSpecSpec struct {
-	Contents []byte      `yaml:"contents" protobuf:"1"`
+	Contents     []byte      `yaml:"contents" protobuf:"1"`
-	Mode     fs.FileMode `yaml:"mode" protobuf:"2"`
+	Mode         fs.FileMode `yaml:"mode" protobuf:"2"`
+	SelinuxLabel string      `yaml:"selinux_label" protobuf:"3"`
 }
 
 // NewEtcFileSpec initializes a EtcFileSpec resource.

website/content/v1.9/reference/api.md

@@ -2213,6 +2213,7 @@ EtcFileSpecSpec describes status of rendered secrets.
 | ----- | ---- | ----- | ----------- |
 | contents | [bytes](#bytes) |  |  |
 | mode | [uint32](#uint32) |  |  |
+| selinux_label | [string](#string) |  |  |