Make sure a privileged pod cannot violate some of the important security rules enforced by SELinux.
Fixes #10615
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
This complements the previous PRs to implement more volume features:
directory volumes control their permissions, SELinux labels, etc.
Overlay mounts support an additional parent relationship.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update tools, pkgs and extras to use a fully bootstrapped [Stageˣ]-derived toolchain for building Talos and its dependencies.
This brings in changes related to root being usrmerged now, so some paths have changed. Extras have been cleaned up: use only the needed package.
Addresses: #10187
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Implement SELinux labeling support in EtcFileController, labeling both squashfs and runtime-created files in /etc and /system/etc.
Add corresponding test cases.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Label mounted filesystems, such as ephemeral and overlay mounts, as well as data directories (which are going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Do not do string lookups in repetitive calls. We do not support changing SELinux status during runtime, so once we read it, we can assume the status does not change.
Also avoid unneeded FS writes when the appropriate label is already set on a file.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
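The two optimizations in the commit message above (read the SELinux status once, and skip the xattr write when the file already carries the wanted label) as an added example. This is illustrative code, not Talos code: the `xattrStore` interface, the in-memory `memStore` fake, the `SetLabel`/`selinuxEnabled` helpers and the sample label `system_u:object_r:etc_t:s0` are all constructed here; a real backend would implement `xattrStore` with getxattr(2)/setxattr(2) on the `security.selinux` attribute.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
)

// errNoAttr stands in for ENODATA: the file carries no security.selinux xattr yet.
var errNoAttr = errors.New("no security.selinux attribute")

// xattrStore is a hypothetical abstraction over the security.selinux
// extended attribute (not a Talos interface). A real backend would call
// getxattr(2)/setxattr(2); memStore below is an in-memory fake.
type xattrStore interface {
	Get(path string) ([]byte, error)
	Set(path string, label []byte) error
}

var (
	enabledOnce sync.Once
	enabledVal  bool
)

// selinuxEnabled caches the enforcement status: probe runs once and the
// result is reused, since the status is assumed constant for the process lifetime.
func selinuxEnabled(probe func() bool) bool {
	enabledOnce.Do(func() { enabledVal = probe() })
	return enabledVal
}

// SetLabel applies label to path, skipping the write when SELinux is
// disabled or when the file already carries that label. It reports whether
// a write was issued.
func SetLabel(store xattrStore, enabled bool, path, label string) (bool, error) {
	if !enabled {
		return false, nil
	}
	want := []byte(label)
	cur, err := store.Get(path)
	switch {
	case err == nil:
		// The kernel may return the stored label with a trailing NUL; ignore it.
		if bytes.Equal(bytes.TrimRight(cur, "\x00"), want) {
			return false, nil
		}
	case errors.Is(err, errNoAttr):
		// Unlabeled file: fall through to the write.
	default:
		return false, fmt.Errorf("get label %s: %w", path, err)
	}
	if err := store.Set(path, want); err != nil {
		return false, fmt.Errorf("set label %s: %w", path, err)
	}
	return true, nil
}

// memStore fakes a filesystem's xattrs and counts the writes it receives.
type memStore struct {
	labels map[string][]byte
	writes int
}

func newMemStore() *memStore { return &memStore{labels: map[string][]byte{}} }

func (m *memStore) Get(path string) ([]byte, error) {
	v, ok := m.labels[path]
	if !ok {
		return nil, errNoAttr
	}
	return v, nil
}

func (m *memStore) Set(path string, label []byte) error {
	m.labels[path] = append([]byte(nil), label...)
	m.writes++
	return nil
}

// Demo labels two constructed paths twice, as a re-running controller would,
// and returns how many xattr writes were actually issued (expected: 1).
func Demo() int {
	store := newMemStore()
	// Constructed sample: one file is already labeled, with a NUL-terminated value.
	store.labels["/system/etc/hosts"] = []byte("system_u:object_r:etc_t:s0\x00")
	enabled := selinuxEnabled(func() bool { return true })
	for i := 0; i < 2; i++ {
		for _, p := range []string{"/etc/hosts", "/system/etc/hosts"} {
			if _, err := SetLabel(store, enabled, p, "system_u:object_r:etc_t:s0"); err != nil {
				panic(err)
			}
		}
	}
	return store.writes
}

func main() {
	fmt.Printf("xattr writes issued: %d\n", Demo())
}
```

Only the unlabeled file costs a write; the pre-labeled file and the whole second pass are no-ops, which is the behaviour a reconciler that runs repeatedly wants.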
I added those in the early days of the current policy development, yet there was no use for them. This change simplifies the policy and handling of labels.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Part of: #9127
Label executables and processes; build, load and manage the SELinux policy; enable audit support.
Labeling filesystems, devices and runtime files will be done in further changes; see the full PR.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>