-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SELinux: Label /usr and sysext image contents #1517
base: main
Are you sure you want to change the base?
Conversation
Needs a rebase when #1518 is merged |
Build action triggered: https://github.com/flatcar/scripts/actions/runs/7395050910 |
I've started a test run and when that passes I'll try again with flatcar/mantle#487 |
The |
We get a lot of denials - the image only works in permissive mode:
|
I think that if we want to start labeling the whole filesystem, we should at least start enabling selinux USE flag globally and pull in the missing |
So far we did not correctly label /usr because it broke certain things like Docker. With the sysext Docker and new policies we should try again. First generate the policy before branching off the base squashfs (which already misses a lot of things because they the most postprocessing is done late in finish_image!). Then label /usr and also the sysext contents in their folder - not in the overlay mount because this would operate on the whole image.
This is missing for containerd and docker labels: Current: ``` $ selabel_lookup -k /usr/bin/docker Default context: system_u:object_r:bin_t:s0 ``` Signed-off-by: Mathieu Tortuyaux <[email protected]>
So far we did not correctly label /usr because it broke certain things like Docker. With the sysext Docker and new policies we should try again.
First generate the policy before branching off the base squashfs (which already misses a lot of things because they the most postprocessing is done late in finish_image!). Then label /usr and also the sysext contents in their folder - not in the overlay mount because this would operate on the whole image.
How to use
Hope that setfiles is clever enough
Verify with flatcar/mantle#487
Testing done
The sysext contents have the right label:
changelog/
directory (user-facing change, bug fix, security fix, update)/boot
and/usr
size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.