RFC: If existent, apply SELinux label from full non-chroot path #3967
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ca-hu
changed the title
ca-hu
force-pushed
the
selinux-chroot-handling
branch
3 times, most recently
from
5e5c526 to
d20cca2
Compare
ca-hu
force-pushed
the
selinux-chroot-handling
branch
from
d20cca2 to
c0dcfac
Compare
What? Add chroot handling to the SELinux plugin as follows: - If there is a label in the policy for the full non-chroot path, apply it. - If the policy specifies <<none>> for the full non-chroot-path, apply the labels that are in the policy assuming the chroot is like the main root dir. This is what the rpm plugin did before this change. Non-chroot transactions should stay exactly the same. Why? Currently, there is no proper way to specify in the SELinux policy if the target chroot path of a rpm installation should be labelled the same as the main root dir, or if it should use the label that is defined in the policy. For example, if we install a package with `/var/lib/machines/openqa1` as chroot directory, rpm will set the labels as if it was the topmost root directory. If the user runs `restorecon -Rv /var/lib/machines/openqa1`, the labels get reset to the label defined for that path, instead of the chroot environment it was set to by rpm. This can lead to issues, as the labels on the file systems set by rpm and that of policy mismatch. Issues include things like permission being denied, transactions not being complete, etc. For example: https://bugzilla.suse.com/show_bug.cgi?id=1248857 With this commit it is now possible to specify in the SELinux policy, if the target path shall be SELinux confined as usual (e.g. regular chroot environment on the host), or if the target path confinement shall be handled by another user space application (e.g. containers, systemd-machined) To do that, users or policy writers can set '<<none>>' in the policy for a chroot path to specify they want to have the same labels as in the rootdir, and if they don't want it, they can set the label to a specific one. Example: This would tell the rpm plugin to use the same labels in the chroot `/var/lib/machines/openqa1` as it would in the rootdir. ``` semanage fcontext -a '/var/lib/machines/openqa1(/.*)?' -t '<<none>>' // afterwards, run rpm with the path as chroot ``` With that, `restorecon` will also skip this directory, since there is no default label for it defined. While setting a fixed label, would result in the plugin to use the fixed label: ``` semanage fcontext -a '/var/lib/machines/openqa1(/.*)?' -t 'systemd_machined_var_lib_t' // afterwards, run rpm with the path as chroot, it will set the // labels of the files as systemd_machined_var_lib_t ```
ca-hu
force-pushed
the
selinux-chroot-handling
branch
from
c0dcfac to
c33fc14
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is more to start a discussion if that would be a good way to handle the problem or not.
Why?
Currently, there is no proper way to specify in the SELinux policy if the target chroot path of a rpm installation should be labelled the same as the main root dir, or if it should use the label that is defined in the policy.
For example, if we install a package with
/var/lib/machines/openqa1as chroot directory, rpm will set the labels as if it was the topmost root directory. If the user runsrestorecon -Rv /var/lib/machines/openqa1, the labels get reset to the label defined for that path, instead of the chroot environment it was set to by rpm.This can lead to issues, as the labels on the file systems set by rpm and that of policy mismatch. Issues include things like permission being denied, transactions not being complete, etc.
Quick example of the problem
User wants to install packages to
/var/lib/machines/openqa1and run systemd machined from that chroot afterwards. This example uses zypper, and zypper usesrpm --root /var/lib/machines/openqa1underneath.In the selinux policy we have the rule that says that files in
/var/lib/machinesshould besystemd_machined_var_lib_t:The user executes:
The labels that are generated are inconsistent, since the rpm selinux plugin only sets the labels of the files that are in the database:
This means, that as soon as something runs
restoreconthe labels will be set tosystemd_machined_var_lib_t. Which means that after the first install the labels are not consistent with the policy.Additionally, some package installations fail due to the label mismatch, which can be observed in this bugreport: https://bugzilla.suse.com/show_bug.cgi?id=1248857
What we propose as solution is (for chroot scenarios only!) a way in the selinux policy to control if it is okay that rpm sets the labels inconsistently, or uses the label that is defined in the policy.
Proposed solution
Add chroot handling to the SELinux plugin as follows:
<<none>>for the full non-chroot-path, apply the labels that are in the policy assuming the chroot is like the main root dir. This is what the rpm plugin did before this change.Non-chroot transactions should stay exactly the same.
What is in this PR
With this commit it is now possible to specify in the SELinux policy, if the target path shall be SELinux confined as usual (e.g. regular chroot environment on the host), or if the target path confinement shall be handled by another user space application (e.g. containers, systemd-machined)
To do that, users or policy writers can set
<<none>>in the policy for a chroot path to specify they want to have the same labels as in the rootdir, and if they don't want it, they can set the label to a specific one.Example:
This would tell the rpm plugin to use the same labels in the chroot
/var/lib/machines/openqa1as it would in the rootdir.With that,
restoreconwill also skip this directory, since there is no default label for it defined.While setting a fixed label, would result in the plugin to use the fixed label: