feat: label etc files

Implement SELinux labeling support in EtcFileController. Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Oct 30, 2024 · 13e9c1d · 13e9c1d
1 parent f2e667e
commit 13e9c1d
Show file tree

Hide file tree

Showing 11 changed files with 93 additions and 24 deletions.
diff --git a/api/resource/definitions/files/files.proto b/api/resource/definitions/files/files.proto
@@ -9,6 +9,7 @@ option java_package = "dev.talos.api.resource.definitions.files";
 message EtcFileSpecSpec {
   bytes contents = 1;
   uint32 mode = 2;
+  string selinux_label = 3;
 }
 
 // EtcFileStatusSpec describes status of rendered secrets.

diff --git a/internal/app/machined/pkg/controllers/cluster/node_identity.go b/internal/app/machined/pkg/controllers/cluster/node_identity.go
@@ -114,6 +114,7 @@ func (ctrl *NodeIdentityController) Run(ctx context.Context, r controller.Runtim
 
 				r.(*files.EtcFileSpec).TypedSpec().Contents, err = clusteradapter.IdentitySpec(&localIdentity).ConvertMachineID()
 				r.(*files.EtcFileSpec).TypedSpec().Mode = 0o444
+				r.(*files.EtcFileSpec).TypedSpec().SelinuxLabel = "system_u:object_r:etc_machine_id_t:s0"
 
 				return err
 			}); err != nil {

diff --git a/internal/app/machined/pkg/controllers/files/cri_config_parts.go b/internal/app/machined/pkg/controllers/files/cri_config_parts.go
@@ -83,6 +83,7 @@ func (ctrl *CRIConfigPartsController) Run(ctx context.Context, r controller.Runt
 
 				spec.Contents = out
 				spec.Mode = 0o600
+				spec.SelinuxLabel = "system_u:object_r:k8s_conf_t:s0"
 
 				return nil
 			}); err != nil {

diff --git a/internal/app/machined/pkg/controllers/files/cri_registry_config.go b/internal/app/machined/pkg/controllers/files/cri_registry_config.go
@@ -119,6 +119,7 @@ func (ctrl *CRIRegistryConfigController) Run(ctx context.Context, r controller.R
 
 				spec.Contents = criRegistryContents
 				spec.Mode = 0o600
+				spec.SelinuxLabel = "system_u:object_r:k8s_conf_t:s0"
 
 				return nil
 			}); err != nil {

diff --git a/internal/app/machined/pkg/controllers/files/etcfile.go b/internal/app/machined/pkg/controllers/files/etcfile.go
@@ -17,6 +17,7 @@ import (
 	"go.uber.org/zap"
 	"golang.org/x/sys/unix"
 
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 )
 
@@ -133,7 +134,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 
 				logger.Debug("writing file contents", zap.String("dst", dst), zap.Stringer("version", spec.Metadata().Version()))
 
-				if err = UpdateFile(dst, spec.TypedSpec().Contents, spec.TypedSpec().Mode); err != nil {
+				if err = UpdateFile(dst, spec.TypedSpec().Contents, spec.TypedSpec().Mode, spec.TypedSpec().SelinuxLabel); err != nil {
 					return fmt.Errorf("error updating %q: %w", dst, err)
 				}
 
@@ -194,11 +195,16 @@ func createBindMount(src, dst string, mode os.FileMode) (err error) {
 
 // UpdateFile is like `os.WriteFile`, but it will only update the file if the
 // contents have changed.
-func UpdateFile(filename string, contents []byte, mode os.FileMode) error {
+func UpdateFile(filename string, contents []byte, mode os.FileMode, selinuxLabel string) error {
 	oldContents, err := os.ReadFile(filename)
 	if err == nil && bytes.Equal(oldContents, contents) {
-		return nil
+		return selinux.SetLabel(filename, selinuxLabel)
 	}
 
-	return os.WriteFile(filename, contents, mode)
+	err = os.WriteFile(filename, contents, mode)
+	if err != nil {
+		return err
+	}
+
+	return selinux.SetLabel(filename, selinuxLabel)
 }
diff --git a/internal/app/machined/pkg/controllers/network/etcfile.go b/internal/app/machined/pkg/controllers/network/etcfile.go
@@ -147,6 +147,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 				func(r *files.EtcFileSpec) error {
 					r.TypedSpec().Contents = renderResolvConf(pickNameservers(hostDNSCfg, resolverStatus), hostnameStatusSpec, cfgProvider)
 					r.TypedSpec().Mode = 0o644
+					r.TypedSpec().SelinuxLabel = "system_u:object_r:dns_conf_t:s0"
 
 					return nil
 				}); err != nil {
@@ -167,7 +168,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 				return fmt.Errorf("error creating pod resolv.conf dir: %w", err)
 			}
 
-			err = efiles.UpdateFile(ctrl.PodResolvConfPath, conf, 0o644)
+			err = efiles.UpdateFile(ctrl.PodResolvConfPath, conf, 0o644, "system_u:object_r:dns_conf_t:s0")
 			if err != nil {
 				return fmt.Errorf("error writing pod resolv.conf: %w", err)
 			}
@@ -178,6 +179,7 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 				func(r *files.EtcFileSpec) error {
 					r.TypedSpec().Contents, err = ctrl.renderHosts(hostnameStatus.TypedSpec(), nodeAddressStatus.TypedSpec(), cfgProvider)
 					r.TypedSpec().Mode = 0o644
+					r.TypedSpec().SelinuxLabel = "system_u:object_r:hosts_conf_t:s0"
 
 					return err
 				}); err != nil {

diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -44,6 +44,7 @@ import (
 	"golang.org/x/sys/unix"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 
+	efiles "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/files"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/emergency"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub"
@@ -484,7 +485,7 @@ func OSRelease() (err error) {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(constants.SystemEtcPath, "os-release"), contents, 0o644)
+	return efiles.UpdateFile(filepath.Join(constants.SystemEtcPath, "os-release"), contents, 0o644, "system_u:object_r:etc_os_release_t:s0")
 }
 
 // createBindMount creates a common way to create a writable source file with a
@@ -1158,6 +1159,7 @@ func injectCRIConfigPatch(ctx context.Context, st state.State, content []byte) e
 	etcFileSpec := resourcefiles.NewEtcFileSpec(resourcefiles.NamespaceName, constants.CRICustomizationConfigPart)
 	etcFileSpec.TypedSpec().Mode = 0o600
 	etcFileSpec.TypedSpec().Contents = content
+	etcFileSpec.TypedSpec().SelinuxLabel = "system_u:object_r:k8s_conf_t:s0"
 
 	if err := st.Create(ctx, etcFileSpec); err != nil {
 		return err

diff --git a/pkg/machinery/api/resource/definitions/files/files.pb.go b/pkg/machinery/api/resource/definitions/files/files.pb.go
diff --git a/pkg/machinery/api/resource/definitions/files/files_vtproto.pb.go b/pkg/machinery/api/resource/definitions/files/files_vtproto.pb.go
diff --git a/pkg/machinery/resources/files/etcfile_spec.go b/pkg/machinery/resources/files/etcfile_spec.go
@@ -27,8 +27,9 @@ type EtcFileSpec = typed.Resource[EtcFileSpecSpec, EtcFileSpecExtension]
 //
 //gotagsrewrite:gen
 type EtcFileSpecSpec struct {
-	Contents []byte      `yaml:"contents" protobuf:"1"`
-	Mode     fs.FileMode `yaml:"mode" protobuf:"2"`
+	Contents     []byte      `yaml:"contents" protobuf:"1"`
+	Mode         fs.FileMode `yaml:"mode" protobuf:"2"`
+	SelinuxLabel string      `yaml:"selinux_label" protobuf:"3"`
 }
 
 // NewEtcFileSpec initializes a EtcFileSpec resource.

diff --git a/website/content/v1.9/reference/api.md b/website/content/v1.9/reference/api.md
@@ -2171,6 +2171,7 @@ EtcFileSpecSpec describes status of rendered secrets.
 | ----- | ---- | ----- | ----------- |
 | contents | [bytes](#bytes) |  |  |
 | mode | [uint32](#uint32) |  |  |
+| selinux_label | [string](#string) |  |  |