
feat: machined: initial SELinux bring-up #9617

Merged (1 commit), Nov 4, 2024

Conversation

@dsseng (Member) commented Oct 31, 2024

Part of: #9127

Label executables and processes, build, load and manage SELinux policy, enable audit support.

Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.

TODO: label static pods

Signed-off-by: Dmitry Sharshakov [email protected]

@dsseng (Member, Author) left a comment:


There is some potential to further reduce the amount of CIL code for the initial bring-up. I might try to do so. Also please take notes if anything from here needs to be moved into further commits from #9127.

@dsseng requested a review from smira, October 31, 2024 15:46
@dsseng self-assigned this Oct 31, 2024
@dsseng (Member, Author) commented Oct 31, 2024

; audit(1730388431.799:429):
;  scontext="system_u:system_r:sys_containerd_t:s0" tcontext="system_u:object_r:init_exec_t:s0"
;  class="file" perms="execute"
;  comm="runc:[2:INIT]" exe="" path=""
;  message="[    4.376219] audit: type=1400 audit(1730388431.799:429): avc:
;   denied  { execute } for  pid=1948 comm="runc:[2:INIT]" name="dashboard"
;   dev="loop0" ino=503 scontext=system_u:system_r:sys_containerd_t:s0
;   tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1 "

Review threads (outdated, resolved): selinux/services/udev.cil; Dockerfile (3 threads); .gitignore
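The AVC record quoted in the comment above is the raw material of a policy bring-up like this one: with `permissive=1` the kernel only logged the access, so every such line is a decision the policy would have blocked once enforcing. As an added example (not code from this PR or from Talos), the Python below parses kernel `avc: denied` log lines into structured records, pulls the source and target types out of the security contexts, and renders the CIL allow rule each denial corresponds to so a reviewer can decide whether it belongs in the policy or whether the process or file is mislabeled. The first sample line is the denial from the comment above, reflowed onto one line; the second line, and its `udev_t` / `etc_t` labels, are constructed for illustration and are not taken from the Talos policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first line is the AVC denial quoted in the PR
# comment above; the second is a made-up enforced denial (permissive=0) so the
# enforcing/permissive distinction is exercised. The udev_t / etc_t labels on
# that line are hypothetical and are not taken from the Talos policy.
SAMPLE_LOG = """\
[    4.376219] audit: type=1400 audit(1730388431.799:429): avc:  denied  { execute } for  pid=1948 comm="runc:[2:INIT]" name="dashboard" dev="loop0" ino=503 scontext=system_u:system_r:sys_containerd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
[    9.001000] audit: type=1400 audit(1730388436.000:512): avc:  denied  { read open } for  pid=2201 comm="udevadm" name="rules.d" dev="tmpfs" ino=77 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
"""

# "avc:  denied  { execute } for  pid=... key=value ..." -- everything after
# "for" is a run of key=value pairs, some double-quoted, some bare.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class AvcEvent:
    decision: str            # "denied" or "granted"
    perms: Tuple[str, ...]   # permissions inside the braces, e.g. ("execute",)
    pid: Optional[int]
    comm: str                # process name, e.g. "runc:[2:INIT]"
    name: str                # object name, e.g. the executable's file name
    scontext: str            # full source security context
    tcontext: str            # full target security context
    tclass: str              # object class, e.g. "file", "dir", "process"
    permissive: bool         # True when the kernel only logged and did not block

    @staticmethod
    def type_of(context: str) -> str:
        # user:role:type:range -> the type is always the third field
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self.type_of(self.scontext)

    @property
    def target_type(self) -> str:
        return self.type_of(self.tcontext)


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one kernel/audit line; return None if it carries no AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(m.group("kv")):
        fields[key] = quoted if quoted else bare
    # scontext/tcontext/tclass are mandatory in an AVC record; bail out otherwise
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    pid = fields.get("pid")
    return AvcEvent(
        decision=m.group("decision"),
        perms=tuple(m.group("perms").split()),
        pid=int(pid) if pid and pid.isdigit() else None,
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def parse_log(text: str) -> List[AvcEvent]:
    """Parse a whole log, keeping only lines that contain an AVC record."""
    return [ev for ev in (parse_avc(line) for line in text.splitlines()) if ev is not None]


def cil_rule(ev: AvcEvent) -> str:
    """CIL allow rule that would satisfy this denial, for a human to review."""
    return f"(allow {ev.source_type} {ev.target_type} ({ev.tclass} ({' '.join(ev.perms)})))"


def candidate_rules(events: List[AvcEvent]) -> Dict[str, bool]:
    """Map each distinct CIL rule to whether any matching denial was enforced
    (permissive=0), i.e. something actually broke rather than only being logged."""
    out: Dict[str, bool] = {}
    for ev in events:
        if ev.decision != "denied":
            continue
        rule = cil_rule(ev)
        out[rule] = out.get(rule, False) or not ev.permissive
    return out


if __name__ == "__main__":
    for rule, enforced in candidate_rules(parse_log(SAMPLE_LOG)).items():
        print(("ENFORCED    " if enforced else "permissive  ") + rule)
```

The rule strings are candidates for review, not something to load blindly: for the denial on the page, the right answer may be an allow rule, but it may equally be that `runc` should not be running in `sys_containerd_t` when it executes `init_exec_t`, or that the `dashboard` binary should carry a different label, which is exactly the kind of decision the "TODO: label static pods" item in the PR description leaves open.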
@smira (Member) commented Oct 31, 2024

Review threads (outdated, resolved): selinux/services/udev.cil; selinux/services/selinux.cil; selinux/services/machined.cil
@dsseng force-pushed the selinux-processes branch 2 times, most recently from 55e22ec to 8b09bdb, November 2, 2024 20:24
Review threads: internal/pkg/install/install.go (resolved); internal/pkg/mount/switchroot/switchroot.go (resolved); internal/pkg/selinux/selinux.go (outdated, resolved); pkg/machinery/constants/constants.go (resolved); pkg/provision/providers/qemu/node.go (outdated, resolved); selinux/services/machined.cil (outdated, resolved); selinux/services/selinux.cil (outdated, resolved); selinux/services/system-containerd.cil (2 threads, outdated, resolved); selinux/services/cri.cil (outdated, resolved); pkg/imager/imager.go (outdated, resolved)
@dsseng mentioned this pull request Nov 4, 2024 (4 tasks)
@dsseng force-pushed the selinux-processes branch 2 times, most recently from 4f5b33c to d3bc578, November 4, 2024 15:43
Part of: siderolabs#9127

Label executables and processes, build, load and manage SELinux policy, enable audit support.

Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.

Signed-off-by: Dmitry Sharshakov <[email protected]>
@dsseng (Member, Author) commented Nov 4, 2024

/m

@talos-bot merged commit 960a040 into siderolabs:main, Nov 4, 2024
50 checks passed