modifying sebooleans via Ignition

[gtema]

In some scenarios it would be nice to have possibility to modify selinux variables with the ignition file to eliminate need of doing system login just for that.
Scenario: deploy FCOS server with haproxy to load-balance postgres/galera/etc cluster
Currently I put haproxy.cfg into ignition, but due to the need for special ports I do need to execute setsebool -P haproxy_connect_any 1 on the host. If using haproxy in the container and not the system one, this selinux modification is the only thing requiring login.

So either specifying selinux stuff in the ignition, or possibility to execute script upon first boot would be very helpful.

[dustymabe]

Thanks @gtema for opening this issue. I actually am working through setting up a host now where I need to set the container_manage_cgroup seboolean so I'm about to go through the same thing.

[dustymabe]

I wish there was a way to modify sebooleans by using a configuration file but my searching doesn't seem to show any options to do that. Some options we have:

• open an RFE for a configuration file
• document how to use setsebool via a startup script in ignition
• add some sugar to fcct to do this easily for us

[jlebon]

Though note the major caveat with doing this permanently: coreos/rpm-ostree#27. For this reason, I think the current approach is modifying it at runtime via a systemd unit on each boot.

[dustymabe]

here is what I've got for now as part of an FCC config:

variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAA...
systemd:
  units:
    - name: setsebool.service
      enabled: true
      contents: |
        # so we can run systemd in a container
        # https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/
        [Unit]
        Before=weechat.service
        After=network-online.target
        ConditionPathExists=!/var/lib/setsebool-ignition
        [Service]
        Type=oneshot
        ExecStart=setsebool -P container_manage_cgroup true
        ExecStartPost=touch /var/lib/setsebool-ignition
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target

[dustymabe]

and according to @jlebon from #368 (comment) running with -P is bad because it will cause us to not get future updates to the policy because it writes out a new binary:

$ sudo ostree admin config-diff | grep policy
M    selinux/targeted/policy/policy.31

so here's an update to just do it dynamically on every boot:

variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAA...
systemd:
  units:
    - name: setsebool.service
      enabled: true
      contents: |
        # so we can run systemd in a container
        # https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/
        [Unit]
        Before=weechat.service
        After=network-online.target
        [Service]
        Type=oneshot 
        ExecStart=setsebool container_manage_cgroup true
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target

[lucab]

Just a FYI followup to @jlebon comment. I wrote https://github.com/overdrop/overdrop-sebool some time ago as a PoC for this case. Both solutions are subpar as they do not affect initramfs. The whole SELinux "binary blob in /etc" situation is quite tricky.

[jlebon]

I wrote https://github.com/overdrop/overdrop-sebool some time ago as a PoC for this case.

Ahh nice, I had forgotten about that. Yeah, @dustymabe and I were discussing this yesterday. We could pretty easily ship this functionality in FCOS. Though ideally, it'd be something that SELinux supports natively (though I guess that's somewhat part of the larger issue of making SELinux more compatible with OSTree overall -- e.g. the same issue occurs with anything else that would require rebuilding the policy, like file transition rules).

One thing we could do is expose FCC sugar which translates to a unit like Dusty's, while we work with the SELinux folks to close those gaps, and then eventually have that sugar pivot to targeting the SELinux dropins?

Both solutions are subpar as they do not affect initramfs

Actually, we don't currently bake the SELinux policy in the initramfs so this is OK. :) But yeah, the way it works, there's still going to be a window between loading the policy and the booleans actually being applied.

[jlebon]

One huge hack we could do to work around coreos/rpm-ostree#27 is to have a stamp file at e.g. /etc/selinux/.coreos-rebuild and rebuild the policy from the initrd on any boot if there is a new base policy update and the node has local customizations.

[jlebon]

I guess this isn't that different from rpm-ostree initramfs --enable. Both are binary blobs assembled from local input files that can be modified. We could have e.g. rpm-ostree selinux --enable-local-build which regenerates the policy at deploy time.

The advantage of this over just doing it automatically using a stamp file is that any errors happen before actually rebooting (and the cost of rebuilding itself is incurred upfront instead of at boot). And also, it should show up clearly in rpm-ostree status. Edit: Other advantages include: (1) OSTree commits are automatically relabeled with the rebuilt policy, and (2) it'd be trivial to rollback changes/revert back to the base policy just like with the initramfs.