modifying sebooleans via Ignition #368
Comments
Thanks @gtema for opening this issue. I actually am working through setting up a host now where I need to set the
I wish there was a way to modify sebooleans by using a configuration file but my searching doesn't seem to show any options to do that. Some options we have:
Though note the major caveat with doing this permanently: coreos/rpm-ostree#27. For this reason, I think the current approach is modifying it at runtime via a systemd unit on each boot.
here is what I've got for now as part of an FCC config:
and according to @jlebon from #368 (comment) running with
so here's an update to just do it dynamically on every boot:
Just an FYI followup to @jlebon's comment. I wrote https://github.com/overdrop/overdrop-sebool some time ago as a PoC for this case. Both solutions are subpar as they do not affect the initramfs. The whole SELinux "binary blob in /etc" situation is quite tricky.
Ahh nice, I had forgotten about that. Yeah, @dustymabe and I were discussing this yesterday. We could pretty easily ship this functionality in FCOS. Though ideally, it'd be something that SELinux supports natively (though I guess that's somewhat part of the larger issue of making SELinux more compatible with OSTree overall -- e.g. the same issue occurs with anything else that would require rebuilding the policy, like file transition rules). One thing we could do is expose FCC sugar which translates to a unit like Dusty's, while we work with the SELinux folks to close those gaps, and then eventually have that sugar pivot to targeting the SELinux dropins?
Actually, we don't currently bake the SELinux policy in the initramfs so this is OK. :) But yeah, the way it works, there's still going to be a window between loading the policy and the booleans actually being applied.
One huge hack we could do to work around coreos/rpm-ostree#27 is to have a stamp file at e.g.
I guess this isn't that different from The advantage of this over just doing it automatically using a stamp file is that any errors happen before actually rebooting (and the cost of rebuilding itself is incurred upfront instead of at boot). And also, it should show up clearly in
In some scenarios it would be nice to have the possibility to modify SELinux variables with the Ignition file, to eliminate the need to log in to the system just for that.
Scenario: deploy FCOS server with haproxy to load-balance postgres/galera/etc cluster
Currently I put haproxy.cfg into Ignition, but due to the need for special ports I do need to execute
setsebool -P haproxy_connect_any 1
on the host. If using haproxy in the container and not the system one, this SELinux modification is the only thing requiring a login. So either specifying SELinux stuff in the Ignition config, or the possibility to execute a script upon first boot, would be very helpful.
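The per-boot systemd unit approach discussed in the thread, written out as an added FCC example for this haproxy scenario (it is not Dusty's actual config from the thread, nor anything shipped by FCOS). It deliberately omits `-P` so the policy in /etc is never rebuilt (the rpm-ostree#27 caveat), and it assumes the container is started by a unit named `haproxy.service`; `ConditionSecurity=selinux` skips the unit on hosts where SELinux is not enabled.

```yaml
variant: fcos
version: 1.1.0
systemd:
  units:
    - name: sebool-haproxy.service
      enabled: true
      contents: |
        [Unit]
        Description=Set SELinux boolean haproxy_connect_any at boot (not persisted)
        # Only meaningful when SELinux is enabled; otherwise the unit is skipped.
        ConditionSecurity=selinux
        # Assumption: the haproxy container is run by a unit named haproxy.service,
        # so the boolean is in place before it binds its non-standard ports.
        Before=haproxy.service

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # No -P: a persistent change would rewrite the binary policy under /etc,
        # which is the rpm-ostree caveat (coreos/rpm-ostree#27) raised above.
        # Because the change is runtime-only, it is re-applied on every boot.
        ExecStart=/usr/sbin/setsebool haproxy_connect_any on

        [Install]
        WantedBy=multi-user.target
```

After the first boot, `getsebool haproxy_connect_any` should report `on`, and `systemctl status sebool-haproxy.service` shows whether the setting was applied before haproxy started.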