This repository has been archived by the owner on May 30, 2023. It is now read-only.

sec-policy/selinux-base-policy: add capability to unlabeled_t #1426

Merged
merged 1 commit, Nov 18, 2021

Conversation

Contributor

@tormath1 tormath1 commented Nov 17, 2021

With this patch, we allow unlabeled_t to associate with the tmpfs
filesystem.
It aims to solve the AVC we have with torcx with the
torcx-generator:

```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```

It has not been caught earlier because it occurs
when the system boots with SELinux in enforcing mode.

This denial was preventing torcx from finishing its setup correctly, so
Docker was not able to start.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>


It has been reported in flatcar/Flatcar#544

CI 🔵 : http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/4177/cldsv/

Tested on built image with SELinux enabled early in the boot:

```
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
$ docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
$ journalctl _TRANSPORT=audit | grep -i torcx
```

While on current stable with the same config:

```
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
$ journalctl _TRANSPORT=audit | grep -i torcx
Nov 18 09:30:32 localhost audit[687]: AVC avc:  denied  { associate } for  pid=687 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
$ docker ps
The program docker is managed by torcx, which did not run.
```

NOTE: Mantle logic is now implemented in order to enable SELinux in enforcing as soon as possible: flatcar/mantle#252
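To make the AVC record above easier to reason about, here is an added example (my own code, not part of this PR or the Flatcar policy tree) that parses such a denial from the audit log and checks whether an allow rule of the shape the commit message describes would cover it. `TORCX_RULE`, the function names and the regexes are my assumptions; the patch body is not shown on this page, so the rule is reconstructed from the description only.

```python
import re

# AVC record copied from the PR description above (the denial torcx-generator hit).
AVC_LINE = ('Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 '
            'comm="torcx-generator" name="docker" dev="tmpfs" ino=2 '
            'scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
            'tclass=filesystem permissive=0')

# Assumed shape of the grant the commit message describes; the patch body itself
# is not on this page, so this is reconstructed from the description only.
TORCX_RULE = {"source": "unlabeled_t", "target": "tmpfs_t",
              "tclass": "filesystem", "perms": {"associate"}}

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
                     r'\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the fields of one AVC audit record, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs after "for"; values are quoted (comm="...") or bare (pid=688).
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
    rec = {k: v.strip('"') for k, v in pairs}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    # A context is user:role:type:level; allow rules are keyed on the type component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def rule_covers(rule, rec):
    """True if every permission denied in rec is granted by rule for that source/target/class."""
    return (rec["stype"] == rule["source"] and rec["ttype"] == rule["target"]
            and rec["tclass"] == rule["tclass"] and rec["perms"] <= rule["perms"])


def audit_to_allow(rec):
    """Render the minimal allow rule that would silence exactly this denial."""
    return "allow %s %s:%s { %s };" % (rec["stype"], rec["ttype"], rec["tclass"],
                                       " ".join(sorted(rec["perms"])))


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print(audit_to_allow(rec), "covered by TORCX_RULE:", rule_covers(TORCX_RULE, rec))
```

Run it over `journalctl _TRANSPORT=audit` output to confirm the only denial the rule silences is the single `associate` on `filesystem`; anything else it covers would mean the grant to unlabeled_t is broader than this PR intends.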

@@ -39,6 +39,7 @@ PATCHES=(
"${FILESDIR}/init.patch"
"${FILESDIR}/locallogin.patch"
"${FILESDIR}/logging.patch"
"${FILESDIR}/unlabeled.patch"
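Review bot: the new `"${FILESDIR}/unlabeled.patch"` entry in PATCHES carries no comment saying why it exists or when it can go, so the next person touching this list has to dig through history to learn it is a torcx workaround. Suggest a comment directly above it, e.g. `# allow unlabeled_t to associate with tmpfs for torcx-generator; drop once torcx is gone (flatcar/Flatcar#443)`. Note also that the patch body is not part of this hunk, so reviewers need to open unlabeled.patch to confirm the grant is limited to the single `associate` permission on `filesystem` that the AVC record shows and does not widen what unlabeled_t may do beyond that.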
Contributor

Maybe we can annotate here that this was for torcx and it could be dropped in the future

Contributor Author

Good idea and let's add a reference in: flatcar/Flatcar#443

@tormath1 tormath1 merged commit bf3a96a into main Nov 18, 2021
@tormath1 tormath1 deleted the tormath1/selinux branch November 18, 2021 15:57
@tormath1
Contributor Author

cherry-picked to:

  • flatcar-3046
  • flatcar-3033
  • flatcar-2983
