forked from microsoft/azurelinux
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Enable selinux for liveos iso flow (microsoft#11198)
- Loading branch information
Showing
6 changed files
with
310 additions
and
3 deletions.
There are no files selected for viewing
38 changes: 38 additions & 0 deletions
38
SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| From 6fe401628d5671cf2f7683e4e0a04b9dcefb0180 Mon Sep 17 00:00:00 2001 | ||
| From: George Mileka <[email protected]> | ||
| Date: Mon, 25 Nov 2024 16:27:41 -0800 | ||
| Subject: [PATCH] Handle SELinux configuration for overlayfs folders. | ||
|
|
||
| When SELinux is enabled, the root folder '/' is expected to be marked | ||
| 'root_t' - otherwise, SELinux will deny access calls. | ||
|
|
||
| When an overlay is created for the root folder, it is created using | ||
| the lower and upper folders. The upper folder is created on tmpfs, | ||
| and subsequently getted the 'tmpfs_t' assigned by inheritence. | ||
| When the root overlay is created, it inherits the 'tmpfs_t'. | ||
|
|
||
| Now, we have a conflict between what SELinux expects ('root_t') and | ||
| what we ended-up with ('tmpfs_t') leading to denials and failing to | ||
| complete the boot successfully. | ||
|
|
||
| This patch injects a script ('azl-configure-sellinux.sh') that will | ||
| run after Dracut's SELinux module runs, and assigns the right SELinux | ||
| types (i.e. 'root_t') to the overlay folders. That way, when pivoting | ||
| takes place, the visible root folder has the right SELinux labeling. | ||
| --- | ||
| modules.d/90overlayfs/module-setup.sh | 1 + | ||
| 1 file changed, 1 insertion(+) | ||
|
|
||
| diff --git a/modules.d/90overlayfs/module-setup.sh b/modules.d/90overlayfs/module-setup.sh | ||
| index dae20093..919df4f5 100755 | ||
| --- a/modules.d/90overlayfs/module-setup.sh | ||
| +++ b/modules.d/90overlayfs/module-setup.sh | ||
| @@ -17,4 +17,5 @@ install() { | ||
| inst_hook pre-mount 01 "$moddir/prepare-overlayfs.sh" | ||
| inst_hook mount 01 "$moddir/mount-overlayfs.sh" # overlay on top of block device | ||
| inst_hook pre-pivot 10 "$moddir/mount-overlayfs.sh" # overlay on top of network device (e.g. nfs) | ||
| + inst_hook pre-pivot 70 "$moddir/azl-configure-selinux.sh" | ||
| } | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| #!/bin/sh | ||
| type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh | ||
|
|
||
| # If SELinux is disabled exit now | ||
| getarg "selinux=0" > /dev/null && return 0 | ||
|
|
||
| SELINUX="enforcing" | ||
| # shellcheck disable=SC1090 | ||
| [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config" | ||
| [ "$SELINUX" == "disabled" ] && return 0 | ||
|
|
||
| getargbool 0 rd.live.overlay.overlayfs && overlayfs="yes" | ||
|
|
||
| if [ -n "$overlayfs" ]; then | ||
|
|
||
| # Get the current root folder context | ||
| rootDirContext=$($NEWROOT/usr/sbin/matchpathcon -f $NEWROOT/etc/selinux/targeted/contexts/files/file_contexts -m dir /) | ||
|
|
||
| # Parse the context to extract the root folder '/' context type. | ||
| # The line should be on the form: "/ system_u:object_r:root_t:s0" | ||
|
|
||
| # Split folder and context | ||
| IFS='\t' read -r _ selinuxContext <<< "$rootDirContext" | ||
| echo "root folder context: ($selinuxContext)" | ||
|
|
||
| # Split context and extract its type | ||
| IFS=':' read -r _ _ contextType _ <<< "$selinuxContext" | ||
| echo "root folder label : ($contextType)" | ||
|
|
||
| # Set the type on the target folders | ||
| [ -e /sysroot ] && chcon -t $contextType /sysroot | ||
| [ -e /run/overlayfs ] && chcon -t $contextType /run/overlayfs | ||
| [ -e /run/ovlwork ] && chcon -t $contextType /run/ovlwork | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,7 @@ | |
| Summary: dracut to create initramfs | ||
| Name: dracut | ||
| Version: 102 | ||
| Release: 7%{?dist} | ||
| Release: 8%{?dist} | ||
| # The entire source code is GPLv2+ | ||
| # except install/* which is LGPLv2+ | ||
| License: GPLv2+ AND LGPLv2+ | ||
|
|
@@ -30,6 +30,7 @@ Source11: 50-noxattr.conf | |
| # code reviews given that they are new to Dracut. | ||
| Source12: 90livenet/azl-liveos-artifacts-download.service | ||
| Source13: 90livenet/azl-liveos-artifacts-download.sh | ||
| Source14: 90overlayfs/azl-configure-selinux.sh | ||
|
|
||
| # allow-liveos-overlay-no-user-confirmation-prompt.patch has been introduced by | ||
| # the Azure Linux team to allow skipping the user confirmation prompt during | ||
|
|
@@ -53,6 +54,7 @@ Patch: 0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch | |
| Patch: 0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch | ||
| Patch: 0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch | ||
| Patch: 0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch | ||
| Patch: 0016-Handle-SELinux-configuration-for-overlayfs-folders.patch | ||
|
|
||
| BuildRequires: bash | ||
| BuildRequires: kmod-devel | ||
|
|
@@ -205,6 +207,8 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/dracut.conf.d/50-noxattr. | |
| install -m 0644 %{SOURCE12} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.service | ||
| install -m 0755 %{SOURCE13} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.sh | ||
|
|
||
| install -m 0755 %{SOURCE14} %{buildroot}%{dracutlibdir}/modules.d/90overlayfs/azl-configure-selinux.sh | ||
|
|
||
| mkdir -p %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ | ||
| install -p -m 0755 %{SOURCE4} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ | ||
| install -p -m 0755 %{SOURCE5} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ | ||
|
|
@@ -310,6 +314,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name} | |
| %dir %{_sharedstatedir}/%{name}/overlay | ||
|
|
||
| %changelog | ||
| * Mon Dec 09 2024 George Mileka <[email protected]> - 102-8 | ||
| - Augment overlayfs with selinux handling. | ||
|
|
||
| * Thu Oct 31 2024 George Mileka <[email protected]> - 102-7 | ||
| - Augment livenet module with a download daemon. | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,223 @@ | ||
| From 43b44054474cf139ee11afa386f0d4e5b2204a07 Mon Sep 17 00:00:00 2001 | ||
| From: George Mileka <[email protected]> | ||
| Date: Fri, 6 Dec 2024 14:21:18 -0800 | ||
| Subject: [PATCH] Enable LiveOS ISO Flow | ||
|
|
||
| In the LiveOS ISO flow, when selinux is enabled, initrd loads the | ||
| default selinux policy from the rootfs, then transitions to the | ||
| the rootfs where the final OS processes are started. | ||
|
|
||
| The problem is that selinux denies many of these processes access | ||
| to a number of resources (mostly file descriptors, but here is also | ||
| access to the boot media, and other resources). | ||
|
|
||
| This patch allows these failing processes access to the resources | ||
| they need. | ||
| --- | ||
| policy/modules/admin/usermanage.te | 2 ++ | ||
| policy/modules/apps/loadkeys.te | 2 ++ | ||
| policy/modules/kernel/devices.if | 18 ++++++++++++++++++ | ||
| policy/modules/kernel/kernel.if | 19 +++++++++++++++++++ | ||
| policy/modules/kernel/kernel.te | 1 + | ||
| policy/modules/system/authlogin.te | 1 + | ||
| policy/modules/system/getty.te | 2 ++ | ||
| policy/modules/system/init.te | 7 +++++++ | ||
| policy/modules/system/locallogin.te | 1 + | ||
| policy/modules/system/selinuxutil.te | 2 ++ | ||
| policy/modules/system/udev.te | 2 ++ | ||
| 11 files changed, 57 insertions(+) | ||
|
|
||
| diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te | ||
| index 57a9848bc..ef24fb85b 100644 | ||
| --- a/policy/modules/admin/usermanage.te | ||
| +++ b/policy/modules/admin/usermanage.te | ||
| @@ -317,6 +317,7 @@ allow passwd_t self:shm create_shm_perms; | ||
| allow passwd_t self:sem create_sem_perms; | ||
| allow passwd_t self:msgq create_msgq_perms; | ||
| allow passwd_t self:msg { send receive }; | ||
| +allow passwd_t kernel_t:fd use; | ||
|
|
||
| allow passwd_t crack_db_t:dir list_dir_perms; | ||
| read_lnk_files_pattern(passwd_t, crack_db_t, crack_db_t) | ||
| @@ -492,6 +493,7 @@ allow useradd_t self:unix_dgram_socket create_socket_perms; | ||
| allow useradd_t self:unix_stream_socket create_stream_socket_perms; | ||
| allow useradd_t self:unix_dgram_socket sendto; | ||
| allow useradd_t self:unix_stream_socket connectto; | ||
| +allow useradd_t kernel_t:fd use; | ||
|
|
||
| # for getting the number of groups | ||
| kernel_read_kernel_sysctls(useradd_t) | ||
| diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te | ||
| index 2263e9dba..61d098341 100644 | ||
| --- a/policy/modules/apps/loadkeys.te | ||
| +++ b/policy/modules/apps/loadkeys.te | ||
| @@ -21,6 +21,8 @@ allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_c | ||
| allow loadkeys_t self:fifo_file rw_fifo_file_perms; | ||
| allow loadkeys_t self:unix_stream_socket { connect create }; | ||
|
|
||
| +kernel_getattr_unlabeled_dirs(loadkeys_t) | ||
| +kernel_use_fds(loadkeys_t) | ||
| kernel_read_system_state(loadkeys_t) | ||
|
|
||
| init_use_fds(loadkeys_t) | ||
| diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if | ||
| index 35e14a021..13026d7a0 100644 | ||
| --- a/policy/modules/kernel/devices.if | ||
| +++ b/policy/modules/kernel/devices.if | ||
| @@ -2206,6 +2206,24 @@ interface(`dev_setattr_input_dev',` | ||
| allow $1 event_device_t:chr_file setattr; | ||
| ') | ||
|
|
||
| +######################################## | ||
| +## <summary> | ||
| +## Get the attributes of the event devices. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +# | ||
| +interface(`dev_read_input_dev',` | ||
| + gen_require(` | ||
| + type event_device_t; | ||
| + ') | ||
| + | ||
| + allow $1 event_device_t:chr_file read_chr_file_perms; | ||
| +') | ||
| + | ||
| ######################################## | ||
| ## <summary> | ||
| ## Read input event devices (/dev/input). | ||
| diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if | ||
| index 1d696a07c..90583facf 100644 | ||
| --- a/policy/modules/kernel/kernel.if | ||
| +++ b/policy/modules/kernel/kernel.if | ||
| @@ -330,6 +330,25 @@ interface(`kernel_stream_connect',` | ||
| allow $1 kernel_t:unix_stream_socket connectto; | ||
| ') | ||
|
|
||
| +######################################## | ||
| +## <summary> | ||
| +## Connect to kernel using a unix | ||
| +## domain stream socket. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +# | ||
| +interface(`kernel_stream_read_write',` | ||
| + gen_require(` | ||
| + type kernel_t; | ||
| + ') | ||
| + | ||
| + allow $1 kernel_t:unix_stream_socket { rw_socket_perms }; | ||
| +') | ||
| + | ||
| ######################################## | ||
| ## <summary> | ||
| ## Getattr on kernel unix datagram sockets. | ||
| diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | ||
| index ea08036b6..59c1afeaf 100644 | ||
| --- a/policy/modules/kernel/kernel.te | ||
| +++ b/policy/modules/kernel/kernel.te | ||
| @@ -238,6 +238,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) | ||
| # | ||
|
|
||
| allow kernel_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; | ||
| +allow kernel_t self:capability2 checkpoint_restore; | ||
| allow kernel_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; | ||
| allow kernel_t self:shm create_shm_perms; | ||
| allow kernel_t self:sem create_sem_perms; | ||
| diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te | ||
| index 9dfef7a0c..791be68c2 100644 | ||
| --- a/policy/modules/system/authlogin.te | ||
| +++ b/policy/modules/system/authlogin.te | ||
| @@ -116,6 +116,7 @@ allow chkpwd_t self:process { getattr signal }; | ||
| dontaudit chkpwd_t self:process getcap; | ||
|
|
||
| allow chkpwd_t shadow_t:file read_file_perms; | ||
| +allow chkpwd_t kernel_t:fd use; | ||
| files_list_etc(chkpwd_t) | ||
|
|
||
| kernel_dontaudit_search_kernel_sysctl(chkpwd_t) | ||
| diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te | ||
| index a900226bf..360f7c67f 100644 | ||
| --- a/policy/modules/system/getty.te | ||
| +++ b/policy/modules/system/getty.te | ||
| @@ -37,6 +37,8 @@ dontaudit getty_t self:capability sys_tty_config; | ||
| allow getty_t self:capability2 checkpoint_restore; | ||
| allow getty_t self:process { getpgid getsession setpgid signal_perms }; | ||
| allow getty_t self:fifo_file rw_fifo_file_perms; | ||
| +allow getty_t kernel_t:fd use; | ||
| +allow getty_t tmpfs_t:dir search; | ||
|
|
||
| read_files_pattern(getty_t, getty_conf_t, getty_conf_t) | ||
| read_lnk_files_pattern(getty_t, getty_conf_t, getty_conf_t) | ||
| diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
| index 9ec685c74..a1d90762b 100644 | ||
| --- a/policy/modules/system/init.te | ||
| +++ b/policy/modules/system/init.te | ||
| @@ -1542,12 +1542,19 @@ optional_policy(` | ||
| zebra_read_config(initrc_t) | ||
| ') | ||
|
|
||
| +######################################## | ||
| +# | ||
| +# Rules applied to all system processes | ||
| +# | ||
| +kernel_use_fds(systemprocess) | ||
| + | ||
| ######################################## | ||
| # | ||
| # Rules applied to all daemons | ||
| # | ||
|
|
||
| domain_dontaudit_use_interactive_fds(daemon) | ||
| +kernel_use_fds(daemon) | ||
|
|
||
| # daemons started from init will | ||
| # inherit fds from init for the console | ||
| diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | ||
| index 8330be8a9..9f2f160a4 100644 | ||
| --- a/policy/modules/system/locallogin.te | ||
| +++ b/policy/modules/system/locallogin.te | ||
| @@ -47,6 +47,7 @@ allow local_login_t self:sem create_sem_perms; | ||
| allow local_login_t self:msgq create_msgq_perms; | ||
| allow local_login_t self:msg { send receive }; | ||
| allow local_login_t self:key { search write link }; | ||
| +allow local_login_t kernel_t:fd use; | ||
|
|
||
| allow local_login_t local_login_lock_t:file manage_file_perms; | ||
| files_lock_filetrans(local_login_t, local_login_lock_t, file) | ||
| diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te | ||
| index 8e521e583..c7fb76550 100644 | ||
| --- a/policy/modules/system/selinuxutil.te | ||
| +++ b/policy/modules/system/selinuxutil.te | ||
| @@ -119,6 +119,8 @@ type setfiles_t alias restorecon_t, can_relabelto_binary_policy; | ||
| type setfiles_exec_t alias restorecon_exec_t; | ||
| init_system_domain(setfiles_t, setfiles_exec_t) | ||
| domain_obj_id_change_exemption(setfiles_t) | ||
| +dev_read_input_dev(setfiles_t) | ||
| +kernel_stream_read_write(setfiles_t) | ||
|
|
||
| ######################################## | ||
| # | ||
| diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te | ||
| index 8af0d90e0..a7bb89658 100644 | ||
| --- a/policy/modules/system/udev.te | ||
| +++ b/policy/modules/system/udev.te | ||
| @@ -57,6 +57,8 @@ allow udev_t self:rawip_socket create_socket_perms; | ||
| # rdma_rename | ||
| allow udev_t self:netlink_rdma_socket create_socket_perms; | ||
|
|
||
| +fs_getattr_iso9660_files(udev_t) | ||
| + | ||
| ifdef(`init_systemd',` | ||
| # systemd-vconsole-setup will be called by udev during virtual terminal initialization | ||
| allow udev_t self:capability sys_tty_config; | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,7 +9,7 @@ | |
| Summary: SELinux policy | ||
| Name: selinux-policy | ||
| Version: %{refpolicy_major}.%{refpolicy_minor} | ||
| Release: 8%{?dist} | ||
| Release: 9%{?dist} | ||
| License: GPLv2 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -56,6 +56,7 @@ Patch34: 0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch | |
| Patch35: 0035-rpm-Run-systemd-sysctl-from-post.patch | ||
| Patch36: 0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch | ||
| Patch37: 0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch | ||
| Patch38: 0038-enable-liveos-iso-flow.patch | ||
| BuildRequires: bzip2 | ||
| BuildRequires: checkpolicy >= %{CHECKPOLICYVER} | ||
| BuildRequires: m4 | ||
|
|
@@ -327,11 +328,14 @@ exit 0 | |
| selinuxenabled && semodule -nB | ||
| exit 0 | ||
| %changelog | ||
| * Wed Nov 20 2024 George Mileka <[email protected]> - 2.20240226-9 | ||
| - Enable SELinux for LiveOS ISO. | ||
|
|
||
| * Wed Sep 11 2024 Chris PeBenito <[email protected]> - 2.20240226-8 | ||
| - Add additional required permissions for cloud-utils-growpart. | ||
| - Cherry-pick upstream fix for typo in docker module. | ||
|
|
||
| * Mon Aug 13 2024 Chris PeBenito <[email protected]> - 2.20240226-7 | ||
| * Tue Aug 13 2024 Chris PeBenito <[email protected]> - 2.20240226-7 | ||
| - Change policy composition so the base module only consits of policy modules | ||
| that must be in the base. This will allow dowstream users to disable or | ||
| override the individual policy modules. | ||
|
|
||