Allow kernel_t to manage and relabel all files #1893
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The calls to interfaces from other modules must be enclosed in optional_policy(), otherwise the usage of this interface may lead to build errors. Signed-off-by: Ondrej Mosnacek <[email protected]>
Extend the abitlity to manage all files also to character & block device files and also allow relabeling any file. This is required for early boot overlay mounts to fully work, but may be needed for other legitimate oprations as well. See also: ostreedev/ostree#3062 Signed-off-by: Ondrej Mosnacek <[email protected]>
WOnder93
force-pushed
the
more-early-boot-overlay-fixes
branch
from
aaa4049 to
2f17241
Compare
|
LGTM, but I still believe unconfined_domain(kernel_t) should be the default. |
|
Other file classes (lnk, sock, pipe) are not needed to be managed? |
These are already allowed via files_manage_all_files(kernel_t) in kernel.te. |
|
lgtm |
cgwalters
approved these changes
Oct 6, 2023
alexlarsson
added a commit
to alexlarsson/ostree
that referenced
this pull request
Oct 9, 2023
If the `prepare-root.conf` file contains: ``` [etc] transient=yes ``` Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image , or it is the deployed `$deploydir/usr/etc`. Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lowerdir (/usr/etc) will have the wrong selinux contexts for the final location of the mount (/etc). We also set the transient-etc key in the ostree-booted file, pointing it to the directory that is used for the overlayfs. There are some additional work happening in ostree-remount, mostly related to selinux (as this needs to happen post selinux policy load): * Recent versions of selinux-poliy have issues with the overlayfs mount being kernel_t, and that is not allowed to manage files as needed. This is fixed in fedora-selinux/selinux-policy#1893 * Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this ostree-remount will relabel all files on /etc that have corresponding files in overlayfs upper dir. * During early boot, systemd mounts /run/machine-id on top of /etc/machine-id (as /etc is readonly). Later during boot, when etc is readwrite, systemd-machine-id-commit.service will remove the mount and update the real file under it with the right content. To ensure that this keeps working, we need to ensure that when we relabel /etc/machine-id we relabel the real (covered) file, not the temporary bind-mount. * ostree-remount no longer needs to remount /etc read-only in the transient-etc case. Signed-off-by: Alexander Larsson <[email protected]>
alexlarsson
added a commit
to alexlarsson/ostree
that referenced
this pull request
Oct 9, 2023
If the `prepare-root.conf` file contains: ``` [etc] transient=yes ``` Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image , or it is the deployed `$deploydir/usr/etc`. Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lowerdir (/usr/etc) will have the wrong selinux contexts for the final location of the mount (/etc). We also set the transient-etc key in the ostree-booted file, pointing it to the directory that is used for the overlayfs. There are some additional work happening in ostree-remount, mostly related to selinux (as this needs to happen post selinux policy load): * Recent versions of selinux-poliy have issues with the overlayfs mount being kernel_t, and that is not allowed to manage files as needed. This is fixed in fedora-selinux/selinux-policy#1893 * Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this ostree-remount will relabel all files on /etc that have corresponding files in overlayfs upper dir. * During early boot, systemd mounts /run/machine-id on top of /etc/machine-id (as /etc is readonly). Later during boot, when etc is readwrite, systemd-machine-id-commit.service will remove the mount and update the real file under it with the right content. To ensure that this keeps working, we need to ensure that when we relabel /etc/machine-id we relabel the real (covered) file, not the temporary bind-mount. * ostree-remount no longer needs to remount /etc read-only in the transient-etc case. Signed-off-by: Alexander Larsson <[email protected]>
alexlarsson
added a commit
to alexlarsson/ostree
that referenced
this pull request
Oct 12, 2023
If the `prepare-root.conf` file contains: ``` [etc] transient=yes ``` Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image , or it is the deployed `$deploydir/usr/etc`. Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lowerdir (/usr/etc) will have the wrong selinux contexts for the final location of the mount (/etc). We also set the transient-etc key in the ostree-booted file, pointing it to the directory that is used for the overlayfs. There are some additional work happening in ostree-remount, mostly related to selinux (as this needs to happen post selinux policy load): * Recent versions of selinux-poliy have issues with the overlayfs mount being kernel_t, and that is not allowed to manage files as needed. This is fixed in fedora-selinux/selinux-policy#1893 * Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this ostree-remount will relabel all files on /etc that have corresponding files in overlayfs upper dir. * During early boot, systemd mounts /run/machine-id on top of /etc/machine-id (as /etc is readonly). Later during boot, when etc is readwrite, systemd-machine-id-commit.service will remove the mount and update the real file under it with the right content. To ensure that this keeps working, we need to ensure that when we relabel /etc/machine-id we relabel the real (covered) file, not the temporary bind-mount. * ostree-remount no longer needs to remount /etc read-only in the transient-etc case. Signed-off-by: Alexander Larsson <[email protected]>
alexlarsson
added a commit
to alexlarsson/ostree
that referenced
this pull request
Oct 12, 2023
If the `prepare-root.conf` file contains: ``` [etc] transient=yes ``` Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image , or it is the deployed `$deploydir/usr/etc`. Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lowerdir (/usr/etc) will have the wrong selinux contexts for the final location of the mount (/etc). We also set the transient-etc key in the ostree-booted file, pointing it to the directory that is used for the overlayfs. There are some additional work happening in ostree-remount, mostly related to selinux (as this needs to happen post selinux policy load): * Recent versions of selinux-poliy have issues with the overlayfs mount being kernel_t, and that is not allowed to manage files as needed. This is fixed in fedora-selinux/selinux-policy#1893 * Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this ostree-remount will relabel all files on /etc that have corresponding files in overlayfs upper dir. * During early boot, systemd mounts /run/machine-id on top of /etc/machine-id (as /etc is readonly). Later during boot, when etc is readwrite, systemd-machine-id-commit.service will remove the mount and update the real file under it with the right content. To ensure that this keeps working, we need to ensure that when we relabel /etc/machine-id we relabel the real (covered) file, not the temporary bind-mount. * ostree-remount no longer needs to remount /etc read-only in the transient-etc case. Signed-off-by: Alexander Larsson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Extend the abitlity to manage all files also to character & block device files and also allow relabeling any file.
This is required for early boot overlay mounts to fully work, but may be needed for other legitimate oprations as well.
See also: ostreedev/ostree#3062