
SELinux Challenges #727

Closed
m2Giles opened this issue Dec 13, 2023 · 7 comments

Comments

@m2Giles
Member

m2Giles commented Dec 13, 2023

Describe the bug

SELinux is installed and in enforcing mode by default. This is a good thing. However, due to the nature of OCI packaging, the build process labels binaries incorrectly. See ostreedev/ostree-rs-ext#510

Beyond things being labeled incorrectly, some software that is shipped with the -dx image does not work with SELinux in enforcing mode like Incus. Systemd-homed is also broken. Those are upstream issues and not in the purview of this project. However, I think we should make mention of things that SELinux currently breaks. Waydroid mentions this, but it seems to be missing in other places.

What did you expect to happen?

Documentation of SELinux limitations with bluefin, i.e. in certain work cases consider SELinux in permissive mode. Additionally, identify workarounds for single binaries having the wrong context. -dx mode is aimed at developers who are used to working around issues; however, we should be a bit more forthcoming about said issues that they can encounter.

Output of rpm-ostree status

No response

Extra information or context

No response

@castrojo
Member

If you can post a doc snippet here that'd be useful: https://universal-blue.discourse.group/c/bluefin/6

Then I'll make it a wiki and tag it appropriately so it shows up in the documentation section. Are there any other things that we know of that don't work right?

@castrojo
Member

cc @bketelsen for the incus issues.

@bketelsen
Member

Confirmed. I set SELinux to permissive to run incus.

@m2Giles
Member Author

m2Giles commented Dec 14, 2023

Right now things that have rough edges:

  1. swtpm
  2. incus
  3. lxd (this should work though)
  4. docker/Podman - SELinux may label created containers wrong if you start trying to use them as system containers.
  5. Waydroid -- I think this was already removed from Bluefin images but remains in Bazzite

When going down custom image route:

  1. greetd (I think this was documented at some point)
  2. Anything being shipped with a binary policy.

I have some time tomorrow and I'll draft something up. I'm sure there are more. In the linked issue and on discord I put a workaround for swtpm in that could possibly work for some of the other ones (but most definitely not incus).

@m2Giles
Member Author

m2Giles commented Dec 31, 2023

I added the swtpm workaround method to the discourse.

https://universal-blue.discourse.group/t/selinux-workarounds-for-binaries-with-the-wrong-label/342

For the others,
lxd: can work, just needs files in the correct location. Unsure why SELinux throws a warning over that but guessing something gets mangled. This has been fixed in the COPR: ganto/copr-lxc4@2c939d4
However, LXD 5.19 removed some of the files used to workaround SELinux preventing socket creation in /var/lib/lxd. You can manually fix this by changing the lxd.socket file to create the socket in /run/ and setting the environment variable LXD_SOCKET to that corrected location.

Incus: Has no policies, needs someone to work with upstream to develop them.

docker/Podman: This is nothing different from workstation.

Waydroid/Greetd: The workaround for swtpm could possibly work for these. But hasn't been tested yet.
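The LXD socket relocation described in the comment above, as an added example that is not part of the issue, the LXD packaging or the COPR: it writes systemd drop-ins that move the socket from /var/lib/lxd to /run and hand the daemon the new path through LXD_SOCKET. The unit names lxd.socket and lxd.service, the file name unix.socket and the choice of /run/lxd are assumptions; check them against the units your package actually installs before applying to a live system.

```shell
#!/bin/sh
# Added example (not from the issue or the LXD/COPR packaging): relocate the LXD
# unix socket to /run via systemd drop-ins instead of editing the shipped units.
#
# Assumptions (labelled): unit names lxd.socket / lxd.service, socket file
# unix.socket, new location /run/lxd. Adjust these three values if they differ.
LXD_SOCKET_PATH=/run/lxd/unix.socket
SOCKET_UNIT=lxd.socket
SERVICE_UNIT=lxd.service

# Write both drop-ins under "$1" ("/" for the real system, a temp dir to preview).
# Prints the directory that now holds the drop-ins.
write_lxd_socket_override() {
    root=${1:-/}
    unitdir="${root%/}/etc/systemd/system"
    mkdir -p "$unitdir/$SOCKET_UNIT.d" "$unitdir/$SERVICE_UNIT.d"
    # An empty ListenStream= first clears the packaged /var/lib/lxd path; systemd
    # creates the parent directory of a unix socket itself, so nothing under
    # /var/lib/lxd has to be created by the daemon at start-up.
    cat > "$unitdir/$SOCKET_UNIT.d/override.conf" <<EOF
[Socket]
ListenStream=
ListenStream=$LXD_SOCKET_PATH
EOF
    # The daemon reads LXD_SOCKET so it looks for the socket at the new path.
    cat > "$unitdir/$SERVICE_UNIT.d/override.conf" <<EOF
[Service]
Environment=LXD_SOCKET=$LXD_SOCKET_PATH
EOF
    printf '%s\n' "$unitdir"
}

# Print the ListenStream target recorded in the drop-in, to confirm the override.
override_listen_path() {
    sed -n 's/^ListenStream=\(..*\)$/\1/p' "$1/$SOCKET_UNIT.d/override.conf"
}
```

After writing to the real root, run `systemctl daemon-reload` and restart lxd.socket; the lxc client also honours LXD_SOCKET, so export the same path in your shell (or a profile.d snippet) so it talks to the relocated socket.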

@m2Giles
Member Author

m2Giles commented Jan 3, 2024

Using the following set of file contexts, I am able to run incus in enforcing mode.

```
/usr/s?bin/incus                 --    gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/s?bin/incus-.*              --    gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/lib/incus/.*                --    gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/lib/systemd/system/incus.*  --    gen_context(system_u:object_r:container_unit_file_t:s0)
/var/lib/incus(/.*)?                   gen_context(system_u:object_r:container_var_lib_t:s0)
/var/log/incus(/.*)?                   gen_context(system_u:object_r:container_log_t:s0)
```

This appears to work for containers and VMs.

You will have to use the same socket workarounds as LXD.
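One way to apply file contexts like the six above on a running host, as an added example that is not part of the issue or the Universal Blue project: translate the .fc-style lines into `semanage fcontext` local customizations and then compare what each file carries with what policy expects. It handles every .fc file-type flag (`--`, `-d`, `-s`, and so on), not only the `--` used above. Assumptions: the host has policycoreutils-python-utils (semanage), libselinux-utils (matchpathcon) and GNU coreutils (`stat -c %C`); whether restorecon can relabel the read-only /usr tree of an ostree image is not addressed here, that is what the discourse write-up covers.

```shell
#!/bin/sh
# Added example (not from the issue or the project): turn .fc file-context lines
# into `semanage fcontext -a` commands and check on-disk labels against policy.
#
# Assumptions (labelled): semanage, matchpathcon and GNU stat are installed.

# Constructed sample: the six incus contexts quoted in the comment above.
INCUS_FC='/usr/s?bin/incus  --      gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/s?bin/incus-.*  --      gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/lib/incus/.*  --      gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/lib/systemd/system/incus.* --      gen_context(system_u:object_r:container_unit_file_t:s0)
/var/lib/incus(/.*)?      gen_context(system_u:object_r:container_var_lib_t:s0)
/var/log/incus(/.*)?      gen_context(system_u:object_r:container_log_t:s0)'

# Read .fc lines on stdin, print one `semanage fcontext -a` command per line.
# .fc layout: <path regex> [<file-type flag>] gen_context(<user:role:type:level>)
# Flags: "--" regular file, "-d" directory, "-s" socket, "-l" symlink, "-c" char,
# "-b" block, "-p" pipe; semanage spells the same set as "-f f|d|s|l|c|b|p".
# No flag means the rule applies to every file type.
fc_to_semanage() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
        regex = $1; ftype = ""; ctx = $NF; q = "\047"
        if ($2 ~ /^-[-bcdlps]$/) {
            f = substr($2, 2, 1)
            ftype = " -f " (f == "-" ? "f" : f)
        }
        sub(/^gen_context\(/, "", ctx); sub(/\)$/, "", ctx)
        if (split(ctx, part, ":") < 3) {
            print "skipping unparsable line: " $0 > "/dev/stderr"; next
        }
        # part[3] is the SELinux type, the only field semanage fcontext needs
        printf "semanage fcontext -a%s -t %s %s%s%s\n", ftype, part[3], q, regex, q
    }'
}

# The commands for the constructed incus sample.
incus_semanage_commands() {
    printf '%s\n' "$INCUS_FC" | fc_to_semanage
}

# Apply the rules on a real SELinux host (needs root); elsewhere just show them.
apply_incus_contexts() {
    if command -v semanage >/dev/null 2>&1; then
        incus_semanage_commands | sh -e
    else
        echo "semanage not available; generated commands:" >&2
        incus_semanage_commands
    fi
}

# For each path, compare the label it carries with the label policy expects.
# One line per mismatch; returns 1 if anything is still mislabeled.
check_labels() {
    rc=0
    for p in "$@"; do
        have=$(stat -c '%C' "$p" 2>/dev/null) || { echo "$p: not found"; continue; }
        want=$(matchpathcon -n "$p" 2>/dev/null) || { echo "$p: matchpathcon unavailable"; continue; }
        if [ "$have" != "$want" ]; then
            printf '%s: has %s, policy expects %s\n' "$p" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}
```

After `apply_incus_contexts`, run `check_labels /usr/bin/incus /var/lib/incus` (or any of the matched paths) to see which files still differ from policy and therefore still need relabeling; on a writable path `restorecon -Rv` on the reported file closes the gap, and the check is also a quick way to confirm that a denial in the audit log really is a labeling problem rather than a missing policy rule.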

@m2Giles
Member Author

m2Giles commented Jan 17, 2024

Documentation on discourse updated. I guess the workaround can be expanded to anything that needs to have additional capabilities, as seen in Bazzite's sunshine workaround.

Incus now has policies (workaround needed but documented). LXD has workaround documented upstream as well.

We probably still need an actual beginners guide to SELinux, but linking to something from fedora could possibly be sufficient.

@m2Giles m2Giles closed this as completed Jan 17, 2024