Skip to content

Comments

platform: enable enforcing mode SELinux earlier#252

Merged
tormath1 merged 3 commits intoflatcar-masterfrom
tormath1/selinux
Nov 18, 2021
Merged

platform: enable enforcing mode SELinux earlier#252
tormath1 merged 3 commits intoflatcar-masterfrom
tormath1/selinux

Conversation

@tormath1
Copy link
Contributor

@tormath1 tormath1 commented Nov 18, 2021

In this PR, we enable SELinux in enforcing mode earlier in the boot. Previously, it was done once the instance booted by running sudo setenforce 1.

By enabling and running all the tests with enforcing mode set as soon as possible during the boot, we'll be able to catch early denial from SElinux (like this one: flatcar-archive/coreos-overlay#1426) which can prevent Flatcar to behave correctly.

How to use

$ ./build kola
$ sudo ./bin/kola spawn --qemu-image ./flatcar_production_qemu_image.img
[bound] core@localhost ~ $ getenforce
Enforcing
[bound] core@localhost ~ $ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Testing done

⚠️ this needs to be merged after flatcar-archive/coreos-overlay#1426 otherwise all tests using Docker runtime will fail with:

$ sudo ./bin/kola run --qemu-image ./flatcar_production_qemu_image.img docker.base
=== RUN   docker.base
=== RUN   docker.base/docker-info
=== RUN   docker.base/resources
=== RUN   docker.base/networks-reliably
=== RUN   docker.base/user-no-caps
--- FAIL: docker.base (20.79s)
    --- FAIL: docker.base/docker-info (0.13s)
            docker.go:573: could not get dockerinfo: Process exited with status 7
    --- FAIL: docker.base/resources (0.58s)
            cluster.go:117: The program docker is managed by torcx, which did not run.
...

with the patch proposed in flatcar-archive/coreos-overlay#1426; it works fine:

$ sudo ./bin/kola run --qemu-image ./build/images/amd64-usr/developer-latest/flatcar_production_qemu_image.img docker.base
=== RUN   docker.base
=== RUN   docker.base/docker-info
=== RUN   docker.base/resources
=== RUN   docker.base/networks-reliably
=== RUN   docker.base/user-no-caps
--- PASS: docker.base (188.63s)
    --- PASS: docker.base/docker-info (1.28s)
    --- PASS: docker.base/resources (6.84s)
            cluster.go:117: WARNING: Your kernel does not support OomKillDisable. OomKillDisable discarded.
            cluster.go:117: WARNING: Specifying a kernel memory limit is deprecated and will be removed in a future release.
            cluster.go:117: WARNING: Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.
            cluster.go:117: WARNING: Your kernel does not support memory swappiness capabilities or the cgroup is not mounted. Memory swappiness discarded.
    --- PASS: docker.base/networks-reliably (157.16s)
    --- PASS: docker.base/user-no-caps (1.07s)

@tormath1
plaform: remove EnableSelinux method
42c4b5f 
this method can be removed in order to prepare new SELinux
implementation logic.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1
plaform/cluster: add config to set enforcing mode
a66fc1e 
with this Container Linux Configuration - we allow the system to set
SELinux in enforcing mode as soon as possible in the boot process.

It relies on the existing Kola flag: `NoEnableSelinux` - current logic
will be preserved.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1
changelog: add entry
5aacaf9 
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 marked this pull request as ready for review November 18, 2021 14:39
@tormath1 tormath1 requested a review from a team November 18, 2021 14:39
@tormath1 tormath1 mentioned this pull request Nov 18, 2021
Merged
@tormath1 tormath1 merged commit d65a78b into flatcar-master Nov 18, 2021
@tormath1 tormath1 deleted the tormath1/selinux branch November 18, 2021 16:03
tormath1 added a commit that referenced this pull request Nov 22, 2021
@tormath1
Revert "Merge pull request #252 from flatcar-linux/tormath1/selinux"
845b754 
This reverts commit d65a78b, reversing
changes made to 804c249.
@tormath1 tormath1 mentioned this pull request Nov 22, 2021
Merged
@tormath1 tormath1 mentioned this pull request Sep 22, 2023
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pothos pothos pothos approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tormath1 @pothos