Add a first outline of the integration points of osbuild and selinux, from two perspectives: how osbuild interacts with the host and how osbuild labels the target artefact and the resulting peculiarities.
# SELinux and osbuild

SELinux labels for files are stored as extended attributes under the
`security.selinux` prefix.
## File system tree labelling

All stages, including the `org.osbuild.rpm` stage, are run inside a
container, which indicates to all tools, including rpm scriptlets,
that SELinux is disabled.

Labels are manually applied to the file system tree via a specialised
`org.osbuild.selinux` stage. This stage should therefore be at the
very end of the pipeline that is building the tree so that all files
are properly labelled.
## Container peculiarities and policy differences

SELinux is not namespaced which means there is only one global policy inside the Linux kernel. Since the kernel is shared by all containers, the policy that is loaded in the kernel applies to all containers as well.
Labels are verified against the active policy in the kernel when
writing (setxattr) but also when reading them (getxattr) as
long as selinux is activated for the kernel (i.e. on the host).
To read or write labels that are not included in the currently
active policy, the `CAP_MAC_ADMIN` capability (see capabilities(7)) is
needed. If a process does not have this capability, the following
will happen when trying to write or read the label:
When trying to write a label that is unknown to the currently
active policy, the kernel will reject it and the call to
setxattr will fail with EINVAL resulting in "Invalid argument"
errors from the corresponding tooling.
When trying to read a label that is unknown to the currently
active policy, the kernel will "pretend" the file is not labelled and
return system_u:object_r:unlabeled_t:s0 as label. Thus a file with
an unknown label (unknown to the host kernel) is indistinguishable
from an unlabelled file.
In RHEL and Fedora's SELinux policy, only very few programs can
gain or retain the `CAP_MAC_ADMIN` capability, even if the current
user is unconfined or sysadm. Normal tools like cp, ls,
stat, or tar do not have this capability meaning that
inspecting the labels for files and folders will result in
unlabeled_t for unknown (to the host) labels.
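The ambiguity described above matters when verifying a labelled tree from the host. The following Python (added here as an illustration, not code from the osbuild repository) matches paths against a setfiles-style `file_contexts` spec and compares the result with what `getxattr(2)` hands back, treating `unlabeled_t` as "either unlabelled or unknown to the host policy". The spec lines and the observed labels are constructed samples, not osbuild's own policy.

```python
import re

# Constructed sample in the compiled file_contexts format setfiles consumes
# (regex, optional file-type flag, context); it is not osbuild's own .fc file.
SAMPLE_FILE_CONTEXTS = """\
/.*                  system_u:object_r:default_t:s0
/usr/bin/.*          system_u:object_r:bin_t:s0
/usr/bin/osbuild  -- system_u:object_r:osbuild_exec_t:s0
/etc/passwd       -- system_u:object_r:passwd_file_t:s0
/var/run/.*          <<none>>
"""
# Constructed labels as getxattr(2) returns them on the build host; None models
# ENODATA, i.e. the file carries no security.selinux xattr at all.
SAMPLE_OBSERVED = {
    "/usr/bin/osbuild": "system_u:object_r:unlabeled_t:s0",  # type unknown to host
    "/usr/bin/ls": "system_u:object_r:bin_t:s0",
    "/etc/passwd": "system_u:object_r:default_t:s0",
    "/etc/hostname": None,
}
UNLABELED = "system_u:object_r:unlabeled_t:s0"

def parse_file_contexts(text):
    """Return [(compiled regex, file-type flag or None, context)]."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed file_contexts line: {line!r}")
        ftype = parts[1] if len(parts) == 3 else None
        # setfiles anchors the regex at both ends of the path
        specs.append((re.compile(parts[0] + "$"), ftype, parts[-1]))
    return specs

def expected_context(specs, path):
    """Last matching entry wins, as in setfiles; <<none>> means leave unlabelled."""
    ctx = None
    for regex, _ftype, context in specs:
        if regex.match(path):
            ctx = None if context == "<<none>>" else context
    return ctx

def classify(expected, observed):
    """Judge one file's label as it reads back on the host."""
    if observed is None:
        return "missing"  # xattr absent: the file was never labelled
    if observed == UNLABELED:
        # Without CAP_MAC_ADMIN the kernel reports unlabeled_t both for a real
        # unlabeled_t and for any context the host policy does not know.
        return "unlabeled-or-unknown-to-host"
    return "ok" if observed == expected else "mismatch"
```

In a real check the observed labels would come from `os.getxattr(path, "security.selinux")` on the built tree; an `unlabeled-or-unknown-to-host` result can only be resolved with `CAP_MAC_ADMIN` or with the target policy loaded.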
## Custom OSBuild SELinux Policy

On RHEL and Fedora, the SELinux policy has a few contexts that
allow CAP_MAC_ADMIN, most notably install_t and setfiles_mac.
The latter is a policy for the setfiles binary, which is used
by the `org.osbuild.selinux` stage to label files. But to be able
to transition into setfiles_mac, the calling program must have a
special transition rule allowing this. Therefore osbuild uses a
custom policy with specialised labels for osbuild executables such
as stages, runners and the main binary: osbuild_t. Then a domain
transition rule is enabled that allows setfiles to transition to
setfiles_mac from osbuild. From selinux/osbuild.te:
```
# execute setfiles in the setfiles_mac domain
# when in the osbuild_t domain
seutil_domtrans_setfiles_mac(osbuild_t)
```