Enable SELinux

joshwget · joshwget · commit f28d463504ed · 2016-02-19T16:11:32.000-08:00
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
@@ -2,7 +2,7 @@ FROM ubuntu:15.10
 
 RUN apt-get update && \
     apt-get -y install locales sudo vim less curl wget git rsync build-essential syslinux isolinux xorriso \
-        libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates
+        libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates pkg-config
 
 RUN locale-gen en_US.UTF-8
 ENV LANG en_US.UTF-8
diff --git a/Makefile b/Makefile
@@ -27,6 +27,9 @@ assets/docker:
 	curl -L "$(DOCKER_BINARY_URL)" > $@
 	chmod +x $@
 
+assets/selinux/policy.29:
+	mkdir -p $(dir $@)
+	curl -L "$(SELINUX_POLICY_URL)" > $@
 
 ifdef COMPILED_KERNEL_URL
 
@@ -43,7 +46,7 @@ $(BUILD)/kernel/:
 	curl -L "$(COMPILED_KERNEL_URL)" | tar -xzf - -C $@
 
 
-$(DIST)/artifacts/initrd: bin/ros assets/docker $(BUILD)/kernel/ $(BUILD)/images.tar
+$(DIST)/artifacts/initrd: bin/ros assets/docker assets/selinux/policy.29 $(BUILD)/kernel/ $(BUILD)/images.tar
 	mkdir -p $(dir $@)
 	ARCH=$(ARCH) DFS_IMAGE=$(DFS_IMAGE) DEV_BUILD=$(DEV_BUILD) ./scripts/mk-initrd.sh $@
 
diff --git a/assets/selinux/config b/assets/selinux/config
@@ -0,0 +1,2 @@
+SELINUX=permissive
+SELINUXTYPE=ros
diff --git a/assets/selinux/failsafe_context b/assets/selinux/failsafe_context
@@ -0,0 +1 @@
+system_r:kernel_t:s0
diff --git a/assets/selinux/lxc_contexts b/assets/selinux/lxc_contexts
@@ -0,0 +1,3 @@
+process = "system_u:system_r:svirt_lxc_net_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/assets/selinux/seusers b/assets/selinux/seusers
@@ -0,0 +1 @@
+__default__:system_u:s0-s0
diff --git a/build.conf b/build.conf
@@ -1,3 +1,4 @@
 IMAGE_NAME=rancher/os
 VERSION=v0.4.4-dev
 DFS_IMAGE=rancher/docker:v1.10.1
+SELINUX_POLICY_URL=https://github.com/rancher/refpolicy/releases/download/v0.0.1/policy.29
diff --git a/init/init.go b/init/init.go
@@ -220,6 +220,10 @@ func RunInit() error {
 			return config.LoadConfig()
 		},
 		loadModules,
+		func(c *config.CloudConfig) (*config.CloudConfig, error) {
+			return c, dockerlaunch.PrepareFs(&mountConfig)
+		},
+		initializeSelinux,
 		sysInit,
 	}
 
@@ -236,5 +240,6 @@ func RunInit() error {
 	if err != nil {
 		return err
 	}
+
 	return pidOne()
 }
diff --git a/init/selinux.go b/init/selinux.go
@@ -0,0 +1,32 @@
+// +build linux
+
+package init
+
+import (
+	log "github.com/Sirupsen/logrus"
+	"github.com/rancher/os/config"
+	"github.com/rancher/os/selinux"
+	"io/ioutil"
+)
+
+func initializeSelinux(c *config.CloudConfig) (*config.CloudConfig, error) {
+	ret, _ := selinux.InitializeSelinux()
+
+	if ret != 0 {
+		log.Debug("Unable to initialize SELinux")
+		return c, nil
+	}
+
+	// Set allow_execstack boolean to true
+	if err := ioutil.WriteFile("/sys/fs/selinux/booleans/allow_execstack", []byte("1"), 0644); err != nil {
+		log.Debug(err)
+		return c, nil
+	}
+
+	if err := ioutil.WriteFile("/sys/fs/selinux/commit_pending_bools", []byte("1"), 0644); err != nil {
+		log.Debug(err)
+		return c, nil
+	}
+
+	return c, nil
+}
diff --git a/os-config.yml b/os-config.yml
@@ -262,6 +262,7 @@ rancher:
       - /etc/resolv.conf:/etc/resolv.conf
       - /etc/rkt:/etc/rkt
       - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.rancher
+      - /etc/selinux:/etc/selinux
       - /lib/firmware:/lib/firmware
       - /lib/modules:/lib/modules
       - /run:/run
diff --git a/scripts/mk-initrd.sh b/scripts/mk-initrd.sh
@@ -20,6 +20,7 @@ INITRD_DIR=${BUILD}/initrd
 rm -rf ${INITRD_DIR}/{usr,init}
 mkdir -p ${INITRD_DIR}/usr/{bin,share/ros}
 mkdir -p ${INITRD_DIR}/var/lib/system-docker
+mkdir -p ${INITRD_DIR}/usr/etc/selinux/ros/{policy,contexts}
 
 if [ "$IS_ROOTFS" == "0" ]; then
   cp -rf ${BUILD}/kernel/lib ${INITRD_DIR}/usr/
@@ -34,6 +35,12 @@ ln -s usr/bin/ros          ${INITRD_DIR}/init
 ln -s bin                  ${INITRD_DIR}/usr/sbin
 ln -s usr/sbin             ${INITRD_DIR}/sbin
 
+cp assets/selinux/config            ${INITRD_DIR}/usr/etc/selinux/
+cp assets/selinux/policy.29         ${INITRD_DIR}/usr/etc/selinux/ros/policy/
+cp assets/selinux/seusers           ${INITRD_DIR}/usr/etc/selinux/ros/
+cp assets/selinux/lxc_contexts      ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
+cp assets/selinux/failsafe_context  ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
+
 DFS_ARCH=$(docker create ${DFS_ARCH_IMAGE})
 trap "docker rm -fv ${DFS_ARCH}" EXIT
 
diff --git a/selinux/selinux.go b/selinux/selinux.go
@@ -0,0 +1,13 @@
+// +build linux
+
+package selinux
+
+// #cgo pkg-config: libselinux libsepol
+// #include <selinux/selinux.h>
+import "C"
+
+func InitializeSelinux() (int, error) {
+	enforce := C.int(0)
+	ret, err := C.selinux_init_load_policy(&enforce)
+	return int(ret), err
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+SELINUX=permissive`
	`2`	`+SELINUXTYPE=ros`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+process = "system_u:system_r:svirt_lxc_net_t:s0"`
	`2`	`+content = "system_u:object_r:virt_var_lib_t:s0"`
	`3`	`+file = "system_u:object_r:svirt_lxc_file_t:s0"`
Original file line number	Diff line number	Diff line change
`@@ -220,6 +220,10 @@ func RunInit() error {`
`220`	`220`	`return config.LoadConfig()`
`221`	`221`	`},`
`222`	`222`	`loadModules,`
	`223`	`+ func(c config.CloudConfig) (config.CloudConfig, error) {`
	`224`	`+ return c, dockerlaunch.PrepareFs(&mountConfig)`
	`225`	`+ },`
	`226`	`+ initializeSelinux,`
`223`	`227`	`sysInit,`
`224`	`228`	`}`
`225`	`229`
`@@ -236,5 +240,6 @@ func RunInit() error {`
`236`	`240`	`if err != nil {`
`237`	`241`	`return err`
`238`	`242`	`}`
	`243`	`+`
`239`	`244`	`return pidOne()`
`240`	`245`	`}`