Enable SELinux
parent
90c8de9c0a
commit
f28d463504
@ -2,7 +2,7 @@ FROM ubuntu:15.10
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get -y install locales sudo vim less curl wget git rsync build-essential syslinux isolinux xorriso \
|
||||
libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates
|
||||
libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates pkg-config
|
||||
|
||||
RUN locale-gen en_US.UTF-8
|
||||
ENV LANG en_US.UTF-8
|
||||
|
5
Makefile
5
Makefile
@ -27,6 +27,9 @@ assets/docker:
|
||||
curl -L "$(DOCKER_BINARY_URL)" > $@
|
||||
chmod +x $@
|
||||
|
||||
assets/selinux/policy.29:
|
||||
mkdir -p $(dir $@)
|
||||
curl -L "$(SELINUX_POLICY_URL)" > $@
|
||||
|
||||
ifdef COMPILED_KERNEL_URL
|
||||
|
||||
@ -43,7 +46,7 @@ $(BUILD)/kernel/:
|
||||
curl -L "$(COMPILED_KERNEL_URL)" | tar -xzf - -C $@
|
||||
|
||||
|
||||
$(DIST)/artifacts/initrd: bin/ros assets/docker $(BUILD)/kernel/ $(BUILD)/images.tar
|
||||
$(DIST)/artifacts/initrd: bin/ros assets/docker assets/selinux/policy.29 $(BUILD)/kernel/ $(BUILD)/images.tar
|
||||
mkdir -p $(dir $@)
|
||||
ARCH=$(ARCH) DFS_IMAGE=$(DFS_IMAGE) DEV_BUILD=$(DEV_BUILD) ./scripts/mk-initrd.sh $@
|
||||
|
||||
|
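Review bot: The `assets/selinux/policy.29` target writes the downloaded policy straight to `$@` with no integrity check, so whatever the fetch returns becomes the policy that the `$(DIST)/artifacts/initrd` rule below bakes into the initrd; a pinned digest would make the build reject a corrupt or substituted artifact. The shell redirect also creates `$@` before curl runs, so a failed or non-2xx fetch leaves a truncated or HTML file that make will consider up to date on the next run (the `assets/docker` target above has the same pattern). A safer recipe is `curl -fL "$(SELINUX_POLICY_URL)" -o $@.tmp`, `echo "$(SELINUX_POLICY_SHA256)  $@.tmp" | sha256sum -c -` and `mv $@.tmp $@`, with `SELINUX_POLICY_SHA256` (a new variable, value to be pinned) defined next to `SELINUX_POLICY_URL`.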
2
assets/selinux/config
Normal file
2
assets/selinux/config
Normal file
@ -0,0 +1,2 @@
|
||||
SELINUX=permissive
|
||||
SELINUXTYPE=ros
|
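Review bot: `SELINUX=permissive` means the policy loaded at boot only logs denials and never blocks them, so despite the commit title this enables SELinux in audit-only mode; that is a reasonable first step, but it is worth recording in the file itself, since nothing else in the commit surfaces the enforce state (the init code discards it). Suggested comment above the line: `# permissive: denials from the ros policy are logged, not enforced`.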
1
assets/selinux/failsafe_context
Normal file
1
assets/selinux/failsafe_context
Normal file
@ -0,0 +1 @@
|
||||
system_r:kernel_t:s0
|
3
assets/selinux/lxc_contexts
Normal file
3
assets/selinux/lxc_contexts
Normal file
@ -0,0 +1,3 @@
|
||||
process = "system_u:system_r:svirt_lxc_net_t:s0"
|
||||
content = "system_u:object_r:virt_var_lib_t:s0"
|
||||
file = "system_u:object_r:svirt_lxc_file_t:s0"
|
1
assets/selinux/seusers
Normal file
1
assets/selinux/seusers
Normal file
@ -0,0 +1 @@
|
||||
__default__:system_u:s0-s0
|
@ -1,3 +1,4 @@
|
||||
IMAGE_NAME=rancher/os
|
||||
VERSION=v0.4.4-dev
|
||||
DFS_IMAGE=rancher/docker:v1.10.1
|
||||
SELINUX_POLICY_URL=https://github.com/rancher/refpolicy/releases/download/v0.0.1/policy.29
|
||||
|
@ -220,6 +220,10 @@ func RunInit() error {
|
||||
return config.LoadConfig()
|
||||
},
|
||||
loadModules,
|
||||
func(c *config.CloudConfig) (*config.CloudConfig, error) {
|
||||
return c, dockerlaunch.PrepareFs(&mountConfig)
|
||||
},
|
||||
initializeSelinux,
|
||||
sysInit,
|
||||
}
|
||||
|
||||
@ -236,5 +240,6 @@ func RunInit() error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return pidOne()
|
||||
}
|
||||
|
32
init/selinux.go
Normal file
32
init/selinux.go
Normal file
@ -0,0 +1,32 @@
|
||||
// +build linux
|
||||
|
||||
package init
|
||||
|
||||
import (
|
||||
log "github.com/Sirupsen/logrus"
|
||||
"github.com/rancher/os/config"
|
||||
"github.com/rancher/os/selinux"
|
||||
"io/ioutil"
|
||||
)
|
||||
|
||||
func initializeSelinux(c *config.CloudConfig) (*config.CloudConfig, error) {
|
||||
ret, _ := selinux.InitializeSelinux()
|
||||
|
||||
if ret != 0 {
|
||||
log.Debug("Unable to initialize SELinux")
|
||||
return c, nil
|
||||
}
|
||||
|
||||
// Set allow_execstack boolean to true
|
||||
if err := ioutil.WriteFile("/sys/fs/selinux/booleans/allow_execstack", []byte("1"), 0644); err != nil {
|
||||
log.Debug(err)
|
||||
return c, nil
|
||||
}
|
||||
|
||||
if err := ioutil.WriteFile("/sys/fs/selinux/commit_pending_bools", []byte("1"), 0644); err != nil {
|
||||
log.Debug(err)
|
||||
return c, nil
|
||||
}
|
||||
|
||||
return c, nil
|
||||
}
|
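Review bot: `ret, _ := selinux.InitializeSelinux()` discards the errno that the cgo call captures, so when policy loading fails the only trace is the generic `Unable to initialize SELinux` at Debug level and the cause is lost; keep the error and include it, e.g. `ret, err := selinux.InitializeSelinux()` / `if ret != 0 {` / `log.Debugf("Unable to initialize SELinux (ret=%d): %v", ret, err)`. If an unloaded policy should be visible in a default boot log, Warn rather than Debug is the appropriate level for all three failure paths in this function. The `// Set allow_execstack boolean to true` comment says what the write does but not why the policy's execstack restriction is being relaxed at boot; a sentence naming what needs executable stacks would let a later maintainer judge whether the override can ever be dropped.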
@ -262,6 +262,7 @@ rancher:
|
||||
- /etc/resolv.conf:/etc/resolv.conf
|
||||
- /etc/rkt:/etc/rkt
|
||||
- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.rancher
|
||||
- /etc/selinux:/etc/selinux
|
||||
- /lib/firmware:/lib/firmware
|
||||
- /lib/modules:/lib/modules
|
||||
- /run:/run
|
||||
|
@ -20,6 +20,7 @@ INITRD_DIR=${BUILD}/initrd
|
||||
rm -rf ${INITRD_DIR}/{usr,init}
|
||||
mkdir -p ${INITRD_DIR}/usr/{bin,share/ros}
|
||||
mkdir -p ${INITRD_DIR}/var/lib/system-docker
|
||||
mkdir -p ${INITRD_DIR}/usr/etc/selinux/ros/{policy,contexts}
|
||||
|
||||
if [ "$IS_ROOTFS" == "0" ]; then
|
||||
cp -rf ${BUILD}/kernel/lib ${INITRD_DIR}/usr/
|
||||
@ -34,6 +35,12 @@ ln -s usr/bin/ros ${INITRD_DIR}/init
|
||||
ln -s bin ${INITRD_DIR}/usr/sbin
|
||||
ln -s usr/sbin ${INITRD_DIR}/sbin
|
||||
|
||||
cp assets/selinux/config ${INITRD_DIR}/usr/etc/selinux/
|
||||
cp assets/selinux/policy.29 ${INITRD_DIR}/usr/etc/selinux/ros/policy/
|
||||
cp assets/selinux/seusers ${INITRD_DIR}/usr/etc/selinux/ros/
|
||||
cp assets/selinux/lxc_contexts ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
|
||||
cp assets/selinux/failsafe_context ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
|
||||
|
||||
DFS_ARCH=$(docker create ${DFS_ARCH_IMAGE})
|
||||
trap "docker rm -fv ${DFS_ARCH}" EXIT
|
||||
|
||||
|
13
selinux/selinux.go
Normal file
13
selinux/selinux.go
Normal file
@ -0,0 +1,13 @@
|
||||
// +build linux
|
||||
|
||||
package selinux
|
||||
|
||||
// #cgo pkg-config: libselinux libsepol
|
||||
// #include <selinux/selinux.h>
|
||||
import "C"
|
||||
|
||||
func InitializeSelinux() (int, error) {
|
||||
enforce := C.int(0)
|
||||
ret, err := C.selinux_init_load_policy(&enforce)
|
||||
return int(ret), err
|
||||
}
|
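Review bot: `InitializeSelinux` is exported without a doc comment, and its return contract needs one because `err` is the cgo errno snapshot: it can be non-nil even when `ret` is 0 (internal calls may set errno and the overall call still succeed), so callers must check `ret` before interpreting `err`. Suggested comment: `// InitializeSelinux loads the SELinux policy through libselinux. ret is 0 on success; err carries errno and is only meaningful when ret != 0.` The `enforce` value that `selinux_init_load_policy` fills in (the enforcing mode requested by the config) is dropped on return, so no caller can tell which mode the system came up in; either return it alongside `ret` or state in the comment that it is intentionally ignored.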