diff --git a/Dockerfile.dapper b/Dockerfile.dapper
index 3dc56203..757fb749 100644
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@@ -2,7 +2,7 @@ FROM ubuntu:15.10
 RUN apt-get update && \
 apt-get -y install locales sudo vim less curl wget git rsync build-essential syslinux isolinux xorriso \
- libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates
+ libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates pkg-config
 RUN locale-gen en_US.UTF-8
 ENV LANG en_US.UTF-8
diff --git a/Makefile b/Makefile
index 0964f695..cb2d0dde 100644
--- a/Makefile
+++ b/Makefile
@@ -27,6 +27,9 @@ assets/docker:
 curl -L "$(DOCKER_BINARY_URL)" > $@
 chmod +x $@
+assets/selinux/policy.29:
+ mkdir -p $(dir $@)
+ curl -L "$(SELINUX_POLICY_URL)" > $@
 ifdef COMPILED_KERNEL_URL
@@ -43,7 +46,7 @@ $(BUILD)/kernel/:
 curl -L "$(COMPILED_KERNEL_URL)" | tar -xzf - -C $@
-$(DIST)/artifacts/initrd: bin/ros assets/docker $(BUILD)/kernel/ $(BUILD)/images.tar
+$(DIST)/artifacts/initrd: bin/ros assets/docker assets/selinux/policy.29 $(BUILD)/kernel/ $(BUILD)/images.tar
 mkdir -p $(dir $@)
 ARCH=$(ARCH) DFS_IMAGE=$(DFS_IMAGE) DEV_BUILD=$(DEV_BUILD) ./scripts/mk-initrd.sh $@
diff --git a/assets/selinux/config b/assets/selinux/config
new file mode 100644
index 00000000..35ea6f5e
--- /dev/null
+++ b/assets/selinux/config
@@ -0,0 +1,2 @@
+SELINUX=permissive
+SELINUXTYPE=ros
diff --git a/assets/selinux/failsafe_context b/assets/selinux/failsafe_context
new file mode 100644
index 00000000..b87dbdf0
--- /dev/null
+++ b/assets/selinux/failsafe_context
@@ -0,0 +1 @@
+system_r:kernel_t:s0
diff --git a/assets/selinux/lxc_contexts b/assets/selinux/lxc_contexts
new file mode 100644
index 00000000..bf3fcc1a
--- /dev/null
+++ b/assets/selinux/lxc_contexts
@@ -0,0 +1,3 @@
+process = "system_u:system_r:svirt_lxc_net_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:svirt_lxc_file_t:s0"
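Review bot: The new `assets/selinux/policy.29` target writes whatever curl receives straight into the target file, so an HTTP error body (a 404 page, for instance) becomes a policy.29 that make then treats as up to date and that scripts/mk-initrd.sh later copies into the initrd. Adding `-f` makes curl fail on HTTP errors, and downloading to a temporary name keeps a partial transfer from satisfying the rule: `curl -fL "$(SELINUX_POLICY_URL)" -o $@.tmp && mv $@.tmp $@`. The download is a binary policy blob fetched by URL (SELINUX_POLICY_URL, added to build.conf in this commit) with no checksum comparison, so the build cannot notice a changed or replaced release asset; a pinned sha256 verified after the download would close that gap. The existing `assets/docker` target above has the same shape, so this follows the file's convention rather than introducing the pattern.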
diff --git a/assets/selinux/seusers b/assets/selinux/seusers
new file mode 100644
index 00000000..1ca7c9ea
--- /dev/null
+++ b/assets/selinux/seusers
@@ -0,0 +1 @@
+__default__:system_u:s0-s0
diff --git a/build.conf b/build.conf
index c52b54c8..a95db5f8 100644
--- a/build.conf
+++ b/build.conf
@@ -1,3 +1,4 @@
 IMAGE_NAME=rancher/os
 VERSION=v0.4.4-dev
 DFS_IMAGE=rancher/docker:v1.10.1
+SELINUX_POLICY_URL=https://github.com/rancher/refpolicy/releases/download/v0.0.1/policy.29
diff --git a/init/init.go b/init/init.go
index ddc9b2ef..59cb5dfd 100644
--- a/init/init.go
+++ b/init/init.go
@@ -220,6 +220,10 @@ func RunInit() error {
 return config.LoadConfig()
 },
 loadModules,
+ func(c *config.CloudConfig) (*config.CloudConfig, error) {
+ return c, dockerlaunch.PrepareFs(&mountConfig)
+ },
+ initializeSelinux,
 sysInit,
 }
@@ -236,5 +240,6 @@ func RunInit() error {
 if err != nil {
 return err
 }
+
 return pidOne()
 }
diff --git a/init/selinux.go b/init/selinux.go
new file mode 100644
index 00000000..afdfc271
--- /dev/null
+++ b/init/selinux.go
@@ -0,0 +1,32 @@
+// +build linux
+
+package init
+
+import (
+ log "github.com/Sirupsen/logrus"
+ "github.com/rancher/os/config"
+ "github.com/rancher/os/selinux"
+ "io/ioutil"
+)
+
+func initializeSelinux(c *config.CloudConfig) (*config.CloudConfig, error) {
+ ret, _ := selinux.InitializeSelinux()
+
+ if ret != 0 {
+ log.Debug("Unable to initialize SELinux")
+ return c, nil
+ }
+
+ // Set allow_execstack boolean to true
+ if err := ioutil.WriteFile("/sys/fs/selinux/booleans/allow_execstack", []byte("1"), 0644); err != nil {
+ log.Debug(err)
+ return c, nil
+ }
+
+ if err := ioutil.WriteFile("/sys/fs/selinux/commit_pending_bools", []byte("1"), 0644); err != nil {
+ log.Debug(err)
+ return c, nil
+ }
+
+ return c, nil
+}
diff --git a/os-config.yml b/os-config.yml
index 6f01af2e..886c77c2 100644
--- a/os-config.yml
+++ b/os-config.yml
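Review bot: In init/selinux.go, `ret, _ := selinux.InitializeSelinux()` discards the error the cgo call returns, and the failure branch only emits `log.Debug("Unable to initialize SELinux")`, so a policy that fails to load leaves no trace at the default log level while boot continues as if SELinux had been set up. Keeping the error and raising the level, `ret, err := selinux.InitializeSelinux()` followed by `log.Warnf("Unable to initialize SELinux: %v", err)`, makes the condition visible without changing the decision to keep booting; the two `log.Debug(err)` calls after the WriteFile calls would benefit from the same treatment. The `allow_execstack` write turns on a boolean that widens what the loaded policy permits (how far depends on the policy in use), and the comment above it only restates the code; a why-comment such as `// allow_execstack is required because <reason> — see <reference>` (placeholders to be filled in) would tell the next maintainer whether it can ever be dropped. Since every path returns `c, nil`, the step registered in init/init.go (first hunk of that file) can never abort RunInit, which is worth saying in the function's doc comment.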
@@ -262,6 +262,7 @@ rancher:
 - /etc/resolv.conf:/etc/resolv.conf
 - /etc/rkt:/etc/rkt
 - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.rancher
+ - /etc/selinux:/etc/selinux
 - /lib/firmware:/lib/firmware
 - /lib/modules:/lib/modules
 - /run:/run
diff --git a/scripts/mk-initrd.sh b/scripts/mk-initrd.sh
index ba52d5f4..fcc6fac9 100755
--- a/scripts/mk-initrd.sh
+++ b/scripts/mk-initrd.sh
@@ -20,6 +20,7 @@ INITRD_DIR=${BUILD}/initrd
 rm -rf ${INITRD_DIR}/{usr,init}
 mkdir -p ${INITRD_DIR}/usr/{bin,share/ros}
 mkdir -p ${INITRD_DIR}/var/lib/system-docker
+mkdir -p ${INITRD_DIR}/usr/etc/selinux/ros/{policy,contexts}
 if [ "$IS_ROOTFS" == "0" ]; then
 cp -rf ${BUILD}/kernel/lib ${INITRD_DIR}/usr/
@@ -34,6 +35,12 @@ ln -s usr/bin/ros ${INITRD_DIR}/init
 ln -s bin ${INITRD_DIR}/usr/sbin
 ln -s usr/sbin ${INITRD_DIR}/sbin
+cp assets/selinux/config ${INITRD_DIR}/usr/etc/selinux/
+cp assets/selinux/policy.29 ${INITRD_DIR}/usr/etc/selinux/ros/policy/
+cp assets/selinux/seusers ${INITRD_DIR}/usr/etc/selinux/ros/
+cp assets/selinux/lxc_contexts ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
+cp assets/selinux/failsafe_context ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
+
 DFS_ARCH=$(docker create ${DFS_ARCH_IMAGE})
 trap "docker rm -fv ${DFS_ARCH}" EXIT
diff --git a/selinux/selinux.go b/selinux/selinux.go
new file mode 100644
index 00000000..5a1cb2e9
--- /dev/null
+++ b/selinux/selinux.go
@@ -0,0 +1,13 @@
+// +build linux
+
+package selinux
+
+// #cgo pkg-config: libselinux libsepol
+// #include
+import "C"
+
+func InitializeSelinux() (int, error) {
+ enforce := C.int(0)
+ ret, err := C.selinux_init_load_policy(&enforce)
+ return int(ret), err
+}
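Review bot: In selinux/selinux.go, `return int(ret), err` hands back the errno-derived error cgo captured even when `selinux_init_load_policy` reported success; cgo fills that error from errno whenever it is non-zero after the call, and a library routine that succeeds overall can still leave errno set by an internal probe, so callers may see a non-nil error alongside a zero return code. Gating it on the result, `if ret != 0 { return int(ret), err }` followed by `return int(ret), nil`, keeps the two values consistent. The `enforce` out-parameter, which libselinux documents as receiving the enforcing mode it settled on, is thrown away, so callers cannot tell whether the policy came up permissive (the shipped assets/selinux/config says `SELINUX=permissive`); returning or logging it would help. The exported function also lacks a doc comment, e.g. `// InitializeSelinux loads the SELinux policy through libselinux's selinux_init_load_policy and returns its raw result code.`, and the `#include` directive appears truncated on this page, so the header being included cannot be checked here.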