
Enable SELinux

This commit is contained in:
Josh Curl 2016-02-19 16:11:32 -08:00
parent 90c8de9c0a
commit f28d463504
12 changed files with 71 additions and 2 deletions


@ -2,7 +2,7 @@ FROM ubuntu:15.10
RUN apt-get update && \ RUN apt-get update && \
apt-get -y install locales sudo vim less curl wget git rsync build-essential syslinux isolinux xorriso \ apt-get -y install locales sudo vim less curl wget git rsync build-essential syslinux isolinux xorriso \
libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates libblkid-dev libmount-dev libselinux1-dev cpio genisoimage qemu-kvm python-pip ca-certificates pkg-config
RUN locale-gen en_US.UTF-8 RUN locale-gen en_US.UTF-8
ENV LANG en_US.UTF-8 ENV LANG en_US.UTF-8


@ -27,6 +27,9 @@ assets/docker:
curl -L "$(DOCKER_BINARY_URL)" > $@ curl -L "$(DOCKER_BINARY_URL)" > $@
chmod +x $@ chmod +x $@
assets/selinux/policy.29:
mkdir -p $(dir $@)
curl -L "$(SELINUX_POLICY_URL)" > $@
ifdef COMPILED_KERNEL_URL ifdef COMPILED_KERNEL_URL
@ -43,7 +46,7 @@ $(BUILD)/kernel/:
curl -L "$(COMPILED_KERNEL_URL)" | tar -xzf - -C $@ curl -L "$(COMPILED_KERNEL_URL)" | tar -xzf - -C $@
$(DIST)/artifacts/initrd: bin/ros assets/docker $(BUILD)/kernel/ $(BUILD)/images.tar $(DIST)/artifacts/initrd: bin/ros assets/docker assets/selinux/policy.29 $(BUILD)/kernel/ $(BUILD)/images.tar
mkdir -p $(dir $@) mkdir -p $(dir $@)
ARCH=$(ARCH) DFS_IMAGE=$(DFS_IMAGE) DEV_BUILD=$(DEV_BUILD) ./scripts/mk-initrd.sh $@ ARCH=$(ARCH) DFS_IMAGE=$(DFS_IMAGE) DEV_BUILD=$(DEV_BUILD) ./scripts/mk-initrd.sh $@
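Review bot: The new `assets/selinux/policy.29` target keeps whatever the server returns: `curl -L` without `-f` writes a 4xx/5xx error body into the policy file and make then treats the target as built, and nothing checks the integrity of a file that becomes the kernel's security policy inside the initrd. Use `curl -fL "$(SELINUX_POLICY_URL)" > $@` and verify the download against a pinned digest before it is packaged, e.g. `echo "<sha256 placeholder>  $@" | sha256sum -c -` with the digest kept next to `SELINUX_POLICY_URL` in build.conf; a release tag such as v0.0.1 can be re-pointed, so the URL alone does not pin the content. The `assets/docker` target above has the same `curl -L` shape but is not touched by this commit.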

2
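--- a/assets/selinux/config
+++ b/assets/selinux/config
@@ -0,0 +1,2 @@
+SELINUX=permissive
+SELINUXTYPE=ros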
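Review bot: `SELINUX=permissive` boots the system in audit-only mode — denials are logged but not blocked — and nothing in the file says whether that is the intended steady state or a starting point, so a reader cannot tell if "Enable SELinux" means enforcement is expected. This file accepts `#` comments, so a line such as `# permissive: denials are logged but not enforced` (plus a note on when enforcing is intended, if it is) would make the shipped posture explicit.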


@ -0,0 +1 @@
system_r:kernel_t:s0


@ -0,0 +1,3 @@
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"

1
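--- a/assets/selinux/seusers
+++ b/assets/selinux/seusers
@@ -0,0 +1 @@
+__default__:system_u:s0-s0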


@ -1,3 +1,4 @@
IMAGE_NAME=rancher/os IMAGE_NAME=rancher/os
VERSION=v0.4.4-dev VERSION=v0.4.4-dev
DFS_IMAGE=rancher/docker:v1.10.1 DFS_IMAGE=rancher/docker:v1.10.1
SELINUX_POLICY_URL=https://github.com/rancher/refpolicy/releases/download/v0.0.1/policy.29


@ -220,6 +220,10 @@ func RunInit() error {
return config.LoadConfig() return config.LoadConfig()
}, },
loadModules, loadModules,
func(c *config.CloudConfig) (*config.CloudConfig, error) {
return c, dockerlaunch.PrepareFs(&mountConfig)
},
initializeSelinux,
sysInit, sysInit,
} }
@ -236,5 +240,6 @@ func RunInit() error {
if err != nil { if err != nil {
return err return err
} }
return pidOne() return pidOne()
} }
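Review bot: The new `initializeSelinux` step sits immediately after the `dockerlaunch.PrepareFs(&mountConfig)` step with nothing recording why that order matters; `initializeSelinux` writes under `/sys/fs/selinux/` (init/selinux.go in this commit), so it presumably relies on mounts that `PrepareFs` sets up, and someone reordering this list later would not know. A comment on the step would pin the dependency: `// must run after PrepareFs: policy loading reads /etc/selinux and needs selinuxfs — confirm which of these PrepareFs provides`. RunInit starts and ends outside the hunk, and the second hunk at line 240 shows no code change here.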

32
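--- a/init/selinux.go
+++ b/init/selinux.go
+// +build linux
+package init
+import (
+log "github.com/Sirupsen/logrus"
+"github.com/rancher/os/config"
+"github.com/rancher/os/selinux"
+"io/ioutil"
+)
+func initializeSelinux(c *config.CloudConfig) (*config.CloudConfig, error) {
+ret, _ := selinux.InitializeSelinux()
+if ret != 0 {
+log.Debug("Unable to initialize SELinux")
+return c, nil
+}
+// Set allow_execstack boolean to true
+if err := ioutil.WriteFile("/sys/fs/selinux/booleans/allow_execstack", []byte("1"), 0644); err != nil {
+log.Debug(err)
+return c, nil
+}
+if err := ioutil.WriteFile("/sys/fs/selinux/commit_pending_bools", []byte("1"), 0644); err != nil {
+log.Debug(err)
+return c, nil
+}
+return c, nil
+}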
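Review bot: `ret, _ := selinux.InitializeSelinux()` discards the error, so when policy loading fails the only trace is a Debug-level message with no cause and the system keeps booting with no SELinux policy loaded — a silent loss of the protection this commit adds. Keep the error and log it where it will be seen: `ret, err := selinux.InitializeSelinux()` followed by `log.Warnf("Unable to initialize SELinux (ret=%d): %v", ret, err)`; the two `log.Debug(err)` calls on the boolean writes deserve the same treatment, since a failed `commit_pending_bools` write means the `allow_execstack` change was never applied. The comment `// Set allow_execstack boolean to true` only restates the code; it should name which component needs executable stacks, because this boolean relaxes a policy-wide memory-protection check and a later maintainer cannot tell whether it is still required. `initializeSelinux` returns `c, nil` on every path, which may be deliberate so boot continues, but that contract belongs in a doc comment on the function.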


@ -262,6 +262,7 @@ rancher:
- /etc/resolv.conf:/etc/resolv.conf - /etc/resolv.conf:/etc/resolv.conf
- /etc/rkt:/etc/rkt - /etc/rkt:/etc/rkt
- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.rancher - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.rancher
- /etc/selinux:/etc/selinux
- /lib/firmware:/lib/firmware - /lib/firmware:/lib/firmware
- /lib/modules:/lib/modules - /lib/modules:/lib/modules
- /run:/run - /run:/run
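Review bot: The new `/etc/selinux:/etc/selinux` bind mount is read-write, which lets the container owning this volume list (declared above the hunk) rewrite the policy, `config` and contexts the host's SELinux setup reads; unless something in that container must write there, mount it read-only: `- /etc/selinux:/etc/selinux:ro`. The neighbouring entries are also read-write, but this path carries the host's security policy, so it warrants the stricter mode.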


@ -20,6 +20,7 @@ INITRD_DIR=${BUILD}/initrd
rm -rf ${INITRD_DIR}/{usr,init} rm -rf ${INITRD_DIR}/{usr,init}
mkdir -p ${INITRD_DIR}/usr/{bin,share/ros} mkdir -p ${INITRD_DIR}/usr/{bin,share/ros}
mkdir -p ${INITRD_DIR}/var/lib/system-docker mkdir -p ${INITRD_DIR}/var/lib/system-docker
mkdir -p ${INITRD_DIR}/usr/etc/selinux/ros/{policy,contexts}
if [ "$IS_ROOTFS" == "0" ]; then if [ "$IS_ROOTFS" == "0" ]; then
cp -rf ${BUILD}/kernel/lib ${INITRD_DIR}/usr/ cp -rf ${BUILD}/kernel/lib ${INITRD_DIR}/usr/
@ -34,6 +35,12 @@ ln -s usr/bin/ros ${INITRD_DIR}/init
ln -s bin ${INITRD_DIR}/usr/sbin ln -s bin ${INITRD_DIR}/usr/sbin
ln -s usr/sbin ${INITRD_DIR}/sbin ln -s usr/sbin ${INITRD_DIR}/sbin
cp assets/selinux/config ${INITRD_DIR}/usr/etc/selinux/
cp assets/selinux/policy.29 ${INITRD_DIR}/usr/etc/selinux/ros/policy/
cp assets/selinux/seusers ${INITRD_DIR}/usr/etc/selinux/ros/
cp assets/selinux/lxc_contexts ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
cp assets/selinux/failsafe_context ${INITRD_DIR}/usr/etc/selinux/ros/contexts/
DFS_ARCH=$(docker create ${DFS_ARCH_IMAGE}) DFS_ARCH=$(docker create ${DFS_ARCH_IMAGE})
trap "docker rm -fv ${DFS_ARCH}" EXIT trap "docker rm -fv ${DFS_ARCH}" EXIT

13
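--- a/selinux/selinux.go
+++ b/selinux/selinux.go
+// +build linux
+package selinux
+// #cgo pkg-config: libselinux libsepol
+// #include <selinux/selinux.h>
+import "C"
+func InitializeSelinux() (int, error) {
+enforce := C.int(0)
+ret, err := C.selinux_init_load_policy(&enforce)
+return int(ret), err
+}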
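Review bot: The exported `InitializeSelinux` has no doc comment, and the cgo two-value call hides a pitfall callers need to know: `err` is the C errno after the call and can be non-nil even when `ret` is 0 (cgo reports any non-zero errno, and C functions are not required to clear it on success), so it is only meaningful when `ret != 0`. The `enforce` out-parameter that `selinux_init_load_policy` fills with the mode requested by the SELinux config is written and then dropped; returning it would let the caller know whether enforcing mode was requested. A doc comment along these lines covers both: `// InitializeSelinux loads the SELinux policy via selinux_init_load_policy.` / `// It returns the library's return code (0 on success) and the errno at return,` / `// which is only meaningful when the code is non-zero; the requested enforcing mode is discarded.`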