USHIFT-1050: Set textrel_shlib_t SELinux context on hadolint static executable

[ggiguash]

• Set textrel_shlib_t SELinux context to prevent hadolint crash.
• Optimize the script to explicitly declare tmp variable in the global scope and rename it to WORK_DIR

Closes USHIFT-1050

Context
hadolint executable is statically linked and it causes the following errors on some systems when SELinux is enabled.

Apr 11 06:30:57 microshift-dev-rhel92 setroubleshoot[32487]: SELinux is preventing /home/microshift/microshift/hadolint-Linux-x86_64 from execmod access on the file /home/microshift/microshift/_output/bin/hadolint.#012#012***** Plugin allow_execmod (53.1 confidence) suggests ****************#12#012If this issue occurred during normal system operation.#012Then this alert could be a serious issue and your system could be compromised. Setroubleshoot examined '/home/microshift/microshift/_output/bin/hadolint' to make sure it was built correctly, but can not determine if this application has been compromised.#012Do#012contact your security administrator and report this issue#012#012 Plugin catchall_boolean (42.6 confidence) suggests *************#12#012If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#12#012Do#012setsebool -P selinuxuser_execmod 1#012#012 Plugin catchall (5.76 confidence) suggests **************************#12#012If you believe that hadolint-Linux-x86_64 should be allowed execmod access on the hadolint file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#12# ausearch -c 'hadolint-Linux-' --raw | audit2allow -M my-hadolintLinux#012# semodule -X 300 -i my-hadolintLinux.pp#012

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-1050 which is a valid jira issue.

Details

In response to this:

• Set textrel_shlib_t SELinux context to prevent hadolint crash.
• Optimize the script to explicitly declare tmp variable in the global scope and rename it to WORK_DIR

Closes USHIFT-1050

Context
hadolint executable is statically linked and it causes the following errors on some systems when SELinux is enabled.

Apr 11 06:30:57 microshift-dev-rhel92 setroubleshoot[32487]: SELinux is preventing /home/microshift/microshift/hadolint-Linux-x86_64 from execmod access on the file /home/microshift/microshift/_output/bin/hadolint.#012#012***** Plugin allow_execmod (53.1 confidence) suggests ****************#12#012If this issue occurred during normal system operation.#012Then this alert could be a serious issue and your system could be compromised. Setroubleshoot examined '/home/microshift/microshift/_output/bin/hadolint' to make sure it was built correctly, but can not determine if this application has been compromised.#012Do#012contact your security administrator and report this issue#012#012 Plugin catchall_boolean (42.6 confidence) suggests *************#12#012If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#12#012Do#012setsebool -P selinuxuser_execmod 1#012#012 Plugin catchall (5.76 confidence) suggests **************************#12#012If you believe that hadolint-Linux-x86_64 should be allowed execmod access on the hadolint file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#12# ausearch -c 'hadolint-Linux-' --raw | audit2allow -M my-hadolintLinux#012# semodule -X 300 -i my-hadolintLinux.pp#012

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-1050 which is a valid jira issue.

Details

In response to this:

• Set textrel_shlib_t SELinux context to prevent hadolint crash.
• Optimize the script to explicitly declare tmp variable in the global scope and rename it to WORK_DIR

Closes USHIFT-1050

Context
hadolint executable is statically linked and it causes the following errors on some systems when SELinux is enabled.

Apr 11 06:30:57 microshift-dev-rhel92 setroubleshoot[32487]: SELinux is preventing /home/microshift/microshift/hadolint-Linux-x86_64 from execmod access on the file /home/microshift/microshift/_output/bin/hadolint.#012#012***** Plugin allow_execmod (53.1 confidence) suggests ****************#12#012If this issue occurred during normal system operation.#012Then this alert could be a serious issue and your system could be compromised. Setroubleshoot examined '/home/microshift/microshift/_output/bin/hadolint' to make sure it was built correctly, but can not determine if this application has been compromised.#012Do#012contact your security administrator and report this issue#012#012 Plugin catchall_boolean (42.6 confidence) suggests *************#12#012If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#12#012Do#012setsebool -P selinuxuser_execmod 1#012#012 Plugin catchall (5.76 confidence) suggests **************************#12#012If you believe that hadolint-Linux-x86_64 should be allowed execmod access on the hadolint file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#12# ausearch -c 'hadolint-Linux-' --raw | audit2allow -M my-hadolintLinux#012# semodule -X 300 -i my-hadolintLinux.pp#012

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ggiguash]

/cc @chiragkyal
/cc @pmtk
/cc @dhellmann

[chiragkyal]

It's LGTM for me. Let's have someone more to review.

[dhellmann]

Why do we only need to do this for hadolint?

[ggiguash]

Because, it's the "only" statically linked binary we have and loader / SELinux treat it differently.

[dhellmann]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dhellmann, ggiguash

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dhellmann,ggiguash]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@ggiguash: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.