BZ 1956836: overlay: Add rhcos-usrlocal-selinux-fixup.service

[cgwalters]

A fix is inbound for policy, but we really should fixup existing
systems in place.

[jlebon]

Hmm, I think we need this and also temporarily carry https://src.fedoraproject.org/rpms/selinux-policy/pull-request/24 until it makes it into RHEL8. Something like:

diff --git a/manifest.yaml b/manifest.yaml
index 4205ec4..30d74f9 100644
--- a/manifest.yaml
+++ b/manifest.yaml
@@ -163,6 +163,18 @@ postprocess:
      # NB: we don't use -f here so we break when this is no longer needed
      rm -v /etc/iscsi/initiatorname.iscsi

+  # Carry https://src.fedoraproject.org/rpms/selinux-policy/pull-request/24
+  # until it gets into RHEL8. Tracked at https://bugzilla.redhat.com/show_bug.cgi?id=1943381.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+
+    f=/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
+    if ! grep /var/usrlocal $f; then
+      echo "# https://src.fedoraproject.org/rpms/selinux-policy/pull-request/24" >> $f
+      echo "/var/usrlocal /usr/local" >> $f
+    fi
+
 etc-group-members:
   - wheel
   - sudo

?

This should also allow you to simplify the systemd service to just do restorecon -rv /var/usrlocal. Testing locally (after applying the change above live, not from a new compose):

[root@cosa-devsh ~]# echo foobar > /usr/local/sbin/foobar
[root@cosa-devsh ~]# chmod a+x /usr/local/sbin/foobar
[root@cosa-devsh ~]# restorecon -rv /var/usrlocal
Relabeled /var/usrlocal from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0
Relabeled /var/usrlocal/etc from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0
Relabeled /var/usrlocal/games from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0
Relabeled /var/usrlocal/include from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0
Relabeled /var/usrlocal/lib from system_u:object_r:var_t:s0 to system_u:object_r:lib_t:s0
Relabeled /var/usrlocal/man from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0
Relabeled /var/usrlocal/sbin from system_u:object_r:var_t:s0 to system_u:object_r:bin_t:s0
Relabeled /var/usrlocal/sbin/foobar from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:bin_t:s0
Relabeled /var/usrlocal/share from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0
Relabeled /var/usrlocal/src from system_u:object_r:var_t:s0 to system_u:object_r:usr_t:s0

[travier]

This should also allow you to simplify the systemd service to just do restorecon -rv /var/usrlocal. Testing locally (after applying the change above live, not from a new compose):

Relabeled /var/usrlocal/sbin/foobar from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:bin_t:s0

To fix the (SELinux) user part too with restorecon you need -F.

[cgwalters]

OK wow I had thought systemd-tmpfiles did nothing if the file exists, but it does seem to always reset the security context each boot, plus if e.g. I do chown bin:bin /usr/local/sbin && reboot then it gets reset back to root:root. Did you come across this before?

Mmmm. Locally changing policy feels riskier than just having this service run every time.

[cgwalters]

OK reworked to always restorecon /var/usrlocal/sbin, but still only do the recursive relabel once.

[cgwalters]

The unit test doesn't cover actually injecting binaries via Ignition right now, but I extensively tested this manually too.

[jlebon]

Minor comments, but LGTM generally!

[cgwalters]

Squashed the suggestions (thanks!) and updated Documentation=

[travier]

OK wow I had thought systemd-tmpfiles did nothing if the file exists, but it does seem to always reset the security context each boot, plus if e.g. I do chown bin:bin /usr/local/sbin && reboot then it gets reset back to root:root. Did you come across this before?

I had a similar issue earlier: coreos/ignition#1156

[travier]

Looks like a broken merge 🙂

[jlebon]

INFO[2021-05-19T16:25:48Z] error: Packages not found: audit, authselect, bash-completion, bind-utils, bsdtar, bzip2, chrony, cifs-utils, cloud-utils-growpart, compat-openssl10, conntrack-tools, coreutils, cryptsetup, cryptsetup-reencrypt, device-mapper-multipath, dhcp-client, dnsmasq, e2fsprogs, efibootmgr, git-core, glusterfs-fuse, gnupg2, grub2, grub2-efi-x64, gzip, hostname, iproute, iproute-tc, iptables, irqbalance, iscsi-initiator-utils, kernel, kernel-core, kernel-modules, kernel-modules-extra, kexec-tools, less, logrotate, lvm2, mdadm, microcode_ctl, nano, net-tools, nfs-utils, nftables, nmap-ncat, open-vm-tools, openssh-clients, openssh-server, passwd, perl-interpreter, qemu-guest-agent, rdma-core, rpm-ostree, rsync, selinux-policy-targeted, sg3_utils, shadow-utils, shim, socat, sssd, stalld, strace, subscription-manager-rhsm-certificates, sudo, systemd, systemd-journal-gateway, systemd-journal-remote, tar, teamd, tmux, tpm2-tools, vim-minimal, xfsprogs, xz

Hmm, something to do with the recent repo changes I suppose? /cc @travier

[jlebon]

/lgtm
for PR itself!

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, jlebon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [cgwalters,jlebon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[cgwalters]

/hold
until repos are fixed

[cgwalters]

/retest

[travier]

Blocked by openshift/release#18691 🙁

[travier]

Should be good to go now but maybe a full retest would be best

[miabbott]

/retest

[miabbott]

/unhold