Re: [PATCH] selinux: allow labeling before policy is loaded

From: Jonathan Lebon <jlebon@redhat.com>
To: Jonathan Lebon <jlebon@redhat.com>,
	selinux@vger.kernel.org, Victor Kamensky <kamensky@cisco.com>
Subject: Re: [PATCH] selinux: allow labeling before policy is loaded
Date: Mon, 19 Aug 2019 17:11:57 -0400	[thread overview]
Message-ID: <CACpbjYqHPx8H=9zOC7cYJuxhyz8TV6af0xBkx+oQbSdda=kmkQ@mail.gmail.com> (raw)
In-Reply-To: <20190819200552.GB749746@brutus.lan>

On Mon, Aug 19, 2019 at 3:49 PM Dominick Grift <dac.override@gmail.com> wrote:
>
> > Going further, there are use cases for creating the entire root
> > filesystem on first boot from the initrd (e.g. Container Linux supports
> > this today[1], and we'd like to support it in Fedora CoreOS as well[2]).
> > One can imagine doing this in two ways: at the block device level (e.g.
> > laying down a disk image), or at the filesystem level. In the former,
> > labeling can simply be part of the image. But even in the latter
> > scenario, one still really wants to be able to set the right labels when
> > populating the new filesystem.
>
> Does `echo "/" > /run/systemd/relabel-extra.d/foo.relabel` not address this?
>
> https://github.com/fedora-selinux/selinux-policy/issues/270

If one has files on multiple partitions, using systemd for this would
require keeping all the filesystems mounted across the pivot,
something we're trying very hard to avoid because it makes the bootup
process (and potentially mount hierarchy) different between the first
and subsequent boots. See more discussions about this in:

https://github.com/systemd/systemd/pull/11903

But also, asking systemd to relabel the whole system on boot isn't...
ideal. In the filesystem provisioning case I mentioned, we would be
extracting files from an OSTree repo, which already has labeling
information.

>
> If that does not do what it should do then this functionality should probably be removed?

I think the functionality on its own can be useful for a subset of use
cases. E.g. dracut modules which need to write some files outside of
/run (since that one already gets relabeled automatically)?

On Mon, Aug 19, 2019 at 4:05 PM Dominick Grift <dac.override@gmail.com> wrote:
>
> > +     if (!selinux_state.initialized) {
> > +             /* If we haven't even been initialized, then we can't validate
> > +              * against a policy, so leave the label as invalid. It may
> > +              * resolve to a valid label on the next revalidation try if
> > +              * we've since initialized.
> > +              */
>
> If you cannot validate against a policy, then how do you know what labels to associate?

If only relabeling a few files, we can use the libselinux APIs
(`selabel_*`), fetching the file context policy from /sysroot. In the
"full filesystem reprovision" scenario, labeling information is
already part of the objects we're writing.

One might then ask, "why not just load the policy in the initrd
instead?". The answer is that this also comes with a host of issues,
and isn't very widely used in practice. See discussions about that in:

https://github.com/coreos/ignition/issues/635

Esp. this comment and onwards:

https://github.com/coreos/ignition/issues/635#issuecomment-497730774