widen access to filesystem relabel in SELinux policy #2738
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Use "local_t" rather than "any_t" as the default context for xattr based filesystems. "unlabeled_t" has been an alias for "local_t" since 7534d22, so this usage is consistent with other policy rules that expect this as the default label. The "cni_exec_t" type was previously covered by the rule allowing it to be associated with ephemeral "any_t" filesystems. With the default context change, it now needs to be included in the rule for "local_t" filesystem assocations. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Filesystem relabel permissions were previously part of the systems management permission set, a collection of permissions reserved for the host. Shift the permissions into a new permission set in preparation for widening the rules around access, and grant the permissions to all trusted subjects to match the prior policy. Signed-off-by: Ben Cressey <bcressey@amazon.com>
The "relabelfrom" and "relabelto" permissions for filesystems are only used by the SELinux LSM hook for sb_set_mnt_opts() to determine if the provided "*context=" mount options are allowed by the policy. This allows containers to mount filesystems using context options, but only when "local_t" is both the old and new label. This will be true for the xattr-based filesystems - ext4, xfs, overlayfs - because of policy defaults, but not otherwise. The SELinux implementation in the kernel prevents these options from being changed while the filesystem is active, either by remounting it or by mounting it again elsewhere. This means that containers cannot leverage these permissions to interfere with other mounts on the system; they can only affect newly-mounted filesystems. The intended use case is to allow containers such as CSI drivers to "opt out" certain mounts from the filesystem-wide relabel performed by `containerd` to apply MCS-based isolation. That relabel can be very costly, if the filesystem has a large number of files. It may also be blocked by the SELinux policy, in the case of an overlayfs mounted by a container, since the mounter's credentials do not permit files to be relabeled. Signed-off-by: Ben Cressey <bcressey@amazon.com>
markusboehme
approved these changes
Jan 18, 2023
stmcginnis
approved these changes
Jan 18, 2023
foersleo
approved these changes
Jan 18, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
#2556, #2656
Description of changes:
Adjust the default label for filesystems using extended attributes to store SELinux labels from
any_ttolocal_t, partly for consistency with the rest of the policy, and partly because I'm more comfortable allowing a "no-op" relabel fromlocal_ttolocal_tthan allowing an actual label change.Split out filesystem relabel permissions into a separate permission set, so they can be granted independently from the systems management permissions.
Add a rule to allow containers to use filesystem mount options to "relabel" from
local_ttolocal_t. A filesystem relabeled with thecontext=option won't be subsequently relabeled bycontainerd.This can be useful in cases like #2556, where relabeling files isn't permitted by the SELinux policy, and in cases like #2656, where relabeling files may take an excessively long time.
Testing done:
Verified that
aws-k8s-1.24andaws-ecs-1can boot and run containers with no AVC denials.Confirmed that the EBS CSI driver could create
ext4andxfsvolumes where the context is specified as a mount option in the storage class, like this:Verified that other context options, such as
context=system_u:object_r:any_t:s0, are blocked by the SELinux policy.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.