SELinux settings get overwritten after reboot #2571

Open
JensVD opened this Issue Mar 26, 2019 · 2 comments

JensVD commented Mar 26, 2019

Issue Report

Bug

Container Linux Version

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=2051.2.0
VERSION_ID=2051.2.0
BUILD_ID=2019-03-11-0556
PRETTY_NAME="Container Linux by CoreOS 2051.2.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

Environment

Swarm cluster of 2 - 10 instances running on VMware

Expected Behavior

After executing all steps on 'https://coreos.com/os/docs/latest/selinux.html' and doing a reboot we expect that these changes are persistent. Meaning that the removed files aren't placed back in the '/etc/audit/rules.d/' directory.

Actual Behavior

All steps are followed, no issues. After reboot everything is back to its default configuration; removed files are back in the '/etc/audit/rules.d/' directory.

Reproduction Steps

  1. Follow the steps on 'https://coreos.com/os/docs/latest/selinux.html'
  2. Reboot the CoreOS instance
  3. Check the files in the '/etc/audit/rules.d/' directory

Other Information

Did some research on my own and saw that these rules files are linked from the read-only filesystem '/usr/share'. I suppose this is what is done during boot (https://github.com/coreos/coreos-overlay/blob/master/sys-process/audit/files/audit-rules.tmpfiles) but there should be a way to overwrite this.

Member

dm0- commented Mar 26, 2019

Run sudo ln -s /dev/null /etc/tmpfiles.d/audit-rules.conf to disable it.

Author

JensVD commented Mar 27, 2019

This does indeed make it persistent, thank you!
Is this documented anywhere?
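
The following check is an added example, not part of the thread or of Container Linux. It verifies after a reboot that the mask from dm0-'s comment is in effect and that no audit rule symlinks into '/usr/share' have reappeared. It assumes the vendor fragment sits in /usr/lib/tmpfiles.d and relies on the precedence rule from tmpfiles.d(5); the function names, the ROOT parameter and the scratch tree are hypothetical.

```shell
#!/bin/sh
# Added example: post-reboot check for the fix discussed in this issue.
# ROOT is a hypothetical parameter so the check can run on a scratch tree.

# Which fragment would systemd-tmpfiles use for NAME? Precedence per
# tmpfiles.d(5): /etc, then /run, then /usr/lib; same file name wins.
tmpfiles_state() {
    root=$1 name=$2
    for dir in etc run usr/lib; do
        f="$root/$dir/tmpfiles.d/$name"
        if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
            echo masked; return 0
        elif [ -e "$f" ]; then
            if [ "$dir" = usr/lib ]; then echo vendor; else echo "override:$dir"; fi
            return 0
        fi
    done
    echo absent
}

# Rule files in /etc/audit/rules.d that are symlinks into /usr/share,
# i.e. the links the issue reports coming back at boot.
vendor_rule_links() {
    root=$1
    for f in "$root"/etc/audit/rules.d/*; do
        [ -L "$f" ] || continue
        case $(readlink "$f") in
            /usr/share/*) basename "$f" ;;
        esac
    done
}

# Succeeds only if the fragment is masked and no vendor links are present.
audit_persistence_check() {
    root=${1:-}
    state=$(tmpfiles_state "$root" audit-rules.conf)
    links=$(vendor_rule_links "$root")
    echo "audit-rules.conf: $state"
    [ -z "$links" ] || echo "vendor rule links:" $links
    [ "$state" = masked ] && [ -z "$links" ]
}

# Constructed scratch tree: vendor fragment, mask in place, one local rule file.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib/tmpfiles.d" "$demo/etc/tmpfiles.d" "$demo/etc/audit/rules.d"
echo '# constructed vendor fragment' > "$demo/usr/lib/tmpfiles.d/audit-rules.conf"
ln -s /dev/null "$demo/etc/tmpfiles.d/audit-rules.conf"
echo '# constructed local rule' > "$demo/etc/audit/rules.d/50-local.rules"
audit_persistence_check "$demo"
rm -rf "$demo"
```

Calling `audit_persistence_check` with no argument inspects the live system; a non-zero exit status means the vendor fragment is still active or vendor rule links are back.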
