Update SELinux docs (#2075)
frelon committed May 10, 2024
1 parent 6c301f2 commit 3fd2046
Showing 1 changed file with 1 addition and 5 deletions.
6 changes: 1 addition & 5 deletions docs/content/en/docs/Customizing/selinux_support.md
Expand Up @@ -15,11 +15,7 @@ Elemental includes basic support for SELinux. From an elemental perspective SELi
* the installed system includes the targeted files context (`/etc/selinux/targeted/contexts/files/file_contexts` file)
* the binary for `targeted` policy is also present (`/etc/selinux/targeted/policy/policy.*` file)

In an Elemental workflow SElinux context labels should be applied at install/upgrade time for the readonly areas, but this is not enough as it doesn't cover the ephemeral filesystems (overlayfs on top of tmpfs), which are usually sensitive paths like `/etc/`, `/var`, `/srv`, etc. In order to properly apply file contexts over the ephemeral paths the relabelling has to happen at boot time once those overlayfs are created. The appropriate stage for that is in initrd before switching root. In fact, it can be done as a cloud-init step as part of the `initramfs` stage, using the packaged `10_selinux.yaml` with:

{{<githubembed repo="rancher/elemental-toolkit" file="pkg/features/embedded/cloud-config-defaults/system/oem/10_selinux.yaml" lang="yaml">}}

Note it is required to load the policy in advance to be capable to apply the `restorecon` command. The `restorecon` command should be applied to all ephemeral paths and, depending on the specific use case, to the persistent paths too. Note that without restoring context on the ephemeral `/etc` it is unlikely the system is capable of properly booting, hence this is a very important step if SELinux is intended to used.
In an Elemental workflow SElinux context labels should be applied at install/upgrade time for the readonly areas, but this is not enough as it doesn't cover the ephemeral filesystems (overlayfs on top of tmpfs), which are usually sensitive paths like `/etc/`, `/var`, `/srv`, etc. In order to properly apply file contexts over the ephemeral paths the relabelling has to happen at boot time once those overlayfs are created. During boot the `elemental mount` command will try to relabel the files in ephemeral and persistent storage if it can find the correct policy and setfiles utility in the mounted system.

## Using custom SELinux modules

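Review bot: the replacement paragraph (the single added line) drops the caveat from the removed text that a system whose ephemeral `/etc` is not relabelled is unlikely to boot, and it does not say what `elemental mount` does when it cannot find the policy or the `setfiles` utility (skip relabelling, log a warning, or fail the mount). Suggest keeping the boot caveat and stating the fallback behaviour explicitly, so readers know that a missing policy or `setfiles` means an unlabelled ephemeral `/etc` and how to check for it. Also, for consistency with the `## Using custom SELinux modules` heading, "SElinux" in the new line should read "SELinux".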