Ensure SELinux relabelling can be disabled in configfile

Signed-off-by: David Cassany <dcassany@suse.com>
rancher · May 14, 2024 · b5baeee · b5baeee
1 parent 7686d12
commit b5baeee
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 11 deletions.
diff --git a/cmd/config/config.go b/cmd/config/config.go
@@ -253,7 +253,7 @@ func ReadInitSpec(r *types.RunConfig, flags *pflag.FlagSet) (*types.InitSpec, er
 }
 
 func ReadMountSpec(r *types.RunConfig, flags *pflag.FlagSet) (*types.MountSpec, error) {
-	mount := config.NewMountSpec()
+	mount := config.NewMountSpec(r.Config)
 
 	vp := viper.Sub("mount")
 	if vp == nil {

diff --git a/cmd/config/config_test.go b/cmd/config/config_test.go
@@ -513,34 +513,50 @@ var _ = Describe("Config", Label("config"), func() {
 				ghwTest.AddDisk(mainDisk)
 				ghwTest.CreateDevices()
 
+				// This will enable SELinux relabelling unless stated the contrary in config file
 				Expect(utils.MkdirAll(fs, "/sys/kernel/security", constants.DirPerm)).To(Succeed())
 				Expect(fs.WriteFile("/sys/kernel/security/lsm", []byte("selinux"), constants.FilePerm)).To(Succeed())
 			})
 
 			AfterEach(func() {
 				ghwTest.Clean()
 			})
-
 			It("inits a mount spec according to given configs", func() {
-				err := os.Setenv("ELEMENTAL_MOUNT_SYSROOT", "/newroot")
+				// Read a config disabling SELinuxRelabel
+				viper.Reset()
+				cfg, err = ReadConfigRun("fixtures/simple", nil, mounter)
+				Expect(err).Should(BeNil())
+
+				cfg.Fs = fs
+				cfg.Runner = runner
+				cfg.Logger = logger
+				cfg.Mounter = mounter
+				cfg.Syscall = syscall
+				cfg.Client = client
+				cfg.CloudInitRunner = cloudInit
+
+				_ = os.Setenv("ELEMENTAL_MOUNT_SYSROOT", "/newroot")
 				spec, err := ReadMountSpec(cfg, nil)
 				Expect(err).ShouldNot(HaveOccurred())
 				Expect(spec.Mode).To(Equal("active"))
 				Expect(spec.Sysroot).To(Equal("/newroot"))
+				Expect(spec.SelinuxRelabel).To(BeFalse())
 			})
 			It("picks kernel cmdline first then env-vars", func() {
-				err := os.Setenv("ELEMENTAL_MOUNT_IMAGE", "passive")
+				_ = os.Setenv("ELEMENTAL_MOUNT_IMAGE", "passive")
 				spec, err := ReadMountSpec(cfg, nil)
 				Expect(err).ShouldNot(HaveOccurred())
 				// Set by kernel cmdline
 				Expect(spec.Mode).To(Equal("active"))
+				Expect(spec.SelinuxRelabel).To(BeTrue())
 			})
 			It("picks kernel cmdline first then env-vars", func() {
-				err := os.Setenv("OVERLAY", "UUID=1234")
+				_ = os.Setenv("OVERLAY", "UUID=1234")
 				spec, err := ReadMountSpec(cfg, nil)
 				Expect(err).ShouldNot(HaveOccurred())
 				Expect(spec.Ephemeral.Type).To(Equal("tmpfs"))
 				Expect(spec.Ephemeral.Size).To(Equal("30%"))
+				Expect(spec.SelinuxRelabel).To(BeTrue())
 			})
 		})
 	})

diff --git a/cmd/config/fixtures/simple/config.yaml b/cmd/config/fixtures/simple/config.yaml
@@ -17,4 +17,7 @@ snapshotter:
   max-snaps: 7
   config:
     fs: xfs
-    size: 2000
+    size: 2000
+
+mount:
+  selinux-relabel: false
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -33,8 +33,9 @@ import (
 )
 
 const (
-	partSuffix  = ".part"
-	mountSuffix = ".mount"
+	partSuffix     = ".part"
+	mountSuffix    = ".mount"
+	kernelSecurity = "/sys/kernel/security/lsm"
 )
 
 type GenericOptions func(a *types.Config) error
@@ -215,10 +216,21 @@ func NewInitSpec() *types.InitSpec {
 	}
 }
 
-func NewMountSpec() *types.MountSpec {
+func NewMountSpec(cfg types.Config) *types.MountSpec {
+	var selinuxRelabel bool
+
+	lsm, err := cfg.Fs.ReadFile(kernelSecurity)
+	if err != nil {
+		cfg.Logger.Warnf("error reading %s: %s", kernelSecurity, err.Error())
+	}
+	if strings.Contains(string(lsm), "selinux") {
+		selinuxRelabel = true
+	}
+
 	return &types.MountSpec{
-		Sysroot:    "/sysroot",
-		WriteFstab: true,
+		Sysroot:        "/sysroot",
+		WriteFstab:     true,
+		SelinuxRelabel: selinuxRelabel,
 		Volumes: []*types.VolumeMount{
 			{
 				Mountpoint: constants.OEMPath,