CoreOS and Udica SELinux policies

Greetings, I have a Fedora CoreOS server on bare metal, running a few privileged containers, for example one running lldpd.

I basically followed the doc which is all fine, running podman as root with the addition of --cap-add all and --net=host

I am revisiting this in the hope of reducing capabilities (--cap-add CAP_NET_RAW should be enough) and maybe also implementing some SELinux policies.

I checked Udica, which generates policies that work just fine in a dev environment; however, I am wondering how to deploy these in Fedora CoreOS.

Normally (on Fedora) one would run

semodule -i my_lldpd.cil /usr/share/udica/templates/base_container.cil

but it feels incorrect on CoreOS where things should be immutable.

Has anyone tried to use Udica-generated policies (or SELinux policies in general) on CoreOS?

(Also, I see a related issue with 45 comments. I only read the last one (…), which brings a solution: building an RPM to install the policies. But it feels a bit overkill for my use case.)

Cheers!

The RPM route is probably the safest option for this use case. We’ve had improvements around SELinux tooling but I’m not sure how far we’ve got yet.

Thanks! I’ve ended up going this route and writing a small RPM that runs semodule -i in a %post section. Also bundled is an nftables ruleset so that traffic can be marked as “internet” or “intranet” (or left unlabeled), which can be further allowed in the SELinux policy with
(allow process intranet_packet_t ( packet ( send recv )))

In the end the systemd service is written like this:

[Unit]
Description=MyApp
After=network-online.target
Wants=network-online.target

[Service]
TimeoutStartSec=0
ExecStartPre=-/bin/podman kill busybox1
ExecStartPre=-/bin/podman rm busybox1
ExecStartPre=nft -f /usr/share/mytest/secmark.nft
ExecStart=/bin/podman run --network=host --security-opt label=type:mytest.process --name busybox1 busybox nc -l -p 8080
Restart=always

[Install]
WantedBy=multi-user.target

internet_packet_t and intranet_packet_t are already part of Fedora selinux-policy.
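
For readers who want to see the shape of such a ruleset: the following is an added example, not the poster's actual /usr/share/mytest/secmark.nft. The table name, the set name and the address ranges treated as "intranet" are assumptions; the two packet types are the ones named in the post.

```nft
#!/usr/sbin/nft -f
# Constructed example of a secmark ruleset, not the file from the post.

# The unit runs "nft -f" on every (re)start, so make the load idempotent:
# declare the table (no-op if it exists), delete it, then define it again.
table inet mytest_secmark
delete table inet mytest_secmark

table inet mytest_secmark {
    # Named secmark objects map a label to an SELinux context.
    secmark intranet {
        "system_u:object_r:intranet_packet_t:s0"
    }
    secmark internet {
        "system_u:object_r:internet_packet_t:s0"
    }

    # Assumption: RFC 1918 ranges count as intranet; adjust to the site.
    set intranet4 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept    # loopback stays unlabeled
        # Label the first packet of a connection by its source address.
        ct state new ip saddr @intranet4 meta secmark set "intranet"
        ct state new ip saddr != @intranet4 meta secmark set "internet"
        # Store the label on the conntrack entry, restore it afterwards.
        ct state new ct secmark set meta secmark
        ct state established,related meta secmark set ct secmark
    }

    chain output {
        type filter hook output priority filter; policy accept;
        oif "lo" accept
        ct state new ip daddr @intranet4 meta secmark set "intranet"
        ct state new ip daddr != @intranet4 meta secmark set "internet"
        ct state new ct secmark set meta secmark
        ct state established,related meta secmark set ct secmark
    }
}
```

IPv6 traffic is not matched by these rules and therefore stays unlabeled. With the allow rule quoted above, the container type may send and receive only packets labeled intranet_packet_t unless further packet rules are added to the policy.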