Installing SELinux Policies - What is the best way?

I’m new to SELinux and it has caused some friction with the migration from CL.

What is the best way of injecting new SELinux policies into a FCOS VM?

Right now I’m declaring the policy changes in CIL format as additional files in FCCT and executing a post-boot/provisioning command to install with sudo semodule but is there a better way?

To expand on above I have found myself having to make SELinux policy changes to allow access to the docker socket so that I can run cadvisor, a prometheus exporter, providing it the ability to give me insight into running containers.

This has involved a bit of ignition such as below and then the execution post-boot of:
sudo semodule -i /etc/acme-corp/dockersock.cil

If anyone has a better way to get cadvisor running properly I’d be much obliged.

storage:
  files:
    # SELinux policies written in CIL format can simply be installed with the
    # semodule command.  We do this as part of post-boot processes.  Is there
    # an easier way?
    - path: /etc/acme-corp/dockersock.cil
      mode: 0644
      contents:
        inline: |
          (typeattributeset cil_gen_require docker_var_run_t)
          (typeattributeset cil_gen_require docker_t)
          (typeattributeset cil_gen_require svirt_lxc_net_t)
          (allow svirt_lxc_net_t docker_t (unix_stream_socket (connectto)))
          (allow svirt_lxc_net_t docker_var_run_t (sock_file (write)))

The above is very wide in scope. Here is an explanation of how to target policies to specific containers.

Persistently amending SELinux policies like this is to be avoided because FCOS upgrades that update the SELinux policies can result in various failure modes.

In terms of running processes that need to access the docker socket, such as cadvisor, it is probably preferable to run a privileged container instead of modifying the policies on the docker socket itself. If possible, run the privileged container outside of docker, e.g. via podman.

The best way to do modifications like this right now unfortunately is to bundle it inside an RPM scriptlet and pkglayer that RPM. That way rpm-ostree will automatically rebuild the policy on every update.

We need to work with the SELinux team to improve the UX on this (that’s https://github.com/coreos/fedora-coreos-tracker/issues/701).
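As an added example of the RPM approach described above (not code from this thread or from the FCOS project), here is a minimal spec that packages the CIL module from the question so that its scriptlet, rather than a post-boot command, loads it into the policy store. The package name dockersock-selinux, the module name dockersock and the Source0 layout are assumptions; the macros come from selinux-policy-devel and are the ones Fedora's SELinux packaging guidelines prescribe.

```spec
# Added example (not from the thread): package the dockersock CIL module so
# the %post scriptlet installs it into the targeted store and rpm-ostree
# re-runs that scriptlet, rebuilding the policy, on every upgrade.
# Package name, module name and Source0 path are assumptions.
%global selinuxtype targeted
%global modulename  dockersock

Name:           dockersock-selinux
Version:        1.0
Release:        1%{?dist}
Summary:        SELinux module allowing containers to connect to the docker socket
License:        MIT
BuildArch:      noarch
# Source0 is the plain CIL file from the question, placed next to this spec.
Source0:        %{modulename}.cil

BuildRequires:  selinux-policy-devel
Requires:       selinux-policy-%{selinuxtype}
# Expands to the Requires(post)/Requires(postun) the scriptlets below need.
%{?selinux_requires}

%description
Installs the dockersock CIL module into the targeted policy store. The
module is loaded at package install time and rebuilt whenever the base
policy changes, instead of being re-applied by a post-boot command.

%install
install -D -m 0644 %{SOURCE0} \
    %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.cil

%post
# -s selects the policy store. The macro runs "semodule -n -i" and then
# load_policy only when SELinux is enabled and that store is the active one,
# so it is safe both on a live host and inside an rpm-ostree compose.
%selinux_modules_install -s %{selinuxtype} \
    %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.cil

%postun
# $1 == 0 means the package is being erased, not upgraded: drop the module.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%files
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.cil
```

Build it on a Fedora build host or container that has rpm-build and selinux-policy-devel (rpmbuild -bb dockersock-selinux.spec), then layer the resulting noarch RPM onto the FCOS host with `sudo rpm-ostree install ./dockersock-selinux-1.0-1.noarch.rpm` (the exact file name depends on %{dist}) and reboot. After the reboot `sudo semodule -l | grep dockersock` should list the module. No relabel macros are used because the module only adds allow rules and defines no file contexts. One caveat worth knowing: the `cil_gen_require` lines make the module depend on docker_t, docker_var_run_t and svirt_lxc_net_t existing in the base policy, so if a policy update renames or removes one of them the module fails to compile and the upgrade surfaces that as an error rather than silently dropping the rules.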


That path is exercised in our CI. Here’s how it does it: https://github.com/coreos/rpm-ostree/blob/baf395e9edb0aa0788803de80f7411a0a619a04f/tests/common/libtest.sh#L274-L313