Any way to get selinux enabled in a provisioned node?

Ryan Snyder

Nov 22, 2021, 9:40:57 AM11/22/21
to Warewulf
Hi,
I am trying to enable SELinux for a couple of nodes I am working on for testing purposes. I've created a chroot of CentOS 8 with the SELinux packages and SELinux enabled in /etc/selinux/config, and I've also tried using the selinux boot option with Warewulf. The one issue I am having is that the filesystem has to be relabeled when I boot the node for SELinux to work, and the node has to reboot in order to make these changes to the filesystem (selinux-autorelabel). This of course doesn't help me when I am doing stateless provisioning. I was wondering if there is a well-known workaround for this. Will I have to provision to the local disk instead?

Thanks,
Ryan

Jason Stover

Nov 22, 2021, 10:07:16 AM11/22/21
to Warewulf
I have never run a system with SELinux enabled... but can you throw in an init.d/systemd script that does the relabeling on boot, early in the process?

Is that something that's feasible?

The docs (perldoc Warewulf::Provision) show you need a file at /etc/selinux/targeted/policy/policy.24 ... Does that exist in the VNFS?

-J

Ryan Snyder

Nov 22, 2021, 10:33:25 AM11/22/21
to Warewulf, jason....@gmail.com
Hi,

Thanks for getting back. I did check for the policy file in the directory you cited, but I have policy.31 instead of policy.24; not that I know if it makes a difference. I would try the first thing you suggested, but I have never done something like that before, so I'd have to do a little research on how I'd go about creating that script and having it run early in the provisioning process.

Ryan Novosielski

Nov 22, 2021, 1:15:05 PM11/22/21
to Warewulf, jason....@gmail.com
Typically I'd do this with a systemd override file, which would go in /etc/systemd/system/<whatever>.service as an ExecStartPre= line. But I'd have to think about what service makes sense. I suppose it could also be for one of the targets (similar to old-school "runlevels", provided those permit overrides in the same way; I have not tried it personally). In most cases, it's "service Y requires X first, so do it as an override to service Y," but it's less clear when it's such a systemic thing.

What mechanism triggers this when autorelabel happens on a reboot, as you described? If it's by a file in the filesystem, as I've seen before for other processes (just as a hypothetical, if it were triggered by /.autorelabel), or something like that, you could potentially make sure your VNFS has that file.


Ryan Snyder

Nov 22, 2021, 2:10:47 PM11/22/21
to Warewulf, Ryan Novosielski, jason....@gmail.com
So the system will look for the autorelabel file when SELinux is enabled/enforced during provisioning. The VNFS has this file, so it is able to find it. Unfortunately, the relabeling requires a reboot in order for the changes to be made, which in the case of a stateless provision doesn't help me. From what I read of SELinux, this relabeling is required if SELinux wasn't previously enabled, and the only way for the changes to occur is through a reboot.

This is what console looks like for further context:
[attached console photo: PXL_20211118_135625028.jpg]
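One way to sidestep the reboot entirely, added here as an example and not code from this thread or from Warewulf: label the chroot on the provisioning host before the VNFS is built, using the chroot's own policy, so the node boots with its labels already in place and /.autorelabel never fires. The script assumes a hypothetical WW_CHROOT variable naming the chroot, policycoreutils (setfiles) on the host, and a VNFS build that keeps the security.selinux xattrs (tmpfs on the booted node stores them without trouble); if labels are missing on the booted node, the image build is the stage stripping them. On the policy.24 question above: the suffix is the binary policy format version, so policy.31 rather than policy.24 is what a CentOS 8 chroot is expected to have.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from Warewulf.
# Label a CentOS 8 chroot on the provisioning host, before the VNFS is built,
# so a stateless node boots with correct SELinux labels and never needs the
# relabel-and-reboot cycle triggered by /.autorelabel.
# Assumptions (hypothetical, not from the thread): the chroot path arrives in
# WW_CHROOT; policycoreutils (setfiles) is installed on the host; the VNFS
# build preserves security.selinux xattrs, confirmed with "ls -Z" on a node.

# Print the file_contexts database for the policy type named by SELINUXTYPE=
# in $1/etc/selinux/config; fail if the config or the setting is missing.
file_contexts_path() {
    root=$1
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "file_contexts_path: no $cfg" >&2; return 1; }
    ptype=$(sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "file_contexts_path: SELINUXTYPE not set in $cfg" >&2; return 1; }
    echo "$root/etc/selinux/$ptype/contexts/files/file_contexts"
}

# Succeed only when $1/etc/selinux/config turns SELinux on (enforcing or permissive).
selinux_enabled_in() {
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1/etc/selinux/config" 2>/dev/null | tail -n 1)
    case "$mode" in
        enforcing|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Relabel the whole chroot in place. Every precondition is checked first so a
# half-labelled image is never produced.
relabel_chroot() {
    root=$1
    [ -d "$root" ] || { echo "relabel_chroot: $root is not a directory" >&2; return 1; }
    selinux_enabled_in "$root" || { echo "relabel_chroot: SELinux not enabled in $root/etc/selinux/config" >&2; return 1; }
    fc=$(file_contexts_path "$root") || return 1
    [ -r "$fc" ] || { echo "relabel_chroot: $fc missing (is selinux-policy-targeted installed in the chroot?)" >&2; return 1; }
    command -v setfiles >/dev/null 2>&1 || { echo "relabel_chroot: setfiles not found on the host" >&2; return 1; }
    # -r: treat $root as "/" when matching paths against file_contexts
    # -F: overwrite labels that are already present (stale host labels, for instance)
    setfiles -F -r "$root" "$fc" "$root" || return 1
    # The node must not trigger a relabel (and the reboot that follows) any more.
    rm -f "$root/.autorelabel"
}

# Spot-check that labels landed, without booting the node; -Z works on the
# chroot's files because the labels are ordinary xattrs on the host filesystem.
show_labels() {
    ls -Zd "$1/etc/shadow" "$1/usr/sbin/sshd" "$1/var/log" "$1/usr/lib/systemd/systemd"
}

if [ -n "${WW_CHROOT:-}" ]; then
    relabel_chroot "$WW_CHROOT" && show_labels "$WW_CHROOT"
fi
```

Run it as `WW_CHROOT=/var/chroots/centos8 sh relabel-chroot.sh` (path hypothetical) before rebuilding the VNFS, then boot a node and compare `ls -Z /etc/shadow` there with the same file in the chroot; if the node shows unlabeled_t where the chroot shows shadow_t, the image build is dropping xattrs and no amount of boot-time scripting will help.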
