Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Build Fedora templates with SELinux enabled from the start #7988

Closed
marmarek opened this issue Jan 16, 2023 · 1 comment
Closed

Build Fedora templates with SELinux enabled from the start #7988

marmarek opened this issue Jan 16, 2023 · 1 comment
Assignees
@DemiMarie
Labels
C: Fedora P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. release notes This issue should be mentioned in the release notes. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Milestone
Release 4.2

Comments

@marmarek
Copy link
Member

How to file a helpful issue

The problem you're addressing (if any)

Currently Fedora templates have SELinux disabled, which diverges from upstream. SELinux support has been implemented as part of #4239 but it still needs to be installed manually (and then relabeling root fs takes significant amount of time).

The solution you'd like

Ship template with SELinux labels set, and SELinux enabled by default (with unconfined default user - same as upstream).

This requires:

  1. Advertise SELinux support via standard feature-advertisement API, similar to how AppArmor is handled (Advertise apparmor support qubes-core-agent-linux#246, although it isn't exactly service here, IMO it's more consistent to treat it as such, especially as we have "apparmor" service already).
  2. Enable SELinux by default if template supports it (again similar how it's done for AppArmor)
  3. Add relabeling to the template build process (builder-rpm repo). Probably should be guarded with some template "option", so it's possible to build template without selinux too (template for R4.1 won't have it, and maybe minimal templates shouldn't have it too?). And also advertise SELinux support in template.conf (that will be first actual use of this file, so builder-rpm doesn't know about it yet - see here for hints where to place it), so it can be detected before starting the template for the first time. See documentation about template.conf
  4. Extend qvm-template-postprocess to mark selinux as supported (and have it enabled, before starting the template for the first time) if template package advertise its support in template.conf.

The value to a user, and who that user might be

Template by default more consistent with upstream features. No need for slow relabeling when enabling SELinux manually.
@marmarek marmarek added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. release notes This issue should be mentioned in the release notes. C: Fedora P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Jan 16, 2023
@marmarek marmarek added this to the Release 4.2 milestone Jan 16, 2023
@andrewdavidwong andrewdavidwong changed the title Built Fedora templates with SELinux enabled from start Build Fedora templates with SELinux enabled from the start Jan 16, 2023
marmarek added a commit to marmarek/qubes-builderv2 that referenced this issue Feb 11, 2023
@marmarek
Allow builder plugin to dynamically generate template.conf
2ead913 
Export a TEMPLATE_CONF variable with expected location for the
template.conf. Builder plugin can create it dynamically in the
04_install_qubes.sh step. If it doesn't - old logic is used.

QubesOS/qubes-issues#7988
@marmarek marmarek mentioned this issue Feb 11, 2023
Merged
marmarek added a commit to marmarek/qubes-linux-template-builder that referenced this issue Feb 11, 2023
@marmarek
Allow builder plugin to dynamically generate template.conf
3981a3e 
Export a TEMPLATE_CONF variable with expected location for the
template.conf. Builder plugin can create it dynamically in the
04_install_qubes.sh step. If it doesn't - old logic is used.

QubesOS/qubes-issues#7988
This was referenced Feb 11, 2023
Merged
Merged
marmarek added a commit to marmarek/qubes-builderv2 that referenced this issue Feb 11, 2023
@marmarek
Allow builder plugin to dynamically generate template.conf
657b627 
Export a TEMPLATE_CONF variable with expected location for the
template.conf. Builder plugin can create it dynamically in the
04_install_qubes.sh step. If it doesn't - old logic is used.

QubesOS/qubes-issues#7988
marmarek added a commit to QubesOS/qubes-builder that referenced this issue Feb 26, 2023
@marmarek
Fix parsing template options with empty flavor
4e4c15d 
This is relevant for example with 'selinux' template option, but with
default flavor: "fc37++selinux" should be parsed as "fc37" dist, empty
flavor and "selinux" option. Previously it was parsed as "selinux"
flavor, which doesn't exist. Use 'read -a' bash builtin instead of
string replace to construct array, without collapsing repeated
delimiters.

Related to QubesOS/qubes-issues#7988
marmarek added a commit to QubesOS/qubes-builderv2 that referenced this issue Feb 26, 2023
@marmarek
example-configs: enable selinux on default Fedora template
1ff3ebd 
QubesOS/qubes-issues#7988
marmarek added a commit to QubesOS/qubes-builder that referenced this issue Feb 26, 2023
@marmarek
example-configs: enable selinux in default Fedora template on R4.2
3b0d445 
QubesOS/qubes-issues#7988
marmarek added a commit to QubesOS/qubes-release-configs that referenced this issue Feb 26, 2023
@marmarek
R4.2: enable selinux on default Fedora templates
4acfff3 
QubesOS/qubes-issues#7988
@marmarek
Copy link
Member Author

All done and enabled in default builder config.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DemiMarie DemiMarie

Labels
C: Fedora P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. release notes This issue should be mentioned in the release notes. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Milestone
Release 4.2
Development

No branches or pull requests
2 participants
@marmarek @DemiMarie