Set EC2 cirrus-agent SELinux context to unconfined

Long ago, many test failures and other problems were experienced in Cirrus-CI managed google-cloud VMs. None of the problems were reproducible manually. It was discovered that because the cirrus agent starts from a metadata-downloaded script, it was executing with a more restrictive SELinux type. This is not the case when running tests manually, where root sshs in. It's been observed recently, a similar situation may be occurring in EC2. However, in this case, the agent is started by cloud-init, and was observed operating with the type `cloud_init_t`. In case this is the source of trouble now or in the future, fix the setup to match GCP. Signed-off-by: Chris Evich <[email protected]>
containers · Aug 4, 2022 · c6cfe6c · c6cfe6c
1 parent 5798c72
commit c6cfe6c
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/base_images/fedora_base-setup.sh b/base_images/fedora_base-setup.sh
@@ -75,15 +75,20 @@ if ! ((CONTAINER)); then
     # service must be labeled properly to ensure it's child processes can
     # run with the proper contexts.
     METADATA_SERVICE_CTX=unconfined_u:unconfined_r:unconfined_t:s0
-    if [[ ! "$PACKER_BUILD_NAME" =~ "aws" ]]; then  # GCP Image
+    if [[ "$PACKER_BUILD_NAME" =~ "aws" ]]; then
+        echo "Setting AWS startup service (for Cirrus-CI agent) SELinux unconfined"
+        # AWS relies on cloud-init to run a user-data startup script.  Manual
+        # observation showed this happens in the cloud-final service.
+        METADATA_SERVICE_PATH=cloud-final.service
+    else  # GCP Image
         echo "Setting GCP startup service (for Cirrus-CI agent) SELinux unconfined"
         # ref: https://cloud.google.com/compute/docs/startupscript
         METADATA_SERVICE_PATH=systemd/system/google-startup-scripts.service
-        echo "$sourcemsg" | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
-        sed -r -e \
-            "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
-            /lib/$METADATA_SERVICE_PATH | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
     fi
+    echo "$sourcemsg" | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
+    sed -r -e \
+        "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
+        /lib/$METADATA_SERVICE_PATH | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
 fi
 
 if [[ "$OS_RELEASE_ID" == "fedora" ]] && ((OS_RELEASE_VER>=33)); then