SELinux Challenges #727
Comments
If you can post a doc snippet here that'd be useful: https://universal-blue.discourse.group/c/bluefin/6 Then I'll make it a wiki and tag it appropriately so it shows up in the documentation section. Are there any other things that we know of that don't work right?
cc @bketelsen for the incus issues.
Confirmed. I set SELinux to permissive to run incus.
Right now things that have rough edges:
When going down custom image route:
I have some time tomorrow and I'll draft something up. I'm sure there are more. In the linked issue and on discord I put a workaround for swtpm in that could possibly work for some of the other ones (but most definitely not incus).
I added the swtpm workaround method to the discourse. https://universal-blue.discourse.group/t/selinux-workarounds-for-binaries-with-the-wrong-label/342 For the others:
- Incus: Has no policies, needs someone to work with upstream to develop them.
- docker/Podman: This is nothing different from workstation.
- Waydroid/Greetd: The workaround for swtpm could possibly work for these. But hasn't been tested yet.
Using the following set of file contexts, I am able to run incus in enforcing mode.
This appears to work for containers and VMs. You will have to use the same socket workarounds as LXD.
Documentation on discourse updated. I guess the workaround can be expanded to anything that needs to have additional capabilities as seen in Bazzite's sunshine workaround. Incus now has policies (workaround needed but documented). LXD has workaround documented upstream as well. We probably still need an actual beginners guide to SELinux, but linking to something from fedora could possibly be sufficient.
Describe the bug
SELinux is installed and in enforcing mode by default. This is a good thing. However, due to the nature of OCI packaging, the build process labels binaries incorrectly. See ostreedev/ostree-rs-ext#510
Beyond things being labeled incorrectly, some software that is shipped with the -dx image does not work with SELinux in enforcing mode like Incus. Systemd-homed is also broken. Those are upstream issues and not in the purview of this project. However, I think we should make mention of things that SELinux currently breaks. Waydroid mentions this, but it seems to be missing in other places.
What did you expect to happen?
Documentation of SELinux limitations with bluefin, i.e. in certain work cases consider SELinux in permissive mode. Additionally, identify workarounds for single binaries having the wrong context. -dx mode is aimed at developers who are used to working around issues; however, we should be a bit more forthcoming about said issues that they can encounter.
Output of rpm-ostree status: No response
Extra information or context: No response
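The "single binary with the wrong context" check the issue asks to document (compare a file's on-disk SELinux type with the policy default, then either restorecon it or add a local fcontext rule), as an added example that is not code from the thread or from Bluefin's documentation. It assumes GNU stat and the policycoreutils tools; the paths and DESIRED_TYPE placeholder are the reader's to fill in.

```shell
#!/bin/sh
# Added example, not from the issue thread: report a binary whose on-disk
# SELinux type differs from what the loaded policy expects, and print the
# usual fix. Works on Fedora-family hosts with policycoreutils installed.
set -u

# Extract the type field from a full context such as user:role:type:level.
label_type() {
    # $1: security context string
    printf '%s\n' "$1" | cut -d: -f3
}

# Build the persistent fix for a path whose policy default is itself wrong
# (the case the thread's "file contexts" workaround covers). When the default
# is already right, restorecon alone is enough and no semanage rule is needed.
fcontext_cmd() {
    # $1: path, $2: desired type
    printf "semanage fcontext -a -t %s '%s' && restorecon -v '%s'" "$2" "$1" "$1"
}

# Compare the current label of $1 with the policy default. Returns 0 when they
# match, 1 when they differ, 2 when the SELinux tooling is not available.
check_label() {
    path=$1
    command -v matchpathcon >/dev/null 2>&1 || return 2
    current=$(label_type "$(stat -c %C "$path")")        # on-disk type
    expected=$(label_type "$(matchpathcon -n "$path")")  # policy default type
    if [ "$current" = "$expected" ]; then
        printf '%s: %s (ok)\n' "$path" "$current"
        return 0
    fi
    printf '%s: labelled %s, policy expects %s\n' "$path" "$current" "$expected"
    printf "  fix: restorecon -v '%s'\n" "$path"
    printf '  or, if %s is also wrong for it: %s\n' "$expected" "$(fcontext_cmd "$path" DESIRED_TYPE)"
    return 1
}

# Usage: ./label-check.sh /usr/bin/first /usr/bin/second ...
main() {
    rc=0
    for p in "$@"; do check_label "$p" || rc=$?; done
    return "$rc"
}
[ $# -gt 0 ] && main "$@"
```

Run it against the binaries a service refuses to start, then audit2allow any remaining denials separately; a label fix only helps when the denial comes from the file's type, not from a missing policy such as the Incus case above.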