RedHatInsights / yggdrasil

GNU General Public License v3.0

Add distributed SELinux policy #239

Open subpop opened 3 months ago

subpop commented 3 months ago

Add a build option to enable building and installing an SELinux policy.

Card ID: CCT-461

jirihnidek commented 3 months ago

Very good idea... I created a local build with packit and tried to start yggdrasil.service. yggd wasn't able to access the tags file:

----
time->Mon Jul 15 14:23:05 2024
type=AVC msg=audit(1721046185.083:625): avc:  denied  { watch } for  pid=53159 comm="yggd" path="/etc/yggdrasil/tags.toml" dev="dm-0" ino=3462982 scontext=system_u:system_r:yggd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1

subpop commented 3 months ago

I added files_watch_etc_files(yggd_t) to allow watching files in /etc.

jirihnidek commented 3 months ago

I can confirm that it works as expected on Fedora, but it seems that there are some issues on RHEL8-based distros. The Packit build fails there with the following error:

[3/6] /builddir/build/BUILD/yggdrasil-0.4.1/selinux/semodule_package.sh selinux/yggdrasil.pp ../selinux/yggdrasil.te selinux/yggdrasil.fc
FAILED: selinux/yggdrasil.pp 
/builddir/build/BUILD/yggdrasil-0.4.1/selinux/semodule_package.sh selinux/yggdrasil.pp ../selinux/yggdrasil.te selinux/yggdrasil.fc
++ mktemp -d selinux-build-XXXXXX
+ TMP=selinux-build-1CeGaY
+ output=selinux/yggdrasil.pp
+ shift
+ cp -- ../selinux/yggdrasil.te selinux/yggdrasil.fc selinux-build-1CeGaY/
++ basename selinux/yggdrasil.pp
+ make -C selinux-build-1CeGaY -f /usr/share/selinux/devel/Makefile yggdrasil.pp
make: Entering directory '/builddir/build/BUILD/yggdrasil-0.4.1/x86_64-redhat-linux-gnu/selinux-build-1CeGaY'
Compiling targeted yggdrasil module
yggdrasil.te:27:ERROR 'syntax error' at token 'files_watch_etc_files' on line 3822:
files_watch_etc_files(yggd_t)

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/yggdrasil.mod] Error 1
make: Leaving directory '/builddir/build/BUILD/yggdrasil-0.4.1/x86_64-redhat-linux-gnu/selinux-build-1CeGaY'

It seems that this macro (files_watch_etc_files) was added three years ago https://github.com/fedora-selinux/selinux-policy/blame/59351919636a0a57263aaab433698da4314b9e2a/policy/modules/kernel/files.if#L4409 and it is not available on RHEL8.

Do we actually need to test the main branch of yggdrasil for rhel8?
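
The build failure above comes from calling an interface macro that the target distro's policy headers do not define. As an added example (not code from the PR or from the yggdrasil project), the following preflight check scans a .te file for the interface calls it makes and verifies that each one is declared in the installed refpolicy headers (on the build host that is /usr/share/selinux/devel/include, where every interface appears as `interface(\`name',` in a .if file), so a missing macro such as files_watch_etc_files is reported before checkmodule runs. The function name, its arguments and the keyword exclusion list are my own assumptions.

```shell
#!/bin/sh
# Added example, not yggdrasil's own code.
# Usage: check_te_interfaces <devel-include-dir> <policy.te>
# Prints "missing interface: NAME" for every interface the .te file calls that is
# not declared in the headers under <devel-include-dir>; returns 1 if any is missing.
check_te_interfaces() {
    inc_dir=$1
    te_file=$2
    missing=0
    # An interface call is a line of the form "files_watch_etc_files(yggd_t)".
    # Drop the refpolicy/m4 keywords that also look like calls (assumed list).
    calls=$(sed -n 's/^[[:space:]]*\([a-z][a-z0-9_]*\)(.*$/\1/p' "$te_file" \
            | grep -v -E '^(policy_module|gen_require|optional_policy|require|ifdef|ifndef|tunable_policy)$' \
            | sort -u)
    for name in $calls; do
        # Headers declare interfaces as interface(`name', and templates as template(`name',
        if ! grep -rqs -e "^interface(\`$name'" -e "^template(\`$name'" "$inc_dir"; then
            echo "missing interface: $name"
            missing=1
        fi
    done
    return $missing
}
```

Run it as `check_te_interfaces /usr/share/selinux/devel/include selinux/yggdrasil.te` on the RHEL8 build host to see which calls the older policy lacks.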

subpop commented 3 months ago

I haven't considered how far back in compatibility we want to go yet, but not supporting EL8 is very likely.

jirihnidek commented 3 months ago

@subpop Is it still a draft? Or do you need a final review and a review from the selinux team?