siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

feat: machined: initial SELinux bring-up #9617

Closed dsseng closed 3 weeks ago

dsseng commented 3 weeks ago

Part of: #9127

Label executables and processes, build, load and manage SELinux policy, enable audit support.

Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.

TODO: label static pods

Signed-off-by: Dmitry Sharshakov dmitry.sharshakov@siderolabs.com

dsseng commented 3 weeks ago

; audit(1730388431.799:429):
;  scontext="system_u:system_r:sys_containerd_t:s0" tcontext="system_u:object_r:init_exec_t:s0"
;  class="file" perms="execute"
;  comm="runc:[2:INIT]" exe="" path=""
;  message="[    4.376219] audit: type=1400 audit(1730388431.799:429): avc:
;   denied  { execute } for  pid=1948 comm="runc:[2:INIT]" name="dashboard"
;   dev="loop0" ino=503 scontext=system_u:system_r:sys_containerd_t:s0
;   tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1 "
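The AVC record above is the raw form a defender works from when deciding whether a denial is a missing policy rule or a real problem. The following parser is an added example and is not code from the Talos project or from this PR: it splits a kernel AVC line into its security contexts, permissions and key=value fields, reports whether the access was actually blocked (permissive=1 means it was only logged), and prints the rule audit2allow-style tooling would propose. The sample input is the message from the comment above re-joined onto one line; the enforcing-mode variant is constructed for contrast, and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Kernel AVC message from the PR comment above, re-joined onto a single line
# (the line breaks in the comment are display wrapping, not part of the record).
SAMPLE_AVC = (
    "[    4.376219] audit: type=1400 audit(1730388431.799:429): avc:  denied  { execute } "
    'for  pid=1948 comm="runc:[2:INIT]" name="dashboard" dev="loop0" ino=503 '
    "scontext=system_u:system_r:sys_containerd_t:s0 "
    "tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1"
)

# Constructed variant: the same denial as it would be logged with enforcing mode on.
SAMPLE_AVC_ENFORCING = SAMPLE_AVC.replace("permissive=1", "permissive=0")


@dataclass(frozen=True)
class SecurityContext:
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, raw: str) -> "SecurityContext":
        # user:role:type[:level]; an MLS level may itself contain ':', so split at most 3 times.
        parts = raw.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"malformed security context: {raw!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str                  # "denied" or "granted"
    permissions: tuple
    scontext: SecurityContext
    tcontext: SecurityContext
    tclass: str
    permissive: bool
    fields: dict                 # remaining key=value pairs (pid, comm, name, dev, ino, ...)

    @property
    def enforced(self) -> bool:
        # permissive=1 means the kernel logged the access but let it through;
        # only a denial with permissive=0 actually stopped the operation.
        return self.result == "denied" and not self.permissive


_HEAD_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*(?P<result>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> AvcRecord:
    """Parse one kernel AVC line (dmesg or audit.log type=1400) into an AvcRecord."""
    m = _HEAD_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {}
    for key, value in _KV_RE.findall(m.group("rest")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    try:
        scontext = SecurityContext.parse(fields.pop("scontext"))
        tcontext = SecurityContext.parse(fields.pop("tcontext"))
        tclass = fields.pop("tclass")
    except KeyError as e:
        raise ValueError(f"AVC record missing {e.args[0]}") from None
    permissive = fields.pop("permissive", "0") == "1"
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        permissions=tuple(m.group("perms").split()),
        scontext=scontext,
        tcontext=tcontext,
        tclass=tclass,
        permissive=permissive,
        fields=fields,
    )


def summarize(rec: AvcRecord) -> str:
    """One-line triage string: source type, permission, target type:class, and real effect."""
    if rec.enforced:
        mode = "blocked"
    elif rec.permissive:
        mode = "logged only (permissive)"
    else:
        mode = rec.result
    return (f"{rec.scontext.type} -> {' '.join(rec.permissions)} on "
            f"{rec.tcontext.type}:{rec.tclass} [{mode}]")


def allow_rule(rec: AvcRecord) -> str:
    """The TE allow rule that would silence this denial (audit2allow style, always braced).
    It is a starting point for review, not something to apply unread."""
    return f"allow {rec.scontext.type} {rec.tcontext.type}:{rec.tclass} {{ {' '.join(rec.permissions)} }};"


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_AVC_ENFORCING):
        rec = parse_avc(line)
        print(summarize(rec))
        print("  ", allow_rule(rec))
```

Running the block prints the triage line for both samples; only the constructed permissive=0 variant reports the access as blocked, which is the distinction to check first when reading denials from a system that, like this bring-up, is still running permissive.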
smira commented 3 weeks ago
dsseng commented 3 weeks ago

/m