siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

SELinux validity checks #9635

Open dsseng opened 2 weeks ago

dsseng commented 2 weeks ago

### Tasks
- [ ] Figure out which binaries can be run by init and udev, add necessary SELinux rules - _Originally posted by @frezbo in https://github.com/siderolabs/talos/pull/9617#discussion_r1825640385_
- [ ] label static pods
- [ ] Ensure netlink is secured
- [ ] label libraries
- [ ] only enable on new installs unless otherwise supported
- [ ] relabel and update flow (enable SELinux if AppArmor is not enabled, relabel existing volumes)
- [ ] Have some policy similar to `setsebool secure_mode_policyload on`

frezbo commented 2 weeks ago

I guess we need to also label files coming from extensions :thinking:

dsseng commented 2 weeks ago

yes, that should probably take place when we build with extensions. Let's sort that out later