Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refined SELinux policy #935

Merged
merged 2 commits into from
Sep 13, 2024
Merged

Refined SELinux policy #935

merged 2 commits into from
Sep 13, 2024

Conversation

engelmi
Copy link
Member

@engelmi engelmi commented Sep 7, 2024
edited
Loading

Relates to: #883

When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added.

The integration tests in multi-host mode could verify that these new rules work as expected and cover all functions of BlueChi. However, at the moment we'd need to merge this PR so we can use the rpms from COPR for it (see #884).

Updated the readthedocs page in order to show how to add new allow rules for restricted units like httpd.service:

image

@coveralls
Copy link

coveralls commented Sep 7, 2024
edited
Loading

Coverage Status

coverage: 85.312% (+0.1%) from 85.196%
when pulling a175616 on engelmi:selinux-experiments
into 096a42d on eclipse-bluechi:main.

@engelmi engelmi marked this pull request as ready for review September 9, 2024 14:47
@engelmi
Copy link
Member Author

engelmi commented Sep 9, 2024

@rhatdan @alexlarsson @dougsland PTAL
Verified manually that this works, but not sure if I covered all BlueChi features - running the integration tests in multihost mode would reveal any missing privileges (can only be triggered after merging, though. See #884 )

dougsland
dougsland approved these changes Sep 9, 2024
View reviewed changes
Copy link
Contributor

@dougsland dougsland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small request if possible but LGTM, as always, would be nice to have @rhatdan bless when selinux is involved.

@engelmi
Copy link
Member Author

engelmi commented Sep 11, 2024

/packit test

@engelmi
Refined SELinux policy
7731781 
Relates to: eclipse-bluechi#883

When enforcing the SELinux policy of BlueChi, the calls from
bluechi-agent to systemd are blocked. The missing privileges
of bluechi_agent_t (source context) on the systemd types (e.g.
systemd_unit_file_t) and init type have been added.

Signed-off-by: Michael Engel <[email protected]>
@engelmi
Updated readthedocs for SELinux policy
a175616 
Signed-off-by: Michael Engel <[email protected]>
mwperina
mwperina approved these changes Sep 13, 2024
View reviewed changes
Copy link
Member

@mwperina mwperina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@engelmi
Copy link
Member Author

engelmi commented Sep 13, 2024

Lets merge this and run some multihost tests to verify nothing broke.

@engelmi engelmi merged commit d54adc0 into eclipse-bluechi:main Sep 13, 2024
22 checks passed
@engelmi engelmi mentioned this pull request Sep 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dougsland dougsland dougsland approved these changes

@mwperina mwperina mwperina approved these changes

@alexlarsson alexlarsson Awaiting requested review from alexlarsson alexlarsson is a code owner

@mkemel mkemel Awaiting requested review from mkemel mkemel is a code owner

@rhatdan rhatdan Awaiting requested review from rhatdan rhatdan is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@engelmi @coveralls @dougsland @mwperina