-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
opt out of SELinux module compilation #223
Comments
I would be okay to make this completely optional, but I am also curious about your opinion on whether this can be completely removed from the role (and maybe moved to a doc item?). WDYT @tsabirgaliev @major @noonedeadpunk ? |
Side note, to not run this part of the role, you only need to define this in your variables: |
@evrardjp yep, that works, found it yesterday, just didn't yet have time to mention it here. |
@evrardjp I think a good compromise would be having to enable each selinux tweak explicitly and documenting it in readme. In other words, making selinux explicily opt-in feature. |
Another argument for making selinux optional is that haproxy rules are already not compiled by default. I completely can relate to efforts to make selinux easier to end-users, but unfortunately this made it harder for ansible-unsavvy me to figure out how to opt out :) Also I recognize there is no 'right' place to put cross-package concerns like keepalived+haproxy, so I think this role is a good place to host them keeping them optional. |
@tsabirgaliev , well, interestingly enough, other contributors are in need of this coordination for HA. I am okay to move from opt-out to opt-in. @major if you have some time to spare, it would be great to know (if you remember) why we made this opt-out in the first place. I can't remember myself. |
Well, my first thought there was also, that we can drop selinux and it can be managed externaly. But then I realized, that I have no idea when mentioned selinux rules will be installed on any CentOS Stream or things like Rocky Linux. As of today I don't see such changes for CentOS packaging [1]. Also, all rules are being installed in 100 folder, while we're using 400, so it's highly unlikely to overlap (being dropped with selinux-policy package update). What we can do indeed, is to create variable, like ansible-keepalived/tasks/main.yml Line 31 in ebbeac6
|
For me, the way to override the variable doesn't matter much, what matters is that we define what's the good way forward: Should this part of the code be removed, opt-in, or opt-out? That's why I would like the advice of @major :) |
This was a long long time ago, but I remember adding the extra SELinux rules there because the upstream package was missing some rules that we needed. If those fixes are now available in the regular Perhaps the logic could be something like this:
|
Thanks @major ! Not really sure what I assume this means that I will eventually use https://docs.ansible.com/ansible/latest/collections/ansible/posix/seboolean_module.html , but outside that, it's not clear yet. |
So SELinux booleans are basically switches for SELinux where you can turn a feature off or on, or allow something to happen on the system without SELinux getting in the way. For example:
This allows you to toggle a boolean on and off that allows Samba to share content in users' home directories. Someone wrote the policy such that it can be turned on or off easily with a boolean. No knowledge of writing SELinux policy is required. These booleans (and the associated SELinux policy) didn't exist before for keepalived. If they exist now, then we don't need the custom policies compiled any longer and you can just flip those booleans on or off. 😉 |
So you meant that some keepalived selinux booleans could exist now, and an investigation has to be made to leverage them. Thanks @major ! |
From a quick glance, it doesn't look like there are any new booleans in there for keepalived right now: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/keepalived.te#L8-L14 |
Wow thanks for that link. I think it helps me take a decision. From what I can see in that policy, the second part of the current opt-out list of policies to compile seems taken care of (See https://github.com/evrardjp/ansible-keepalived/blob/eb1bc4dbcd52602a3337cc7fd7aa1fb85d57495a/files/keepalived_setpgid.te vs https://github.com/fedora-selinux/selinux-policy/blob/f105dbd547a8f2f63d3695edbe4eb2062d4251c6/policy/modules/contrib/keepalived.te#L41 ). The first one of that list is just a convenience. So unless I am really wrong (as I don't understand anything I am doing there!), let's make this opt-in and remove the setpgid one. Thanks everyone involved. |
@evrardjp Yep, that is the same link I attached to the original post :) And the updated rules also allow keepalived to open ICMP sockets, I'm not sure if this transitively allows to execute ping, but anyway, keepalived is allowed to execute any script residing in /usr/libexec/keepalived/. So IMO the best advice for RHEL-fork users would be to update selinux-policy package and follow RHEL best practices for keepalived
|
Just to repeat what I already said - these rules are part of Fedora only and they do not exist even for CentOS 9 Stream, so imo - you still should be careful with that. Also isn't RHEL technically fork of Fedora? So if you're using bleeding edge, it doesn't really mean that systems designed for production usage should struggle because of that. But it's completely different topic:) |
@noonedeadpunk what specific rule you don't have on CentOS? In the issue description I use sesearch on CentOS 8 Stream to demonstrate that the relevant rules are there. For example, setpgid is there: [root@localhost ~]# sesearch -A -s keepalived_t -t keepalived_t -p setpgid
allow keepalived_t keepalived_t:process { fork getcap getpgid getsched setpgid setsched sigchld sigkill signal signull sigstop }; BTW, probably you are looking the wrong place for package updates. The package you need is this one: https://centos.pkgs.org/8-stream/centos-baseos-x86_64/selinux-policy-3.14.3-105.el8.noarch.rpm.html And that package changelog includes the latest change to https://github.com/fedora-selinux/selinux-policy/commits/rawhide/policy/modules/contrib/keepalived.te:
Rocky Linux 8, which actually lags behind RHEL8 also includes the latest changes from fedora-selinux/selinux-policy https://rockylinux.pkgs.org/8/rockylinux-baseos-x86_64/selinux-policy-3.14.3-95.el8_6.1.noarch.rpm.html While I agree that this is not generally the rule, the selinux-policy package is somewhat an exception that it runs very close to the upstream package and the changes are quickly backported to RHEL and all the other forks |
@noonedeadpunk I'm sorry, I was wrong about this one. The latest change included in RHEL is this one:
|
Ah, ok then, I haven't checked content today, so it's good that it has been backported and now available almost everywhere |
It matches what I have seen on my side. |
We need a way to opt out of SELinux module additions, because recent versions of
selinux-policy
package come with relevant fixes and booleans and may eventually supersede all the selinux tweaks in the role. See [0].The most robust way (that I know of) to detect for presence of relevant selinux permissions requires installing
setools-console
package and usingsesearch
:A good though indirect way to detect is to check for a minimal
selinux-policy
package version:[0] https://github.com/fedora-selinux/selinux-policy/commits/rawhide/policy/modules/contrib/keepalived.te
The text was updated successfully, but these errors were encountered: