kola: Enable SELinux as early as possible
We never really tested SELinux because we enabled it after boot while
normally it would be permanently enabled even during (re)boot.
We need to enable it via Ignition. Since this won't work with old
releases due to policy problems, introduce a flag that the old scripts
branches can pass.
Note: If tests differ between early and non-early enabling, I would
rather disable SELinux for those cases and add a comment on whether and under
what future conditions it can be re-enabled. The alternative would be to
only make them run with the new early mode, but this would reduce test
coverage for Stable, which is not a good idea.
pothos committed Dec 20, 2023
1 parent ccdd746 commit 9dee4e6
Showing 6 changed files with 15 additions and 2 deletions.
1 change: 1 addition & 0 deletions cmd/kola/options.go
Expand Up @@ -81,6 +81,7 @@ func init() {
root.PersistentFlags().StringVarP(&kolaOffering, "offering", "", "basic", "Offering: "+strings.Join(kolaOfferings, ", "))
root.PersistentFlags().StringVarP(&kola.Options.Distribution, "distro", "b", "cl", "Distribution: "+strings.Join(kolaDistros, ", "))
root.PersistentFlags().IntVarP(&kola.TestParallelism, "parallel", "j", 1, "number of tests to run in parallel")
bv(&kola.LateSelinux, "late-selinux", false, "Enable SELinux only after bootup")
sv(&kola.TAPFile, "tapfile", "", "file to write TAP results to")
sv(&kola.Options.BaseName, "basename", "kola", "Cluster name prefix")
ss("debug-systemd-unit", []string{}, "full-unit-name.service to enable SYSTEMD_LOG_LEVEL=debug on. Specify multiple times for multiple units.")
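Review bot: The help string on the new `late-selinux` flag says only when SELinux gets enabled, not why anyone would choose the non-default, and the flag text is what an operator sees rather than the commit message, which explains that the mode exists for older release branches whose policy does not support enabling via Ignition. Suggest `bv(&kola.LateSelinux, "late-selinux", false, "Enable SELinux only after bootup instead of via Ignition (for older releases whose policy does not support early enabling)")`. The enclosing init() continues outside the hunk.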
2 changes: 2 additions & 0 deletions kola/harness.go
Expand Up @@ -79,6 +79,7 @@ var (
TestParallelism int //glue var to set test parallelism from main
TAPFile string // if not "", write TAP results here
TorcxManifestFile string // torcx manifest to expose to tests, if set
LateSelinux bool // delay the switching of SELinux to enforce mode
DevcontainerURL string // dev container to expose to tests, if set
DevcontainerBinhostURL string // dev container binhost URL to use in the devcontainer test
DevcontainerFile string // dev container path to expose to tests, if set
Expand Down Expand Up @@ -574,6 +575,7 @@ func runTest(h *harness.H, t *register.Test, pltfrm string, flight platform.Flig
SSHRetries: Options.SSHRetries,
SSHTimeout: Options.SSHTimeout,
DefaultUser: t.DefaultUser,
LateSelinux: LateSelinux,
}
c, err := flight.NewCluster(rconf)
if err != nil {
2 changes: 1 addition & 1 deletion kola/register/register.go
Expand Up @@ -30,7 +30,7 @@ const (
NoSSHKeyInUserData Flag = iota // don't inject SSH key into Ignition/cloud-config
NoSSHKeyInMetadata // don't add SSH key to platform metadata
NoEmergencyShellCheck // don't check console output for emergency shell invocation
NoEnableSelinux // don't enable selinux when starting or rebooting a machine
NoEnableSelinux // don't enable selinux
NoKernelPanicCheck // don't check console output for kernel panic
NoVerityCorruptionCheck // don't check console output for verity corruption
NoDisableUpdates // don't disable usage of the public update server
9 changes: 9 additions & 0 deletions platform/cluster.go
Expand Up @@ -191,6 +191,15 @@ func (bc *BaseCluster) RenderUserData(userdata *conf.UserData, ignitionVars map[
conf.CopyKeys(keys)
}

if !bc.rconf.NoEnableSelinux && !bc.rconf.LateSelinux {
conf.AddFile("/etc/flatcar/update.conf", "root", `SELINUX=enforcing
SELINUXTYPE=mcs
`, 0644)
// These files used to be deleted but empty files should work, too
conf.AddFile("/etc/audit/rules.d/80-selinux.rules", "root", ``, 0644)
conf.AddFile("/etc/audit/rules.d/99-default.rules", "root", ``, 0644)
}

// disable the public update server by default
if !bc.rconf.NoDisableUpdates {
conf.AddFile("/etc/flatcar/update.conf", "root", `SERVER=disabled
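Review bot: The first added `conf.AddFile` writes `/etc/flatcar/update.conf`, and the unchanged block a few lines below writes the same path again with `SERVER=disabled` whenever NoDisableUpdates is unset, so with both defaults the same file is added to the user data twice with different contents; whether the second entry overwrites, merges with, or is rejected together with the first depends on `conf.AddFile` and the Ignition version in use, neither of which is visible here. The keys `SELINUX=` / `SELINUXTYPE=` are the SELinux config-file format, which conventionally lives at `/etc/selinux/config`, so unless update.conf is deliberately shared this looks like a copied path: `conf.AddFile("/etc/selinux/config", "root", ...)`. Either way, a boot-time check that the machine is actually enforcing would catch a silently dropped entry, which is precisely the gap the commit message describes. RenderUserData continues outside the hunk.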
1 change: 1 addition & 0 deletions platform/platform.go
Expand Up @@ -182,6 +182,7 @@ type RuntimeConfig struct {
AllowFailedUnits bool // don't fail CheckMachine if a systemd unit has failed
SSHRetries int // see SSHRetries field in Options
SSHTimeout time.Duration // see SSHTimeout field in Options
LateSelinux bool // see LateSelinux field in Options

// DefaultUser is the user used for SSH connection, it will be created via Ignition when possible.
DefaultUser string
2 changes: 1 addition & 1 deletion platform/util.go
Expand Up @@ -129,7 +129,7 @@ func StartMachine(m Machine, j *Journal) error {
if err := CheckMachine(context.TODO(), m); err != nil {
return fmt.Errorf("machine %q failed basic checks: %v", m.ID(), err)
}
if !m.RuntimeConf().NoEnableSelinux {
if !m.RuntimeConf().NoEnableSelinux && m.RuntimeConf().LateSelinux {
if err := EnableSelinux(m); err != nil {
return fmt.Errorf("machine %q failed to enable selinux: %v", m.ID(), err)
}
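Review bot: With the new default (early) mode the changed condition makes StartMachine skip all SELinux handling, so nothing verifies that the Ignition-written config actually produced an enforcing system; a policy load failure at boot would leave the machine permissive and every test would still pass, which is the same silent gap the commit sets out to close. Consider handling the `!NoEnableSelinux && !LateSelinux` case here too, by asserting enforcement — run `getenforce` on the machine and return an error unless it reports `Enforcing` — or folding that assertion into CheckMachine; EnableSelinux is not visible in the hunk, so if it already performs such a check for the late path, reusing it keeps both modes consistent. The enclosing StartMachine continues outside the hunk.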
