From 9dee4e652c527071af10748825a00565c88d86e7 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Thu, 30 Nov 2023 11:26:10 +0100
Subject: [PATCH] kola: Enable SELinux as early as possible

We never really tested SELinux because we enabled it after boot while normally it would be permanently enabled even during (re)boot. We need to enable it via Ignition. Since this won't work with old releases due to policy problems, introduce a flag that the old scripts branches can pass.

Note: If tests differ between early and non-early enabling I would rather disable SELinux for those cases and add a comment if and under what future conditions it can be reenabled. The alternative would be to only make them run with the new early mode but this means we reduce test coverage for Stable which is not a good idea.
---
 cmd/kola/options.go       | 1 +
 kola/harness.go           | 2 ++
 kola/register/register.go | 2 +-
 platform/cluster.go       | 9 +++++++++
 platform/platform.go      | 1 +
 platform/util.go          | 2 +-
 6 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/cmd/kola/options.go b/cmd/kola/options.go
index e46be3e54..eba7fede8 100644
--- a/cmd/kola/options.go
+++ b/cmd/kola/options.go
@@ -81,6 +81,7 @@ func init() {
 	root.PersistentFlags().StringVarP(&kolaOffering, "offering", "", "basic", "Offering: "+strings.Join(kolaOfferings, ", "))
 	root.PersistentFlags().StringVarP(&kola.Options.Distribution, "distro", "b", "cl", "Distribution: "+strings.Join(kolaDistros, ", "))
 	root.PersistentFlags().IntVarP(&kola.TestParallelism, "parallel", "j", 1, "number of tests to run in parallel")
+	bv(&kola.LateSelinux, "late-selinux", false, "Enable SELinux only after bootup")
 	sv(&kola.TAPFile, "tapfile", "", "file to write TAP results to")
 	sv(&kola.Options.BaseName, "basename", "kola", "Cluster name prefix")
 	ss("debug-systemd-unit", []string{}, "full-unit-name.service to enable SYSTEMD_LOG_LEVEL=debug on. Specify multiple times for multiple units.")
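Review bot: The help string on the new `--late-selinux` flag does not say when a caller should use it; the commit message is the only place recording that it exists for older release branches whose policy cannot be enforced from Ignition. Because the flag quietly weakens what the suite covers (SELinux is off for the whole boot path), that belongs where `--help` shows it, e.g. `bv(&kola.LateSelinux, "late-selinux", false, "Enable SELinux only after bootup (legacy mode for old release branches whose policy cannot be enforced from Ignition; the boot path then runs without SELinux)")`. The enclosing `init()` continues outside the hunk.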
diff --git a/kola/harness.go b/kola/harness.go
index 09025c9b8..fb07113bb 100644
--- a/kola/harness.go
+++ b/kola/harness.go
@@ -79,6 +79,7 @@ var (
 	TestParallelism int //glue var to set test parallelism from main
 	TAPFile string // if not "", write TAP results here
 	TorcxManifestFile string // torcx manifest to expose to tests, if set
+	LateSelinux bool // delay the switching of SELinux to enforce mode
 	DevcontainerURL string // dev container to expose to tests, if set
 	DevcontainerBinhostURL string // dev container binhost URL to use in the devcontainer test
 	DevcontainerFile string // dev container path to expose to tests, if set
@@ -574,6 +575,7 @@ func runTest(h *harness.H, t *register.Test, pltfrm string, flight platform.Flig
 		SSHRetries: Options.SSHRetries,
 		SSHTimeout: Options.SSHTimeout,
 		DefaultUser: t.DefaultUser,
+		LateSelinux: LateSelinux,
 	}
 	c, err := flight.NewCluster(rconf)
 	if err != nil {
diff --git a/kola/register/register.go b/kola/register/register.go
index d792a4696..c0aa6d02f 100644
--- a/kola/register/register.go
+++ b/kola/register/register.go
@@ -30,7 +30,7 @@ const (
 	NoSSHKeyInUserData Flag = iota // don't inject SSH key into Ignition/cloud-config
 	NoSSHKeyInMetadata // don't add SSH key to platform metadata
 	NoEmergencyShellCheck // don't check console output for emergency shell invocation
-	NoEnableSelinux // don't enable selinux when starting or rebooting a machine
+	NoEnableSelinux // don't enable selinux
 	NoKernelPanicCheck // don't check console output for kernel panic
 	NoVerityCorruptionCheck // don't check console output for verity corruption
 	NoDisableUpdates // don't disable usage of the public update server
diff --git a/platform/cluster.go b/platform/cluster.go
index e7adfc67b..aedb3be78 100644
--- a/platform/cluster.go
+++ b/platform/cluster.go
@@ -191,6 +191,15 @@ func (bc *BaseCluster) RenderUserData(userdata *conf.UserData, ignitionVars map[
 		conf.CopyKeys(keys)
 	}
 
+	if !bc.rconf.NoEnableSelinux && !bc.rconf.LateSelinux {
+		conf.AddFile("/etc/flatcar/update.conf", "root", `SELINUX=enforcing
+SELINUXTYPE=mcs
+`, 0644)
+		// These files used to be deleted but empty files should work, too
+		conf.AddFile("/etc/audit/rules.d/80-selinux.rules", "root", ``, 0644)
+		conf.AddFile("/etc/audit/rules.d/99-default.rules", "root", ``, 0644)
+	}
+
 	// disable the public update server by default
 	if !bc.rconf.NoDisableUpdates {
 		conf.AddFile("/etc/flatcar/update.conf", "root", `SERVER=disabled
diff --git a/platform/platform.go b/platform/platform.go
index dd9c01e28..118c43444 100644
--- a/platform/platform.go
+++ b/platform/platform.go
@@ -182,6 +182,7 @@ type RuntimeConfig struct {
 	AllowFailedUnits bool // don't fail CheckMachine if a systemd unit has failed
 	SSHRetries int // see SSHRetries field in Options
 	SSHTimeout time.Duration // see SSHTimeout field in Options
+	LateSelinux bool // see LateSelinux field in Options
 
 	// DefaultUser is the user used for SSH connection, it will be created via Ignition when possible.
 	DefaultUser string
diff --git a/platform/util.go b/platform/util.go
index e9d2c5f87..a3a5fc551 100644
--- a/platform/util.go
+++ b/platform/util.go
@@ -129,7 +129,7 @@ func StartMachine(m Machine, j *Journal) error {
 	if err := CheckMachine(context.TODO(), m); err != nil {
 		return fmt.Errorf("machine %q failed basic checks: %v", m.ID(), err)
 	}
-	if !m.RuntimeConf().NoEnableSelinux {
+	if !m.RuntimeConf().NoEnableSelinux && m.RuntimeConf().LateSelinux {
 		if err := EnableSelinux(m); err != nil {
 			return fmt.Errorf("machine %q failed to enable selinux: %v", m.ID(), err)
 		}
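Review bot: The SELinux stanza on the first added `conf.AddFile` line is written to `/etc/flatcar/update.conf`, yet `SELINUX=`/`SELINUXTYPE=` are the keys of `/etc/selinux/config`, and three lines further down the unchanged `NoDisableUpdates` branch adds that very same path with `SERVER=disabled`, so in the default configuration two Ignition file entries target one path. How `conf.AddFile` resolves a duplicate is outside the hunk, but every outcome is bad: one entry wins and the machine either boots permissive or keeps the public update server reachable, or Ignition rejects the config and the test fails for an unrelated reason. The path should presumably be `conf.AddFile("/etc/selinux/config", "root", `SELINUX=enforcing`, leaving `update.conf` to the branch below. The comment on the two blanked audit rules files should also record what those rules broke under early enforcing and what a test depending on them should do instead, rather than "should work, too". `RenderUserData` starts and ends outside the hunk.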
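Review bot: In the early mode (`LateSelinux` false) nothing in `StartMachine` confirms the machine actually came up enforcing; the new condition only skips `EnableSelinux`, so a machine whose policy failed to load and booted permissive (the failure the commit message describes for old releases) would run the whole suite with SELinux effectively off and still pass, which is the blind spot this patch sets out to close. I would keep the late path as is and add an explicit post-boot verification in an `else` branch that runs `getenforce` over SSH and fails the machine unless it prints `Enforcing`. The `m.SSH` return shape below is assumed from how `EnableSelinux` is presumably implemented, and `strings` needs importing if `util.go` does not already. `StartMachine` starts and ends outside the hunk.
```go
	if !m.RuntimeConf().NoEnableSelinux {
		if m.RuntimeConf().LateSelinux {
			if err := EnableSelinux(m); err != nil {
				return fmt.Errorf("machine %q failed to enable selinux: %v", m.ID(), err)
			}
		} else {
			// Early mode: enforcing was requested via Ignition, so verify it took
			// effect instead of assuming the policy loaded during boot.
			out, stderr, err := m.SSH("getenforce")
			if err != nil || strings.TrimSpace(string(out)) != "Enforcing" {
				return fmt.Errorf("machine %q is not running SELinux in enforcing mode: %q %q %v", m.ID(), out, stderr, err)
			}
		}
	}
```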