label etcd data

Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Nov 16, 2024 · d4a2407 · d4a2407
1 parent 026a2c7
commit d4a2407
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 1 deletion.
diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go
@@ -40,6 +40,7 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/containers/image"
 	"github.com/siderolabs/talos/internal/pkg/environment"
 	"github.com/siderolabs/talos/internal/pkg/etcd"
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/argsbuilder"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/filetree"
@@ -93,6 +94,11 @@ func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error {
 		return err
 	}
 
+	// Relabel in case of upgrade from older version or SELinux being disabled and then enabled.
+	if err := selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel); err != nil {
+		return err
+	}
+
 	// Make sure etcd user can access files in the data directory.
 	if err := filetree.ChownRecursive(constants.EtcdDataPath, constants.EtcdUserID, constants.EtcdUserID); err != nil {
 		return err

diff --git a/internal/integration/api/selinux.go b/internal/integration/api/selinux.go
@@ -96,7 +96,9 @@ func (suite *SELinuxSuite) TestFileMountLabels() {
 
 	// Only running on controlplane
 	expectedLabelsControlPlane := map[string]string{
-		constants.EtcdPKIPath:                           constants.EtcdPKISELinuxLabel,
+		constants.EtcdPKIPath: constants.EtcdPKISELinuxLabel,
+		// Initially we give it system_u, but further files created by etcd are going to be client_u
+		constants.EtcdDataPath:                          ":object_r:etcd_data_t:s0",
 		constants.KubernetesAPIServerConfigDir:          constants.KubernetesAPIServerConfigDirSELinuxLabel,
 		constants.KubernetesAPIServerSecretsDir:         constants.KubernetesAPIServerSecretsDirSELinuxLabel,
 		constants.KubernetesControllerManagerSecretsDir: constants.KubernetesControllerManagerSecretsDirSELinuxLabel,

diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -25,6 +25,10 @@
 (allow etcd_pki_t tmpfs_t (filesystem (associate)))
 (allow etcd_t etcd_pki_t (fs_classes (ro)))
 
+(type etcd_data_t)
+(call protected_f (etcd_data_t))
+(allow etcd_t etcd_data_t (fs_classes (rw)))
+
 (type kube_apiserver_config_t)
 (call protected_f (kube_apiserver_config_t))
 (allow kube_apiserver_config_t tmpfs_t (filesystem (associate)))

diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -469,6 +469,9 @@ const (
 	// EtcdDataPath is the path where etcd stores its' data.
 	EtcdDataPath = "/var/lib/etcd"
 
+	// EtcdDataSELinuxLabel is the SELinux label for the etcd data directory.
+	EtcdDataSELinuxLabel = "system_u:object_r:etcd_data_t:s0"
+
 	// EtcdRecoverySnapshotPath is the path where etcd snapshot is uploaded for recovery.
 	EtcdRecoverySnapshotPath = "/var/lib/etcd.snapshot"