diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
index 024735b08..9e825e7f7 100644
--- a/pkg-new/hostutils/initialize.go
+++ b/pkg-new/hostutils/initialize.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
@@ -39,6 +40,31 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 		}
 	}
 
+	h.logger.Debugln("checking for semanage binary in $PATH")
+	if _, err := exec.LookPath("semanage"); err != nil {
+		h.logger.Debugln("semanage not found in $PATH")
+	} else {
+		// Set selinux fcontext for embedded-cluster binary directory to bin_t
+		out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(/.*)?").CombinedOutput()
+		if err != nil {
+			h.logger.Debugf("unable to set contexts on binary directory: %v", err)
+			h.logger.Debugln(out)
+		}
+
+	}
+
+	h.logger.Debugln("checking for restorecon binary in $PATH")
+	if _, err := exec.LookPath("restorecon"); err != nil {
+		h.logger.Debugln("restorecon not found in $PATH")
+	} else {
+		// Relabel whole embedded-cluster data directory since it's created with unconfined_u
+		out, err := exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
+		if err != nil {
+			h.logger.Debugf("unable to run restorecon: %v", err)
+			h.logger.Debugln(out)
+		}
+	}
+
 	h.logger.Debugf("configuring sysctl")
 	if err := h.ConfigureSysctl(); err != nil {
 		h.logger.Debugf("unable to configure sysctl: %v", err)
diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml
index a3750c70b..1a3e99266 100644
--- a/pkg-new/preflights/host-preflight.yaml
+++ b/pkg-new/preflights/host-preflight.yaml
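Review bot: `h.logger.Debugln(out)` in both error branches of the ConfigureHost hunk logs `out` as a `[]byte`, so the captured semanage/restorecon output is printed as a list of byte values instead of text; use `h.logger.Debugln(string(out))` or fold it into the preceding Debugf call. Both failures are reported only at debug level and then ignored, while the new host preflight in the same commit fails hard on exactly these labels, so an operator would see the later preflight failure without its cause; logging at warn level with the command output included would make the relabel failure visible where it happens. `semanage fcontext -a` also returns an error when an equivalent rule is already defined, which is likely when ConfigureHost runs more than once on a host, so that case should be distinguished from a genuine failure (for example by treating an "already defined" result as success or using `-m` for the existing rule). `restorecon -RvF` over the whole `rc.EmbeddedClusterHomeDirectory()` combines `-v` with `CombinedOutput`, so every relabelled path is buffered in memory for a directory that can hold a large tree; dropping `-v` keeps the captured output bounded. ConfigureHost begins and ends outside the hunk.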
@@ -186,6 +186,40 @@ spec:
             else
               echo "Filesystem is not XFS (detected: $fstype). Skipping xfs_info."
             fi
+    - run:
+        collectorName: "selinux-labels"
+        command: "sh"
+        args:
+          - -c
+          - |
+            data_dir="{{ .DataDir }}"
+            bin_dir=$data_dir/bin
+            # only run our checks if getenforce is available
+            if ! $(command -v getenforce); then
+              echo "no selinux"
+              exit 0
+            fi
+            # check if selinux is in enforcing mode
+            selinux_status=$(getenforce | tr -d '\n')
+            if [ "$selinux_status" != "Enforcing" ]; then
+              echo "selinux not enforcing"
+              exit 0
+            fi
+            # check user label of data-dir
+            data_dir_user_label=$(secon --file $data_dir --user)
+            if [ ! "$data_dir_user_label" = "system_u" ]; then
+              echo "data_dir_user_label $data_dir_user_label"
+            fi
+            # check user label of bin dir
+            bin_dir_user_label=$(secon --file $bin_dir --user)
+            if [ ! "$bin_dir_user_label" = "system_u" ]; then
+              echo "bin_dir_user_label $bin_dir_user_label"
+            fi
+            # check type label of bin dir
+            bin_dir_type_label=$(secon --file $bin_dir --type)
+            if [ ! "$bin_dir_type_label" = "bin_t" ]; then
+              echo "bin_dir_type_label $bin_dir_type_label"
+            fi
   analyzers:
     - cpu:
         checkName: CPU
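Review bot: `if ! $(command -v getenforce); then` executes the result of the substitution instead of testing it: when getenforce is installed this runs `getenforce` itself and its output is written into the collector result file, and when it is missing the branch is only taken because a simple command with no words takes the exit status of its last substitution; the intended test is `if ! command -v getenforce >/dev/null 2>&1; then`. The `secon --file $data_dir --user` and `secon --file $bin_dir` calls pass the paths unquoted, so a data directory containing whitespace would be word-split; write them as `"$data_dir"` and `"$bin_dir"`. If `secon` is not installed, or this preflight runs before `{{ .DataDir }}` and its `bin` subdirectory exist (I cannot tell the ordering from this hunk), every label variable is empty and each comparison echoes its marker line, which the new analyzers on this file report as a failed label rather than as "label could not be determined"; guarding the checks with `command -v secon` and `[ -e "$data_dir" ]` would separate the two cases. The `collectors:` list this entry belongs to starts outside the hunk.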
@@ -1180,23 +1214,6 @@ spec:
           when: "connected"
           message: "Successful TCP connection to {{ $element }}."
           {{- end}}
-    - textAnalyze:
-        checkName: SELinux Mode
-        fileName: host-collectors/run-host/selinux-mode.txt
-        regexGroups: '(?PEnforcing|Permissive|Disabled|Missing)'
-        outcomes:
-          - fail:
-              when: "Mode == Enforcing"
-              message: SELinux must be disabled or run in permissive mode. To run SELinux in permissive mode, edit /etc/selinux/config, change the line 'SELINUX=enforcing' to 'SELINUX=permissive', save the file, and reboot. You can run getenforce to verify the change."
-          - pass:
-              when: "Mode == Permissive"
-              message: SELinux is running in permissive mode.
-          - pass:
-              when: "Mode == Disabled"
-              message: SELinux is disabled.
-          - pass:
-              when: "Mode == Missing"
-              message: SELinux is not installed.
     - textAnalyze:
         checkName: Data Directory Permissions
         fileName: host-collectors/run-host/check-data-dir-permissions.txt
@@ -1219,3 +1236,36 @@ spec:
           - pass:
               when: "false"
               message: "The filesystem at {{ .DataDir }} is either not XFS or is XFS with ftype=1."
+    - textAnalyze:
+        checkName: "Selinux data-dir user label"
+        fileName: host-collectors/run-host/selinux-labels.txt
+        regex: "data_dir_user_label"
+        outcomes:
+          - fail:
+              when: "true"
+              message: >-
+                The selinux user context label for {{ .DataDir }} is incorrect. try running: sudo restorecon -RvF {{ .DataDir }}
+          - pass:
+              when: "false"
+    - textAnalyze:
+        checkName: "Selinux bin dir user label"
+        fileName: host-collectors/run-host/selinux-labels.txt
+        regex: "bin_dir_user_label"
+        outcomes:
+          - fail:
+              when: "true"
+              message: >-
+                The selinux user context label for {{ .DataDir }}/bin is incorrect. Try running: sudo restorecon -RvF {{ .DataDir }}
+          - pass:
+              when: "false"
+    - textAnalyze:
+        checkName: "Selinux bin dir type label"
+        fileName: host-collectors/run-host/selinux-labels.txt
+        regex: "bin_dir_type_label"
+        outcomes:
+          - fail:
+              when: "true"
+              message: >-
+                The selinux type context label for the embedded cluster binary directory are incorrect. Try running: sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?" && sudo restorecon -RvF {{ .DataDir }}
+          - pass:
+              when: "false"
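Review bot: The three new `pass` outcomes (`when: "false"`) carry no `message`, unlike the XFS analyzer's pass outcome shown as context at the top of the hunk, so a passing SELinux check renders with an empty result text; add one per analyzer, for example `message: "The SELinux user label on {{ .DataDir }} is system_u."`. The fail messages are inconsistent with each other: the first uses lowercase `try running:` where the other two use `Try running:`, the third reads `label ... are incorrect` where `is incorrect` is meant, and the check names spell `Selinux` while the removed analyzer and the messages use `SELinux`. The third remediation recommends `semanage fcontext -a`, which errors out when a rule for `{{ .DataDir }}/bin(/.*)?` already exists with a different type; noting that `semanage fcontext -m` replaces an existing rule would keep the operator from a dead end in that case. Each analyzer matches only on the bare marker substring (`data_dir_user_label` and so on), which is fine as long as nothing else writes to `selinux-labels.txt`, but worth anchoring with `^` if the collector ever emits additional lines. The `analyzers:` list starts outside the hunk.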