From 9cca82ca77f5f27aa513351c9a84f19e083c9c72 Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Mon, 30 Jun 2025 13:38:38 +0100
Subject: [PATCH 1/8] run restorecon after materialising files
---
 pkg-new/hostutils/initialize.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
index 024735b08..60f64b8fb 100644
--- a/pkg-new/hostutils/initialize.go
+++ b/pkg-new/hostutils/initialize.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "os"
+ "os/exec"
 "path/filepath"
 
 "github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
@@ -39,6 +40,17 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 }
 }
 
+ h.logger.Debugln("checking for restorecon binary in $PATH")
+ if _, err := exec.LookPath("restorecon"); err != nil {
+ h.logger.Debugln("restorecon not found")
+ } else {
+ out, err := exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
+ if err != nil {
+ h.logger.Debugf("unable to run restorecon: %v", err)
+ h.logger.Debugln(out)
+ }
+ }
+
 h.logger.Debugf("configuring sysctl")
 if err := h.ConfigureSysctl(); err != nil {
 h.logger.Debugf("unable to configure sysctl: %v", err)
From c182dce557088e15f4d39576a0e4d9d9acdd9356 Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Mon, 30 Jun 2025 14:03:18 +0100
Subject: [PATCH 2/8] don't care about selinux enforcing
---
 pkg-new/preflights/host-preflight.yaml | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml
index a3750c70b..e96696ca6 100644
--- a/pkg-new/preflights/host-preflight.yaml
+++ b/pkg-new/preflights/host-preflight.yaml
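Review bot: `h.logger.Debugln(out)` hands the raw `[]byte` returned by CombinedOutput to a fmt-style logger, which renders it as a list of byte values rather than restorecon's text; use `h.logger.Debugln(string(out))`. The same pattern is carried into patches 3/8 and 8/8 for both the semanage and the restorecon calls, so it is worth fixing once here. ConfigureHost already receives `ctx` but the new code uses `exec.Command`; `exec.CommandContext(ctx, "restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory())` would let cancellation stop a long recursive relabel, and this applies to every exec call added later in the series as well. ConfigureHost begins and ends outside this hunk.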
@@ -1180,23 +1180,6 @@ spec:
 when: "connected"
 message: "Successful TCP connection to {{ $element }}."
 {{- end}}
- - textAnalyze:
- checkName: SELinux Mode
- fileName: host-collectors/run-host/selinux-mode.txt
- regexGroups: '(?PEnforcing|Permissive|Disabled|Missing)'
- outcomes:
- - fail:
- when: "Mode == Enforcing"
- message: SELinux must be disabled or run in permissive mode. To run SELinux in permissive mode, edit /etc/selinux/config, change the line 'SELINUX=enforcing' to 'SELINUX=permissive', save the file, and reboot. You can run getenforce to verify the change."
- - pass:
- when: "Mode == Permissive"
- message: SELinux is running in permissive mode.
- - pass:
- when: "Mode == Disabled"
- message: SELinux is disabled.
- - pass:
- when: "Mode == Missing"
- message: SELinux is not installed.
 - textAnalyze:
 checkName: Data Directory Permissions
 fileName: host-collectors/run-host/check-data-dir-permissions.txt
From 0cd59ae7e23c50700c67aed7cdb08b0a99a34081 Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Mon, 30 Jun 2025 14:21:58 +0100
Subject: [PATCH 3/8] set specific bin_t context on bins dir
---
 pkg-new/hostutils/initialize.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
index 60f64b8fb..5f704ff96 100644
--- a/pkg-new/hostutils/initialize.go
+++ b/pkg-new/hostutils/initialize.go
@@ -40,11 +40,20 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 }
 }
 
- h.logger.Debugln("checking for restorecon binary in $PATH")
- if _, err := exec.LookPath("restorecon"); err != nil {
- h.logger.Debugln("restorecon not found")
+ h.logger.Debugln("checking for semanage binary in $PATH")
+ if _, err := exec.LookPath("semanage"); err != nil {
+ h.logger.Debugln("semanage not found")
 } else {
- out, err := exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
+
+ // Set selinux fcontext for embedded-cluster binary directory to bin_t
+ out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(.*)?").CombinedOutput()
+ if err != nil {
+ h.logger.Debugf("unable to set contexts on binary directory: %v", err)
+ h.logger.Debugln(out)
+ }
+
+ // Relabel whole embedded-cluster data directory since it's created with unconfined_u
+ out, err = exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
 if err != nil {
 h.logger.Debugf("unable to run restorecon: %v", err)
 h.logger.Debugln(out)
From bbbd686a394319b2f78af3095856d9b5d86af1c7 Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Mon, 30 Jun 2025 14:22:56 +0100
Subject: [PATCH 4/8] path
---
 pkg-new/hostutils/initialize.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
index 5f704ff96..ab637267f 100644
--- a/pkg-new/hostutils/initialize.go
+++ b/pkg-new/hostutils/initialize.go
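Review bot: `semanage fcontext -a` is not idempotent: when a spec for the same path is already registered (a re-run of ConfigureHost on the same host, an upgrade, a reinstall) semanage exits non-zero with an "already defined" error, and the new code only debug-logs that and moves on. If best-effort is the intent, treat that case as success — probe with `semanage fcontext -l` first, or fall back to `-m` when `-a` fails; otherwise log at Warn level, because a mislabelled bins directory on an enforcing host is exactly the failure the preflight added later in this series is meant to surface. The spec pattern on the same line is corrected in patches 4/8 and 5/8, so this point is about the call, not the regex. ConfigureHost begins and ends outside this hunk.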
@@ -46,7 +46,7 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 } else {
 
 // Set selinux fcontext for embedded-cluster binary directory to bin_t
- out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(.*)?").CombinedOutput()
+ out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"/(.*)?").CombinedOutput()
 if err != nil {
 h.logger.Debugf("unable to set contexts on binary directory: %v", err)
 h.logger.Debugln(out)
From 7eace5f4037380d136f3cbaf0641fde069cc2f54 Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Mon, 30 Jun 2025 14:42:10 +0100
Subject: [PATCH 5/8] Correct match group
---
 pkg-new/hostutils/initialize.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
index ab637267f..14a9115bf 100644
--- a/pkg-new/hostutils/initialize.go
+++ b/pkg-new/hostutils/initialize.go
@@ -46,7 +46,7 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 } else {
 
 // Set selinux fcontext for embedded-cluster binary directory to bin_t
- out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"/(.*)?").CombinedOutput()
+ out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(/.*)?").CombinedOutput()
 if err != nil {
 h.logger.Debugf("unable to set contexts on binary directory: %v", err)
 h.logger.Debugln(out)
From f10bebcae1e2491564d16b100f5a89928afb1f4e Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Thu, 3 Jul 2025 11:20:36 +0100
Subject: [PATCH 6/8] add selinux preflight
---
 pkg-new/preflights/host-preflight.yaml | 70 ++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
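Review bot: In patch 5/8 the bins directory is spliced into the fcontext spec unescaped, `rc.EmbeddedClusterBinsSubDir()+"(/.*)?"`, and semanage interprets the whole spec as a regular expression, so any metacharacter in the path (a `.` in a directory name is the common case) widens what the rule matches. If the data directory is user-configurable — it appears to be, given the `{{ .DataDir }}` templating elsewhere in this series — escape it with `regexp.QuoteMeta(rc.EmbeddedClusterBinsSubDir()) + "(/.*)?"`, which needs `regexp` added to the import block shown in patch 1/8. The `(/.*)?` group itself is the correct shape and fixes the over-broad `(.*)?` / `/(.*)?` of the two preceding patches. ConfigureHost begins and ends outside this hunk.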
diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml
index e96696ca6..54ab157cf 100644
--- a/pkg-new/preflights/host-preflight.yaml
+++ b/pkg-new/preflights/host-preflight.yaml
@@ -186,6 +186,40 @@ spec:
 else
 echo "Filesystem is not XFS (detected: $fstype). Skipping xfs_info."
 fi
+ - run:
+ collectorName: "selinux-labels"
+ command: "sh"
+ args:
+ - -c
+ - |
+ data_dir="{{ .DataDir }}"
+ bin_dir=$data_dir/bin
+ # only run our checks if getenforce is available
+ if ! $(command -v getenforce); then
+ echo "no selinux"
+ exit 0
+ fi
+ # check if selinux is in enforcing mode
+ selinux_status=$(getenforce | tr -d '\n')
+ if [ "$selinux_status" != "Enforcing" ]; then
+ echo "selinux not enforcing"
+ exit 0
+ fi
+ # check user label of data-dir
+ data_dir_user_label=$(secon --file $data_dir --user)
+ if [ ! "$data_dir_user_label" = "system_u" ]; then
+ echo "data_dir_user_label $data_dir_user_label"
+ fi
+ # check user label of bin dir
+ bin_dir_user_label=$(secon --file $bin_dir --user)
+ if [ ! "$bin_dir_user_label" = "system_u" ]; then
+ echo "bin_dir_user_label $bin_dir_user_label"
+ fi
+ # check type label of bin dir
+ bin_dir_type_label=$(secon --file $bin_dir --type)
+ if [ ! "$bin_dir_type_label" = "bin_t" ]; then
+ echo "bin_dir_type_label $bin_dir_type_label"
+ fi
 analyzers:
 - cpu:
 checkName: CPU
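Review bot: `if ! $(command -v getenforce); then` executes the output of `command -v` as the command, so when getenforce is installed the guard runs getenforce itself and throws away its result, and when it is absent `!` is applied to an empty command whose outcome depends on the shell; the intended test is `if ! command -v getenforce >/dev/null 2>&1; then`. The three `secon` invocations have no such guard, and on some distributions `secon` is packaged separately from `getenforce`, so on an enforcing host without it every `$(secon …)` expands to empty and all three label checks report a mismatch — gate them with a `command -v secon` check that exits 0 (or prints a distinct marker) when it is missing. `$data_dir` and `$bin_dir` are also unquoted in the `secon --file` arguments; `"$data_dir"` and `"$bin_dir"` keep a path with spaces intact.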
@@ -1202,3 +1236,39 @@ spec:
 - pass:
 when: "false"
 message: "The filesystem at {{ .DataDir }} is either not XFS or is XFS with ftype=1."
+ - textAnalyze:
+ checkName: "Selinux data-dir user label"
+ fileName: host-collectors/run-host/selinux-labels.txt
+ regex: "data_dir_user_label"
+ outcomes:
+ - fail:
+ when: "true"
+ message: |
+ The selinux user context label for {{ .DataDir }} is incorrect.
+ try running: sudo restorecon -RvF {{ .DataDir }}
+ - pass:
+ when: "false"
+ - textAnalyze:
+ checkName: "Selinux bin dir user label"
+ fileName: host-collectors/run-host/selinux-labels.txt
+ regex: "bin_dir_user_label"
+ outcomes:
+ - fail:
+ when: "true"
+ message: |
+ The selinux user context label for {{ .DataDir }}/bin is incorrect.
+ Try running: sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?" && sudo restorecon -RvF {{ .DataDir }}
+ - pass:
+ when: "false"
+ - textAnalyze:
+ checkName: "Selinux bin dir type label"
+ fileName: host-collectors/run-host/selinux-labels.txt
+ regex: "bin_dir_type_label"
+ outcomes:
+ - fail:
+ when: "true"
+ message: |
+ The selinux type context label for the embedded cluster binary directory are incorrect.
+ Try running: sudo restorecon -RvF {{ .DataDir }}
+ - pass:
+ when: "false"
From d805f9533f7be291afba7ce6ff6996d56e8226d8 Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Thu, 3 Jul 2025 11:35:00 +0100
Subject: [PATCH 7/8] message formatting
---
 pkg-new/preflights/host-preflight.yaml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml
index 54ab157cf..1a3e99266 100644
--- a/pkg-new/preflights/host-preflight.yaml
+++ b/pkg-new/preflights/host-preflight.yaml
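Review bot: Each fail outcome matches only the marker word (`regex: "data_dir_user_label"` and its two siblings), so the report cannot tell the operator which label was actually found, even though the collector prints it immediately after the marker. A capture such as `regexGroups: 'data_dir_user_label (?P<Label>\S+)'` would let the message state the observed value next to the expected `system_u` (or `bin_t`), the same mechanism the SELinux Mode analyzer removed in patch 2/8 relied on for its `when` expressions; confirm the message template can reference the group before adopting it. The remediation text for the bin-dir user label currently suggests a `semanage … -t bin_t` rule although that check is about the user field, and the type-label message omits the semanage step — patch 7/8 swaps those, so only the capture point is new here.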
@@ -1243,9 +1243,8 @@ spec:
 outcomes:
 - fail:
 when: "true"
- message: |
- The selinux user context label for {{ .DataDir }} is incorrect.
- try running: sudo restorecon -RvF {{ .DataDir }}
+ message: >-
+ The selinux user context label for {{ .DataDir }} is incorrect. try running: sudo restorecon -RvF {{ .DataDir }}
 - pass:
 when: "false"
 - textAnalyze:
@@ -1255,9 +1254,8 @@ spec:
 outcomes:
 - fail:
 when: "true"
- message: |
- The selinux user context label for {{ .DataDir }}/bin is incorrect.
- Try running: sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?" && sudo restorecon -RvF {{ .DataDir }}
+ message: >-
+ The selinux user context label for {{ .DataDir }}/bin is incorrect. Try running: sudo restorecon -RvF {{ .DataDir }}
 - pass:
 when: "false"
 - textAnalyze:
@@ -1267,8 +1265,7 @@ spec:
 outcomes:
 - fail:
 when: "true"
- message: |
- The selinux type context label for the embedded cluster binary directory are incorrect.
- Try running: sudo restorecon -RvF {{ .DataDir }}
+ message: >-
+ The selinux type context label for the embedded cluster binary directory are incorrect. Try running: sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?" && sudo restorecon -RvF {{ .DataDir }}
 - pass:
 when: "false"
From b8560c52ad5eb7497320791a672f53aa27d7332d Mon Sep 17 00:00:00 2001
From: hedge-sparrow
Date: Thu, 3 Jul 2025 14:15:54 +0100
Subject: [PATCH 8/8] explicitly check for restorecon binary
---
 pkg-new/hostutils/initialize.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
index 14a9115bf..9e825e7f7 100644
--- a/pkg-new/hostutils/initialize.go
+++ b/pkg-new/hostutils/initialize.go
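Review bot: The third hunk's rewritten message still reads `The selinux type context label for the embedded cluster binary directory are incorrect.` — singular subject with a plural verb — and the first hunk keeps lower-case `try running` where the other two say `Try running`; settle on `is incorrect` and `Try running` throughout. The remediation `sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?"` fails with an "already defined" error when a spec for that path exists, which is plausible on a host reaching this preflight because the installer adds one itself in patch 3/8; the hint could mention `-m` for that case or advise checking `semanage fcontext -l` first. Note the installer's rule also sets `-s system_u` while the hint does not, so the two may leave the directory with different user fields.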
@@ -42,9 +42,8 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 
 h.logger.Debugln("checking for semanage binary in $PATH")
 if _, err := exec.LookPath("semanage"); err != nil {
- h.logger.Debugln("semanage not found")
+ h.logger.Debugln("semanage not found in $PATH")
 } else {
-
 // Set selinux fcontext for embedded-cluster binary directory to bin_t
 out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(/.*)?").CombinedOutput()
 if err != nil {
@@ -52,8 +51,14 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 h.logger.Debugln(out)
 }
+ }
+
+ h.logger.Debugln("checking for restorecon binary in $PATH")
+ if _, err := exec.LookPath("restorecon"); err != nil {
+ h.logger.Debugln("restorecon not found in $PATH")
+ } else {
 
 // Relabel whole embedded-cluster data directory since it's created with unconfined_u
- out, err = exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
+ out, err := exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
 if err != nil {
 h.logger.Debugf("unable to run restorecon: %v", err)
 h.logger.Debugln(out)
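Review bot: `restorecon -RvF` over the whole data directory prints one line per relabelled file because of `-v`, and `CombinedOutput` buffers all of that in memory only to discard it when the command succeeds; either drop `-v` (restorecon's exit status is what the code acts on) or log the output at Debug on success too so the verbosity buys something. Splitting semanage and restorecon into independent `LookPath` checks is the right call — in patch 3/8 a missing semanage also skipped the relabel. The `out, err :=` inside the new else branch redeclares `err` alongside the one bound in the `if` initializer, which is legal but worth a glance if the project runs a shadow linter. ConfigureHost begins and ends outside this hunk.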