replicatedhq · hedge-sparrow · Jun 30, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jun 30, 2025
diff --git a/pkg-new/hostutils/initialize.go b/pkg-new/hostutils/initialize.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
@@ -39,6 +40,31 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
 		}
 	}
 
+	h.logger.Debugln("checking for semanage binary in $PATH")
+	if _, err := exec.LookPath("semanage"); err != nil {
+		h.logger.Debugln("semanage not found in $PATH")
+	} else {
+		// Set selinux fcontext for embedded-cluster binary directory to bin_t
+		out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(/.*)?").CombinedOutput()
+		if err != nil {
+			h.logger.Debugf("unable to set contexts on binary directory: %v", err)
+			h.logger.Debugln(out)
+		}
+
+	}
+
+	h.logger.Debugln("checking for restorecon binary in $PATH")
+	if _, err := exec.LookPath("restorecon"); err != nil {
+		h.logger.Debugln("restorecon not found in $PATH")
+	} else {
+		// Relabel whole embedded-cluster data directory since it's created with unconfined_u
+		out, err := exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
+		if err != nil {
+			h.logger.Debugf("unable to run restorecon: %v", err)
+			h.logger.Debugln(out)
+		}
+	}
+
 	h.logger.Debugf("configuring sysctl")
 	if err := h.ConfigureSysctl(); err != nil {
 		h.logger.Debugf("unable to configure sysctl: %v", err)

diff --git a/pkg-new/preflights/host-preflight.yaml b/pkg-new/preflights/host-preflight.yaml
@@ -186,6 +186,40 @@ spec:
           else
             echo "Filesystem is not XFS (detected: $fstype). Skipping xfs_info."
           fi
+    - run:
+        collectorName: "selinux-labels"
+        command: "sh"
+        args:
+            - -c
+            - |
+              data_dir="{{ .DataDir }}"
+              bin_dir=$data_dir/bin
+              # only run our checks if getenforce is available
+              if ! $(command -v getenforce); then
+                echo "no selinux"
+                exit 0
+              fi
+              # check if selinux is in enforcing mode
+              selinux_status=$(getenforce | tr -d '\n')
+              if [ "$selinux_status" != "Enforcing" ]; then
+                echo "selinux not enforcing"
+                exit 0
+              fi
+              # check user label of data-dir
+              data_dir_user_label=$(secon --file $data_dir --user)
+              if [ ! "$data_dir_user_label" = "system_u" ]; then
+                echo "data_dir_user_label $data_dir_user_label"
+              fi
+              # check user label of bin dir
+              bin_dir_user_label=$(secon --file $bin_dir --user)
+              if [ ! "$bin_dir_user_label" = "system_u" ]; then
+                echo "bin_dir_user_label $bin_dir_user_label"
+              fi
+              # check type label of bin dir
+              bin_dir_type_label=$(secon --file $bin_dir --type)
+              if [ ! "$bin_dir_type_label" = "bin_t" ]; then
+                echo "bin_dir_type_label $bin_dir_type_label"
+              fi
   analyzers:
     - cpu:
         checkName: CPU
@@ -1180,23 +1214,6 @@ spec:
               when: "connected"
               message: "Successful TCP connection to {{ $element }}."
 {{- end}}
-    - textAnalyze:
-        checkName: SELinux Mode
-        fileName: host-collectors/run-host/selinux-mode.txt
-        regexGroups: '(?P<Mode>Enforcing|Permissive|Disabled|Missing)'
-        outcomes:
-          - fail:
-              when: "Mode == Enforcing"
-              message: SELinux must be disabled or run in permissive mode. To run SELinux in permissive mode, edit /etc/selinux/config, change the line 'SELINUX=enforcing' to 'SELINUX=permissive', save the file, and reboot. You can run getenforce to verify the change."
-          - pass:
-              when: "Mode == Permissive"
-              message: SELinux is running in permissive mode.
-          - pass:
-              when: "Mode == Disabled"
-              message: SELinux is disabled.
-          - pass:
-              when: "Mode == Missing"
-              message: SELinux is not installed.
     - textAnalyze:
         checkName: Data Directory Permissions
         fileName: host-collectors/run-host/check-data-dir-permissions.txt
@@ -1219,3 +1236,36 @@ spec:
           - pass:
               when: "false"
               message: "The filesystem at {{ .DataDir }} is either not XFS or is XFS with ftype=1."
+    - textAnalyze:
+        checkName: "Selinux data-dir user label"
+        fileName: host-collectors/run-host/selinux-labels.txt
+        regex: "data_dir_user_label"
+        outcomes:
+          - fail:
+              when: "true"
+              message: >-
+                  The selinux user context label for {{ .DataDir }} is incorrect. try running: sudo restorecon -RvF {{ .DataDir }}
+          - pass:
+              when: "false"
+    - textAnalyze:
+        checkName: "Selinux bin dir user label"
+        fileName: host-collectors/run-host/selinux-labels.txt
+        regex: "bin_dir_user_label"
+        outcomes:
+          - fail:
+              when: "true"
+              message: >-
+                  The selinux user context label for {{ .DataDir }}/bin is incorrect. Try running: sudo restorecon -RvF {{ .DataDir }}
+          - pass:
+              when: "false"
+    - textAnalyze:
+        checkName: "Selinux bin dir type label"
+        fileName: host-collectors/run-host/selinux-labels.txt
+        regex: "bin_dir_type_label"
+        outcomes:
+          - fail:
+              when: "true"
+              message: >-
+                  The selinux type context label for the embedded cluster binary directory are incorrect. Try running: sudo semanage fcontext -a -t bin_t "{{ .DataDir }}/bin(/.*)?" && sudo restorecon -RvF {{ .DataDir }}
+          - pass:
+              when: "false"