From ad8dc250e29c2cd04cfc46d94aaa5c0192974586 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20L=C3=B6nnegren?=
Date: Fri, 10 May 2024 14:35:01 +0200
Subject: [PATCH] Update SELinux docs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Fredrik Lönnegren
---
 docs/content/en/docs/Customizing/selinux_support.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/docs/content/en/docs/Customizing/selinux_support.md b/docs/content/en/docs/Customizing/selinux_support.md
index 2cd4dc1492..72bb5c1e23 100644
--- a/docs/content/en/docs/Customizing/selinux_support.md
+++ b/docs/content/en/docs/Customizing/selinux_support.md
@@ -15,11 +15,7 @@ Elemental includes basic support for SELinux. From an elemental perspective SELi * the installed system includes the targeted files context (`/etc/selinux/targeted/contexts/files/file_contexts` file) * the binary for `targeted` policy is also present (`/etc/selinux/targeted/policy/policy.*` file) -In an Elemental workflow SElinux context labels should be applied at install/upgrade time for the readonly areas, but this is not enough as it doesn't cover the ephemeral filesystems (overlayfs on top of tmpfs), which are usually sensitive paths like `/etc/`, `/var`, `/srv`, etc. In order to properly apply file contexts over the ephemeral paths the relabelling has to happen at boot time once those overlayfs are created. The appropriate stage for that is in initrd before switching root. In fact, it can be done as a cloud-init step as part of the `initramfs` stage, using the packaged `10_selinux.yaml` with: - -{{}} - -Note it is required to load the policy in advance to be capable to apply the `restorecon` command. The `restorecon` command should be applied to all ephemeral paths and, depending on the specific use case, to the persistent paths too. Note that without restoring context on the ephemeral `/etc` it is unlikely the system is capable of properly booting, hence this is a very important step if SELinux is intended to used. +In an Elemental workflow SElinux context labels should be applied at install/upgrade time for the readonly areas, but this is not enough as it doesn't cover the ephemeral filesystems (overlayfs on top of tmpfs), which are usually sensitive paths like `/etc/`, `/var`, `/srv`, etc. In order to properly apply file contexts over the ephemeral paths the relabelling has to happen at boot time once those overlayfs are created. During boot the `elemental mount` command will try to relabel the files in ephemeral and persistent storage if it can find the correct policy and setfiles utility in the mounted system. 
## Using custom SELinux modules
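Review bot: the replacement paragraph in this hunk loses the operational caveat that the removed text carried, namely that the policy must be loaded before contexts can be restored and that a system whose ephemeral `/etc` is not relabelled is unlikely to boot properly; the new wording only says `elemental mount` "will try to relabel ... if it can find the correct policy and setfiles utility", without saying what happens when they are not found. Please keep the boot-failure warning and state the failure mode explicitly (whether the mount proceeds with unlabelled ephemeral paths, and how that is reported), and point the reader at how to confirm the prerequisites before enabling SELinux, for example checking that `/etc/selinux/targeted/policy/policy.*` and `/etc/selinux/targeted/contexts/files/file_contexts` exist in the installed image, as the two bullets above already list. Two style points on the same line: `setfiles` should be in backticks like the other identifiers, and `SElinux` should read `SELinux` to match the rest of the page.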