
Add distributed SELinux policy#239

Draft
subpop wants to merge 1 commit into RedHatInsights:main from subpop:selinux-policy

Conversation


@subpop subpop commented Jul 12, 2024

Add a build option to enable building and installing an SELinux policy.

Card ID: CCT-461

@jirihnidek
Contributor

Very good idea... I created a local build with packit and tried to start yggdrasil.service. The yggd wasn't able to access the tags file:

----
time->Mon Jul 15 14:23:05 2024
type=AVC msg=audit(1721046185.083:625): avc:  denied  { watch } for  pid=53159 comm="yggd" path="/etc/yggdrasil/tags.toml" dev="dm-0" ino=3462982 scontext=system_u:system_r:yggd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
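As an added example (not code from the yggdrasil project or from this pull request): a small Python parser for AVC records like the one quoted above. It pulls out the source and target types, the permission involved, and whether the access was actually blocked or only logged because the domain was in permissive mode (the `permissive=1` at the end of the record). The sample record is constructed from the line in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample record, modelled on the AVC line quoted in this thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1721046185.083:625): avc:  denied  { watch } for  '
    'pid=53159 comm="yggd" path="/etc/yggdrasil/tags.toml" dev="dm-0" ino=3462982 '
    'scontext=system_u:system_r:yggd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 '
    'tclass=file permissive=1'
)
# "avc: denied { perm ... } for key=value ..." (also matches "granted")
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be quoted (comm="yggd") or bare (tclass=file)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

@dataclass
class AvcEvent:
    decision: str   # "denied" or "granted"
    perms: list     # permissions inside the braces, e.g. ["watch"]
    fields: dict    # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    @property
    def source_type(self) -> str:
        return self.fields['scontext'].split(':')[2]   # e.g. yggd_t

    @property
    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]   # e.g. etc_t

    @property
    def enforced(self) -> bool:
        # permissive=1 means the access went through and was only logged
        return self.fields.get('permissive') == '0'

def parse_avc(line: str):
    """Return an AvcEvent for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return AvcEvent(m.group('decision'), m.group('perms').split(), fields)

def summarize(event: AvcEvent) -> str:
    """One-line triage summary: which domain was denied what on which object."""
    mode = 'blocked' if event.enforced else 'logged only (permissive mode)'
    return (f"{event.source_type} -> {event.target_type} ({event.fields['tclass']}): "
            f"{' '.join(event.perms)} {event.decision}, {mode}; "
            f"comm={event.fields.get('comm')} path={event.fields.get('path')}")
```

Feeding the sample record through `summarize(parse_avc(SAMPLE_AVC))` shows the yggd_t to etc_t `watch` denial as logged-only, which is why the service kept running while the AVC still appeared in the audit log.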


subpop commented Jul 15, 2024

I added files_watch_etc_files(yggd_t) to allow watching files in /etc.

@jirihnidek
Contributor

I can confirm that it works as expected on Fedora, but it seems that there are some issues on RHEL8 based distros. Packit build fails there with the following error:

[3/6] /builddir/build/BUILD/yggdrasil-0.4.1/selinux/semodule_package.sh selinux/yggdrasil.pp ../selinux/yggdrasil.te selinux/yggdrasil.fc
FAILED: selinux/yggdrasil.pp 
/builddir/build/BUILD/yggdrasil-0.4.1/selinux/semodule_package.sh selinux/yggdrasil.pp ../selinux/yggdrasil.te selinux/yggdrasil.fc
++ mktemp -d selinux-build-XXXXXX
+ TMP=selinux-build-1CeGaY
+ output=selinux/yggdrasil.pp
+ shift
+ cp -- ../selinux/yggdrasil.te selinux/yggdrasil.fc selinux-build-1CeGaY/
++ basename selinux/yggdrasil.pp
+ make -C selinux-build-1CeGaY -f /usr/share/selinux/devel/Makefile yggdrasil.pp
make: Entering directory '/builddir/build/BUILD/yggdrasil-0.4.1/x86_64-redhat-linux-gnu/selinux-build-1CeGaY'
Compiling targeted yggdrasil module
yggdrasil.te:27:ERROR 'syntax error' at token 'files_watch_etc_files' on line 3822:
files_watch_etc_files(yggd_t)

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/yggdrasil.mod] Error 1
make: Leaving directory '/builddir/build/BUILD/yggdrasil-0.4.1/x86_64-redhat-linux-gnu/selinux-build-1CeGaY'

It seems that this macro (files_watch_etc_files) was added three years ago https://github.com/fedora-selinux/selinux-policy/blame/59351919636a0a57263aaab433698da4314b9e2a/policy/modules/kernel/files.if#L4409 and it is not available on RHEL8.

Do we actually need to test the main branch of yggdrasil for rhel8?


subpop commented Jul 16, 2024

I haven't considered how far back in compatibility we want to go yet, but not supporting EL8 is very likely.

@jirihnidek
Contributor

@subpop Is it still a draft? Or do you need a final review and a review from the SELinux team?


files_read_etc_files(yggd_t)

files_watch_etc_files(yggd_t)
Contributor

I just have a note that is not related to this case. We had to consider the use case for rhsm.service, when some customers use NFS for sharing the /etc directory and it wasn't possible to use inotify. We had to implement regular polling as a fallback solution. I hope such a request will not pop up for any client tool anymore.

Contributor Author

That's alarming. Machine-specific information goes into /etc. Sharing it over NFS seems unsafe. I feel like that's a condition that we should not support unless we're explicitly required to. That introduces a lot of complexity unnecessarily.

Optionally build and install an SELinux module. This is controlled with a build option ‘selinux_module’, disabled by default. The build option ‘selinux_policy’ can be specified to install the module into a desired policy directory.

Card ID: CCT-461