Dracut: Update Dracut overlay module to correctly locate 'chcon' #11986
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
microsoft-github-policy-service
bot
added
Packaging
3.0-dev
pebenito
reviewed
Jan 24, 2025
Comment on lines
152
to
153
| +allow ssh_keygen_t var_t:dir { write add_name remove_name }; | ||
| +allow ssh_keygen_t var_t:file { getattr setattr create open read write rename }; |
There was a problem hiding this comment.
var_t typically isn't used for files, since it is extremely generic, policy-wise. What dir(s)/file(s) are created?
There was a problem hiding this comment.
Looked into it further, it turns out we're moving the ssh key file location from /etc/ to /var/etc:
/var/etc/ssh/ssh_host_rsa_key.pub
/var/etc/ssh/ssh_host_rsa_key
/var/etc/ssh/ssh_host_ecdsa_key.pub
/var/etc/ssh/ssh_host_ecdsa_key
/var/etc/ssh/ssh_host_ed25519_key.pub
/var/etc/ssh/ssh_host_ed25519_key
This change is necessary for when verity is enabled and the etc location is read-only with a volatile overlay.
I'll drop the policy changes from the PR based on that. Thanks Chris.
gmileka
force-pushed
the
gmileka/unblock-iso-selinux
branch
3 times, most recently
from
4585c1e to
4573bf6
Compare
gmileka
changed the title
gmileka
changed the title
gmileka
force-pushed
the
gmileka/unblock-iso-selinux
branch
2 times, most recently
from
adee260 to
f482913
Compare
gmileka
changed the title
Camelron
reviewed
Feb 11, 2025
3 tasks
gmileka
added a commit
to microsoft/azure-linux-image-tools
that referenced
this pull request
Feb 12, 2025
The logic in LiveOS ISO checks the Dracut version installed on the image to be customized. If it is below a certain version, it will always disable SELinux since it knows SELinux is not supported for that version and the image will not boot. However, if it is at or higher, it leave SELinux as-is. The problem is that this version is not set at 102-8, which has a known bug blocking booting LiveOS ISO images when SELinux is enabled. This change updates the version to a new Dracut package that has the fix necessary for booting LiveOS ISO image with SELinux enabled. See corresponding dracut change here: microsoft/azurelinux#11986 <!-- Description: Please provide a summary of the changes and the motivation behind them. --> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [x] Code conforms to style guidelines
Camelron
approved these changes
Feb 13, 2025
himaja-kesari
pushed a commit
to microsoft/azure-linux-image-tools
that referenced
this pull request
Feb 26, 2025
The logic in LiveOS ISO checks the Dracut version installed on the image to be customized. If it is below a certain version, it will always disable SELinux since it knows SELinux is not supported for that version and the image will not boot. However, if it is at or higher, it leave SELinux as-is. The problem is that this version is not set at 102-8, which has a known bug blocking booting LiveOS ISO images when SELinux is enabled. This change updates the version to a new Dracut package that has the fix necessary for booting LiveOS ISO image with SELinux enabled. See corresponding dracut change here: microsoft/azurelinux#11986 <!-- Description: Please provide a summary of the changes and the motivation behind them. --> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [x] Code conforms to style guidelines
himaja-kesari
pushed a commit
to microsoft/azure-linux-image-tools
that referenced
this pull request
Feb 26, 2025
The logic in LiveOS ISO checks the Dracut version installed on the image to be customized. If it is below a certain version, it will always disable SELinux since it knows SELinux is not supported for that version and the image will not boot. However, if it is at or higher, it leave SELinux as-is. The problem is that this version is not set at 102-8, which has a known bug blocking booting LiveOS ISO images when SELinux is enabled. This change updates the version to a new Dracut package that has the fix necessary for booting LiveOS ISO image with SELinux enabled. See corresponding dracut change here: microsoft/azurelinux#11986 <!-- Description: Please provide a summary of the changes and the motivation behind them. --> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [x] Code conforms to style guidelines
himaja-kesari
pushed a commit
to microsoft/azure-linux-image-tools
that referenced
this pull request
Feb 26, 2025
The logic in LiveOS ISO checks the Dracut version installed on the image to be customized. If it is below a certain version, it will always disable SELinux since it knows SELinux is not supported for that version and the image will not boot. However, if it is at or higher, it leave SELinux as-is. The problem is that this version is not set at 102-8, which has a known bug blocking booting LiveOS ISO images when SELinux is enabled. This change updates the version to a new Dracut package that has the fix necessary for booting LiveOS ISO image with SELinux enabled. See corresponding dracut change here: microsoft/azurelinux#11986 <!-- Description: Please provide a summary of the changes and the motivation behind them. --> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [x] Code conforms to style guidelines
himaja-kesari
pushed a commit
to microsoft/azure-linux-image-tools
that referenced
this pull request
Feb 27, 2025
The logic in LiveOS ISO checks the Dracut version installed on the image to be customized. If it is below a certain version, it will always disable SELinux since it knows SELinux is not supported for that version and the image will not boot. However, if it is at or higher, it leave SELinux as-is. The problem is that this version is not set at 102-8, which has a known bug blocking booting LiveOS ISO images when SELinux is enabled. This change updates the version to a new Dracut package that has the fix necessary for booting LiveOS ISO image with SELinux enabled. See corresponding dracut change here: microsoft/azurelinux#11986 <!-- Description: Please provide a summary of the changes and the motivation behind them. --> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [x] Code conforms to style guidelines
himaja-kesari
pushed a commit
to microsoft/azure-linux-image-tools
that referenced
this pull request
Feb 27, 2025
The logic in LiveOS ISO checks the Dracut version installed on the image to be customized. If it is below a certain version, it will always disable SELinux since it knows SELinux is not supported for that version and the image will not boot. However, if it is at or higher, it leave SELinux as-is. The problem is that this version is not set at 102-8, which has a known bug blocking booting LiveOS ISO images when SELinux is enabled. This change updates the version to a new Dracut package that has the fix necessary for booting LiveOS ISO image with SELinux enabled. See corresponding dracut change here: microsoft/azurelinux#11986 <!-- Description: Please provide a summary of the changes and the motivation behind them. --> --- ### **Checklist** - [ ] Tests added/updated - [ ] Documentation updated (if needed) - [x] Code conforms to style guidelines
…ate 'chcon' We now use the full path of 'chcon' to ensure we always find it regardless of the contents of initrd.
gmileka
force-pushed
the
gmileka/unblock-iso-selinux
branch
from
f482913 to
d88a7cb
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
LiveOS ISO utilizes an overlay file system that consists of a read-only full OS rootfs (lower dir) and an in-memory read-write file system (upper dir).
When selinux is enabled, the final root (
/) must be labeledroot_t. Given that the final root (/) is constructed from the lower dir and the upper dir, both should also be marked as such (i.e. withroot_t). The read-only full OS rootfs is already labeled as such during build time. The in-memory file system is new, however, and still need to be labeled.A fix was merged in December to achieve that by calling selinux
chconutility. At the time, the labeling was done correctly, and selinux did not report any violations in our private testing.However, this bug report alerted us that
chconis not being found on the path as tested by Brian, and as a result, the labeling is not taking place, and the liveos iso does not boot when selinux is enabled.This fix changes the dracut module responsible for the labeling to explicitly specify the full path of the
chconutility. This guarantees that regardless of the contents of the initrd, the command always succeeds.When doing root cause analysis for the regression, the most likely reason it did not not show in the private testing is that the initrd had a copy of
chcon, and it was on the path. This hid the problem that would arise if the contents of the initrd changed.Change Log
Does this affect the toolchain?
Associated issues
Links to CVEs
Test Methodology
Validation
Automation
Note While we've put in automation to catch this kind of failures in the future, the downloaded images in the test are the public one which do not have the fixed Dracut package. However, once the Dracut package is published, the test will automatically pick it up and verify it boots.