From 16f0010621e5e1b24de03d0c43833dd1e3ef8d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Fri, 5 Jun 2020 09:52:43 +0200
Subject: [PATCH] Modify how libvirt related containers use SELinux

1- Add specific mounts in nova_libvirt They are needed in order to get SELinux support within the container 2- Remove now deprecated docker_enable condition Since this one isn't needed anymore, just drop it. 3- Drop "z" flag from libvirt related mounts This avoids relabelling issues from non-privileged containers 4- Set specific labels for the container itself. See note 2 for more details. Notes: 1- This will require to patch podman-1.6.4 in order to allow to actually use security-opt when --privileged and/or --pid=host are passed[1]. 2- The "container_share_t" filetype will be updated in a follow-up to the newer version, "container_ro_file_t". This makes backports easier to older releases that might not be aware of this new type. The follow-up change is purely cosmetic in order to reflect the actual behavior of SELinux and has no functional change. Testing: The first tests were done using a podman 1.9.3 in order to work around the mentionned issues. Newer tests were done using podman 1.6.4 scratch-builds in order to ensure the reported issues were fixed. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1846364
Depends-On: https://review.opendev.org/736255
Co-Authored-By: Daniel Berrange
Co-Authored-By: Kashyap Chamarthy
Change-Id: I9e0da2a48c23c35e084bea831fc744b9f053508b
(cherry picked from commit 9f0e5d724f6ac9f24a6296907c400dce54e9d2cd)
(cherry picked from commit 909984bbe18d841c09c598c8336bea50b7b91582)
---
 .../nova/nova-compute-container-puppet.yaml | 2 +-
 .../nova/nova-libvirt-container-puppet.yaml | 32 ++++++++-----------
 2 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index 14613eef65..3cde8f5eb6 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -823,7 +823,7 @@ outputs:
 - /lib/modules:/lib/modules:ro
 - /run:/run
 - /var/lib/iscsi:/var/lib/iscsi:z
- - /var/lib/libvirt:/var/lib/libvirt:shared,z
+ - /var/lib/libvirt:/var/lib/libvirt:shared
 - /sys/class/net:/sys/class/net
 - /sys/bus/pci:/sys/bus/pci
 - /boot:/boot:ro
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 9626f3c04c..617e6a4d61 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -307,11 +307,6 @@ conditions:
 - {get_param: QemuCACert}
 - ''
 
- docker_enabled:
- equals:
- - {get_param: ContainerCli}
- - 'docker'
-
 nova_nfs_enabled:
 or:
 - and:
@@ -680,7 +675,7 @@ outputs:
 - /dev:/dev
 - /run:/run
 - /sys/fs/cgroup:/sys/fs/cgroup
- - /var/run/libvirt:/var/run/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
 - /var/lib/libvirt:/var/lib/libvirt
 - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
 - /var/log/libvirt/qemu:/var/log/libvirt/qemu
@@ -694,7 +689,10 @@ outputs:
 net: host
 pid: host
 privileged: true
- security_opt: label=disable
+ security_opt:
+ - label=level:s0
+ - label=type:spc_t
+ - label=filetype:container_share_t
 restart: always
 cpuset_cpus: {get_attr: [RoleParametersValue, value, container_cpuset_cpus]}
 depends_on:
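Review bot: With `z` dropped from the `/var/lib/libvirt` mount in nova_compute's volumes (the `+` line of the -823 hunk), this container no longer relabels the directory itself and relies on the host path already carrying a label it can use; the only place that label is set is the `file` task in nova-libvirt-container-puppet.yaml (`setype: svirt_sandbox_file_t` for `/var/lib/libvirt`), a different template. That coupling is invisible from this file, so I would record it on the mount line, e.g. `# no :z - /var/lib/libvirt is labelled by the nova_libvirt template's file task`, so a later change to either template does not silently break the other. The enclosing volumes list starts and ends outside the hunk.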
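Review bot: The new `security_opt` list in the -694 hunk (`label=type:spc_t`, `label=filetype:container_share_t`, `label=level:s0`) is, per the commit message, only honoured together with `privileged: true` and `pid: host` by a podman that carries the fix for BZ#1846364; on an unpatched podman the options are dropped silently and nothing in the template detects that. The same message says `container_share_t` is to be renamed `container_ro_file_t` in a follow-up. Neither fact survives in the template, so I would put a short comment above `security_opt:` such as `# needs a podman with the BZ#1846364 fix to honour these with --privileged/--pid=host; container_share_t -> container_ro_file_t in a follow-up`. The container definition starts and ends outside the hunk.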
@@ -716,17 +714,14 @@ outputs:
 - /run:/run
 - /sys/fs/cgroup:/sys/fs/cgroup
 - /etc/libvirt:/etc/libvirt
- - /var/run/libvirt:/var/run/libvirt:shared,z
- - /var/lib/libvirt:/var/lib/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
+ - /var/cache/libvirt:/var/cache/libvirt:shared
+ - /var/lib/libvirt:/var/lib/libvirt:shared
 - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
 - /var/lib/vhost_sockets:/var/lib/vhost_sockets:z
 - /var/lib/nova:/var/lib/nova:shared
- -
- if:
- - docker_enabled
- -
- - /sys/fs/selinux:/sys/fs/selinux
- - null
+ - /sys/fs/selinux:/sys/fs/selinux
+ - /etc/selinux/config:/etc/selinux/config:ro
 -
 if:
 - use_tls_for_live_migration
@@ -798,8 +793,8 @@ outputs:
 -
 - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
 - /etc/libvirt:/etc/libvirt
- - /var/run/libvirt:/var/run/libvirt:shared,z
- - /var/lib/libvirt:/var/lib/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
+ - /var/lib/libvirt:/var/lib/libvirt:shared
 command:
 - /bin/bash
 - -c
@@ -840,12 +835,13 @@ outputs:
 file:
 path: "{{ item.path }}"
 state: directory
- setype: "{{ item.setype }}"
+ setype: "{{ item.setype | default(omit) }}"
 with_items:
 - { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
 - { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
 - { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
 - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/cache/libvirt }
 - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
 - { 'path': /var/run/libvirt, 'setype': virt_var_run_t }
 - { 'path': /var/log/libvirt, 'setype': svirt_sandbox_file_t }
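Review bot: `/sys/fs/selinux:/sys/fs/selinux` in the -716 hunk is mounted read-write while the companion `/etc/selinux/config` mount is `:ro`, and the hunk gives no reason for the difference. Because the container runs as `spc_t` the writable selinuxfs does not widen what the process may already do, but a maintainer tightening it to `:ro` later could break libvirt, since libselinux's context validation writes to files under the selinuxfs; worth confirming against libvirt's actual use and then recording on the mount, e.g. `# rw on purpose: libselinux context checks write to selinuxfs`. The list_concat holding these volumes starts and ends outside the hunk.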
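Review bot: `/var/cache/libvirt` in the -840 hunk is the only `with_items` entry without a `setype`, so `default(omit)` leaves it with whatever label the host file-context policy assigns, while nova_libvirt mounts it `shared` without `:z`; if that is intentional because the container's `spc_t` type presumably makes the directory type irrelevant, the item should say so, otherwise the next reader will add `svirt_sandbox_file_t` for symmetry with the neighbouring entries. A comment such as `# no setype: host default label is fine, nova_libvirt runs as spc_t` on that item would settle it. The Ansible task starts outside the hunk.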