Add bluechi uds to policy #703

Merged: 2 commits, Jan 16, 2025

Conversation

engelmi
Member

@engelmi engelmi commented Jan 14, 2025

Fixes: #677

Recently, BlueChi enhanced the support for Unix Domain Sockets, including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015). On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM and have the bluechi-agent inside connect to it. This, however, is currently rejected due to missing SELinux policy rules. Let's add this rule.

@engelmi
Member Author

engelmi commented Jan 14, 2025

@dougsland @alexlarsson PTAL
I tried to verify that the changes work, but didn't manage to manually set up a working QM env with the latest BlueChi RPMs from copr. Is it possible to use a-i-b with the minimal QM image and install QM from file (and BlueChi from copr)?

@dougsland
Collaborator

@Yarboa PTAL too

@engelmi engelmi force-pushed the add-bluechi-uds-to-policy branch from e665b80 to 87b2a51 on January 14, 2025 14:32
@Yarboa
Collaborator

Yarboa commented Jan 15, 2025

> @dougsland @alexlarsson PTAL I tried to verify that the changes work, but didn't manage to manually set up a working QM env with the latest BlueChi RPMs from copr. Is it possible to use a-i-b with the minimal QM image and install QM from file (and BlueChi from copr)?

@engelmi which version do you want to consume?
It could be tweaked through a script.

@engelmi
Member Author

engelmi commented Jan 15, 2025

> @dougsland @alexlarsson PTAL I tried to verify that the changes work, but didn't manage to manually set up a working QM env with the latest BlueChi RPMs from copr. Is it possible to use a-i-b with the minimal QM image and install QM from file (and BlueChi from copr)?

> @engelmi which version do you want to consume? It could be tweaked through a script.

@Yarboa The latest BlueChi from copr snapshot and QM from this PR.
I built the QM RPM from this PR and used the /usr/share/qm/setup script. Then I had to uninstall bluechi-agent inside QM and install the one from copr via dnf install --installroot={rootfs} --repo <copr> bluechi-agent bluechi-selinux. After that the setup was somehow broken (systemd was degraded after reboot).

@Yarboa
Collaborator

Yarboa commented Jan 15, 2025

> bluechi-selinux

As discussed, selinux should be installed on the host.
I will propose a change for the tmt test prepare step to install selinux on the host from the non-release bluechi repo:
https://copr.fedorainfracloud.org/coprs/g/centos-automotive-sig/bluechi-snapshot/

Will update here

@alexlarsson
Collaborator

I think the specfile has to build-require bluechi-policy, or you cannot guarantee that the optional part of the policy is built during package build.

@alexlarsson
Collaborator

alexlarsson commented Jan 15, 2025

I tried this, but the qm agent still fails to connect:

Jan 15 15:47:33 755068142da0 bluechi-agent[38]: Agent connection attempt failed, retrying
Jan 15 15:47:33 755068142da0 bluechi-agent[38]: Trying to connect to controller (try 10)
Jan 15 15:47:33 755068142da0 bluechi-agent[38]: Connecting to controller on unix:path=/run/bluechi/bluechi.sock
Jan 15 15:47:33 755068142da0 bluechi-agent[38]: Failed to start peer bus: Permission denied
Jan 15 15:47:33 755068142da0 bluechi-agent[38]: Failed to open peer dbus

with:

Jan 15 16:02:54 localhost kernel: audit: type=1400 audit(1736956974.687:8): avc: denied { write } for pid=767 comm="bluechi-agent" name="bluechi.sock" dev="tmpfs" ino=551 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

@alexlarsson
Collaborator

If I disable selinux enforcing mode I see these two AVCs:

avc:  denied  { write } for  pid=767 comm="bluechi-agent" name="bluechi.sock" dev="tmpfs" ino=551 scontext=system_u:system_r:qm_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
avc:  denied  { connectto } for  pid=767 comm="bluechi-agent" path="/run/bluechi/bluechi.sock" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

Which we need to fix.

@alexlarsson
Collaborator

This is what audit2allow says (although take that as a hint rather than a must):

allow qm_t unconfined_service_t:unix_stream_socket connectto;
allow qm_t var_run_t:sock_file write;
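
As an added example (not code from this thread, nor from the QM or BlueChi projects), the following Python script shows what audit2allow is doing with the denial lines quoted in the comments above: it parses both the kernel/journal-prefixed line from the earlier comment and the two permissive-mode lines, groups them into one `allow` statement per (source type, target type, object class), and flags any candidate rule whose target type is a generic default label such as var_run_t or unconfined_service_t. A denial against such a type usually means the object is not labelled at all (the situation this thread ended in, resolved by installing bluechi-selinux) rather than a missing rule for the confined domain. The sample lines are constructed from the ones in the thread; the `GENERIC_TARGET_TYPES` set and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the three denial lines quoted in this PR thread,
# one in journal/kernel format (permissive=0) and two from the permissive=1 run.
SAMPLE_AVCS = [
    'Jan 15 16:02:54 localhost kernel: audit: type=1400 audit(1736956974.687:8): '
    'avc: denied { write } for pid=767 comm="bluechi-agent" name="bluechi.sock" '
    'dev="tmpfs" ino=551 scontext=system_u:system_r:qm_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
    'avc:  denied  { write } for  pid=767 comm="bluechi-agent" name="bluechi.sock" '
    'dev="tmpfs" ino=551 scontext=system_u:system_r:qm_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1',
    'avc:  denied  { connectto } for  pid=767 comm="bluechi-agent" '
    'path="/run/bluechi/bluechi.sock" scontext=system_u:system_r:qm_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=unix_stream_socket permissive=1',
]

# Shape of a denial: 'avc: denied { perm ... } for key=value key="value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that are generic defaults rather than a label assigned to the
# specific object: var_run_t is what an unlabelled file under /run gets,
# unconfined_service_t is what a service without its own domain runs as.
# A rule against one of these is far wider than the object that triggered it.
# (Assumed list for this example, not a list from the QM or BlueChi policy.)
GENERIC_TARGET_TYPES = {"var_run_t", "var_t", "tmp_t", "unconfined_service_t", "unlabeled_t"}


def parse_avc(line: str) -> Optional[dict]:
    """Extract the policy-relevant fields of one AVC denial line; None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type:level; policy rules are written on the type.
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "object": fields.get("path") or fields.get("name", ""),
        "enforced": fields.get("permissive") == "0",
    }


def allow_rules(lines: List[str]) -> List[str]:
    """Collapse denials into one allow statement per (source, target, class), as audit2allow does."""
    grouped: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        grouped.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def review_hints(lines: List[str]) -> List[str]:
    """Flag denials whose target type is a generic default, i.e. a likely labelling gap."""
    hints: List[str] = []
    for line in lines:
        d = parse_avc(line)
        if d is None or d["target_type"] not in GENERIC_TARGET_TYPES:
            continue
        hint = (f'{d["comm"]} -> {d["object"]}: target type {d["target_type"]} is a generic '
                f'default; check the object is labelled before allowing {d["source_type"]} access')
        if hint not in hints:
            hints.append(hint)
    return hints


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for hint in review_hints(SAMPLE_AVCS):
        print("hint:", hint)
```

Run on the sample it prints the same two statements as the audit2allow output above, plus one hint per distinct object telling the reviewer to look at labelling first. Feeding it `journalctl -k` or `ausearch -m avc` output from a real system works the same way, since the parser keys off the `avc: denied` marker and ignores any prefix.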

@alexlarsson
Collaborator

Turns out I just didn't have bluechi-selinux installed, because it is not a hard dependency. It works now.

Fixes: containers#677

Recently, BlueChi enhanced the support for Unix Domain Sockets,
including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015).
On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM
and have the bluechi-agent inside connect to it. This, however, is currently
rejected due to missing SELinux policy rules. Let's add this rule.

Signed-off-by: Michael Engel <[email protected]>
@engelmi engelmi force-pushed the add-bluechi-uds-to-policy branch from 87b2a51 to 6459e7e on January 16, 2025 09:31
@engelmi
Member Author

engelmi commented Jan 16, 2025

Thanks for your help! @alexlarsson @Yarboa

I pushed the change to add the BuildRequires: bluechi-selinux to the spec - so feature-wise it should be complete.

@Yarboa About updating the documentation: Where do I need to update it?
In #703 (comment) you mentioned the man page. I only see the qm_selinux.8 file, which is a bit hard to update. I'd add a make target to convert a .md to .8 file via md2man so we can use .md file(s) which are easier to edit. If it's ok, I'd do the doc update in a separate, follow-up PR.
What do you think? @dougsland @Yarboa

@Yarboa
Collaborator

Yarboa commented Jan 16, 2025

> Thanks for your help! @alexlarsson @Yarboa
>
> I pushed the change to add the BuildRequires: bluechi-selinux to the spec - so feature-wise it should be complete.
>
> @Yarboa About updating the documentation: Where do I need to update it? In #703 (comment) you mentioned the man page. I only see the qm_selinux.8 file, which is a bit hard to update. I'd add a make target to convert a .md to .8 file via md2man so we can use .md file(s) which are easier to edit. If it's ok, I'd do the doc update in a separate, follow-up PR. What do you think? @dougsland @Yarboa

vim-enhanced is doing the trick I think, tend to keep things KISS.
You could check the output with man ./qm_selinux.8

@engelmi
Member Author

engelmi commented Jan 16, 2025

> > Thanks for your help! @alexlarsson @Yarboa
> > I pushed the change to add the BuildRequires: bluechi-selinux to the spec - so feature-wise it should be complete.
> > @Yarboa About updating the documentation: Where do I need to update it? In #703 (comment) you mentioned the man page. I only see the qm_selinux.8 file, which is a bit hard to update. I'd add a make target to convert a .md to .8 file via md2man so we can use .md file(s) which are easier to edit. If it's ok, I'd do the doc update in a separate, follow-up PR. What do you think? @dougsland @Yarboa
>
> vim-enhanced is doing the trick I think, tend to keep things KISS. You could check the output with man ./qm_selinux.8

Seems to be quite hard to edit, though, to be honest.

Checking the man page, it seems like this PR doesn't add anything that needs to be added there.
Therefore, I think we can merge this one? @dougsland @Yarboa

@Yarboa
Collaborator

Yarboa commented Jan 16, 2025

> > > Thanks for your help! @alexlarsson @Yarboa
> > > I pushed the change to add the BuildRequires: bluechi-selinux to the spec - so feature-wise it should be complete.
> > > @Yarboa About updating the documentation: Where do I need to update it? In #703 (comment) you mentioned the man page. I only see the qm_selinux.8 file, which is a bit hard to update. I'd add a make target to convert a .md to .8 file via md2man so we can use .md file(s) which are easier to edit. If it's ok, I'd do the doc update in a separate, follow-up PR. What do you think? @dougsland @Yarboa
> >
> > vim-enhanced is doing the trick I think, tend to keep things KISS. You could check the output with man ./qm_selinux.8
>
> Seems to be quite hard to edit, though, to be honest.
>
> Checking the man page, it seems like this PR doesn't add anything that needs to be added there. Therefore, I think we can merge this one? @dougsland @Yarboa

@engelmi don't you think we should have socket tests aligned with this change?
Like add them to this plan?

/plans/e2e/tier-0

@engelmi
Member Author

engelmi commented Jan 16, 2025

> @engelmi don't you think we should have socket tests aligned with this change? Like add them to this plan?
>
> /plans/e2e/tier-0

Integration tests for BlueChi + QM definitely make sense. I am not sure if the QM repo is the right place for it, though. If I remember correctly, there were discussions of creating a repo/pipeline where the integration between QM and different services should be tested - I'd place these integration tests there.
(As mentioned in #677, it's also not ideal to have these policy changes in QM, but it's the most pragmatic option.)

You are the maintainer and if you want the integration tests in the QM repo, then I can try to implement them here, of course :)

@Yarboa Yarboa merged commit 4f3a2eb into containers:main Jan 16, 2025
12 checks passed
Linked issue this pull request may close: SELinux policy for QM + BlueChi
4 participants