From a19f1b3ea11fb5b4a58b26f165da60178abc9944 Mon Sep 17 00:00:00 2001
From: aleskandro
Date: Thu, 18 Jul 2024 22:36:44 +0100
Subject: [PATCH] Adds a systemd unit to load custom SELinux rules in SCOS

This commit implements a systemd unit to apply custom SELinux modules in SCOS shipped as CILs in the read-only /usr/lib/okd/selinux/ folder.

Refers #1555
---
 overlay.d/50scos/usr/lib/okd/selinux/.keep | 0
 .../usr/lib/systemd/system-presets/50-scos.preset | 1 +
 .../usr/lib/systemd/system/okd-selinux.service | 12 ++++++++++++
 overrides-c9s.yaml | 3 +++
 4 files changed, 16 insertions(+)
 create mode 100644 overlay.d/50scos/usr/lib/okd/selinux/.keep
 create mode 100644 overlay.d/50scos/usr/lib/systemd/system-presets/50-scos.preset
 create mode 100644 overlay.d/50scos/usr/lib/systemd/system/okd-selinux.service

diff --git a/overlay.d/50scos/usr/lib/okd/selinux/.keep b/overlay.d/50scos/usr/lib/okd/selinux/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/overlay.d/50scos/usr/lib/systemd/system-presets/50-scos.preset b/overlay.d/50scos/usr/lib/systemd/system-presets/50-scos.preset
new file mode 100644
index 00000000..c718368b
--- /dev/null
+++ b/overlay.d/50scos/usr/lib/systemd/system-presets/50-scos.preset
@@ -0,0 +1 @@
+enable okd-selinux.service
diff --git a/overlay.d/50scos/usr/lib/systemd/system/okd-selinux.service b/overlay.d/50scos/usr/lib/systemd/system/okd-selinux.service
new file mode 100644
index 00000000..18a9bf68
--- /dev/null
+++ b/overlay.d/50scos/usr/lib/systemd/system/okd-selinux.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Apply custom SELinux policies in /usr/lib/okd/selinux/*.cil
+Documentation=
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/find /usr/lib/okd/selinux -type f -name '*.cil' -exec /usr/sbin/semodule -i {} \;
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/overrides-c9s.yaml b/overrides-c9s.yaml
index d142ae4d..f600d709 100644
--- a/overrides-c9s.yaml
+++ b/overrides-c9s.yaml
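Review bot: The ExecStart line in okd-selinux.service reports success even when a module fails to install, because find's `-exec … \;` form discards semodule's exit status, so a rejected or malformed CIL leaves the unit active and the boot looking healthy while the intended policy is absent. A loop that stops on the first failure keeps the unit's state honest, e.g. `ExecStart=/bin/sh -ec 'for f in /usr/lib/okd/selinux/*.cil; do /usr/sbin/semodule -i "$f"; done'` together with `ConditionPathExistsGlob=/usr/lib/okd/selinux/*.cil` (so the directory as shipped here, holding only .keep, skips the unit rather than failing it) and `ConditionSecurity=selinux` for hosts booted with SELinux disabled. Since `semodule -i` persists modules in the policy store, a CIL later removed from /usr/lib/okd/selinux presumably stays installed until something removes it; that lifecycle is worth a sentence in the unit's Description or the commit message. The empty `Documentation=` key adds nothing and can be dropped.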
@@ -8,3 +8,6 @@ # - c9s-appstream-mirror #packages: + +ostree-layers: + - overlay/50scos