Volume labeling for SELinux

Open apinter opened this issue 3 years ago • 4 comments

Type of change

  • [ ] Bug fix
  • [ ] New feature development
  • [X] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
  • [ ] Build/deploy pipeline (DevOps)
  • [ ] Other

Objective

Adding SELinux labels for volume mounts making sure that the install can work on distributions with SELinux enabled.

Code changes

  • run.sh: Adding labels to the volume mounts so after docker-compose up SELinux will not block it as an AVC. Example: From this

    docker run -it --rm --name certbot -p 80:80 -v $OUTPUT_DIR/letsencrypt:/etc/letsencrypt/ certbot/certbot \
        certonly --standalone --noninteractive --agree-tos --preferred-challenges http \
        --email $EMAIL -d $DOMAIN --logs-dir /etc/letsencrypt/logs

To this

    docker run -it --rm --name certbot -p 80:80 -v $OUTPUT_DIR/letsencrypt:/etc/letsencrypt/:z certbot/certbot \
        certonly --standalone --noninteractive --agree-tos --preferred-challenges http \
        --email $EMAIL -d $DOMAIN --logs-dir /etc/letsencrypt/logs

Testing requirements

Should not cause any issues on any running deployment.

Before you submit

  • [ ] I have checked for formatting errors (dotnet tool run dotnet-format --check) (required)
  • [ ] If making database changes - I have also updated Entity Framework queries and/or migrations
  • [ ] I have added unit tests where it makes sense to do so (encouraged but not required)
  • [ ] This change requires a documentation update (notify the documentation team)
  • [X] This change has particular deployment requirements (notify the DevOps team)

apinter avatar Jan 18 '22 08:01 apinter

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jan 18 '22 08:01 CLAassistant

@joseph-flinn Do you know if this has any potential negative impact for non SELinux users?

Hinton avatar Jan 21 '22 13:01 Hinton

@Hinton I'm not sure. We'll have to run some tests to verify

joseph-flinn avatar Jan 26 '22 18:01 joseph-flinn

> @Hinton I'm not sure. We'll have to run some tests to verify

Would be more than happy to provide test results. If you have any, please do provide some criteria/requirements for the test. This is how it works for us on a Fedora CoreOS server with SELinux enabled, but I can also spin it up on Ubuntu or on an openSUSE VM that uses AppArmor to make sure. With that said, the label tag is only understood by SELinux, so it shouldn't cause issues. I will be the first to admit that this is not the nicest or most secure solution, but if you're already bind mounting from the host to the container the :z label will solve most of the issues for users who are not using AppArmor out-of-the-box.

apinter avatar Feb 11 '22 18:02 apinter
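An added example, not code from this PR or from the project's run.sh, that speaks to both the `:z` change in the PR description and the question above about non-SELinux hosts: the label is appended only when SELinux is actually loaded, and the helper refuses to relabel a top-level system directory, because `:z` (shared) and `:Z` (private to one container) both make the engine relabel the host directory recursively. The function names `selinux_active` and `volume_spec` are chosen here; `OUTPUT_DIR` is assumed to be the variable run.sh already uses.

```shell
#!/bin/sh
# Added example, not code from the project's run.sh. Builds a docker -v
# argument and appends the SELinux label only when SELinux is loaded on
# the host, so hosts without SELinux keep the unlabeled mount spec.

# 0 when the SELinux LSM is loaded (enforcing or permissive), 1 otherwise.
selinux_active() {
  [ -r /sys/fs/selinux/enforce ] && return 0
  command -v getenforce >/dev/null 2>&1 || return 1
  [ "$(getenforce 2>/dev/null)" != "Disabled" ]
}

# volume_spec HOST_DIR CONTAINER_DIR LABEL ACTIVE
#   LABEL  : z (shared, what the PR uses) or Z (private to one container)
#   ACTIVE : 1 when SELinux is active, 0 otherwise
# Prints HOST_DIR:CONTAINER_DIR[:LABEL]. Returns 1 for an unknown label or
# for a top-level system directory: the engine relabels the host side
# recursively, and relabeling /home or /etc breaks unrelated host processes.
volume_spec() {
  host=$1; ctr=$2; label=$3; active=$4
  case "$label" in
    z|Z) ;;
    *) echo "volume_spec: label must be z or Z, got '$label'" >&2; return 1 ;;
  esac
  if [ "$active" != 1 ]; then
    printf '%s:%s\n' "$host" "$ctr"   # no SELinux: plain bind mount
    return 0
  fi
  norm=$(printf '%s' "$host" | sed 's#/*$##')   # drop trailing slashes
  [ -n "$norm" ] || norm=/
  case "$norm" in
    /|/etc|/home|/usr|/var|/root|/tmp|/run)
      echo "volume_spec: refusing to relabel $norm" >&2; return 1 ;;
  esac
  printf '%s:%s:%s\n' "$host" "$ctr" "$label"
}

# Usage matching the PR's certbot invocation (OUTPUT_DIR comes from run.sh):
#   active=$(selinux_active && echo 1 || echo 0)
#   docker run -it --rm --name certbot -p 80:80 \
#     -v "$(volume_spec "$OUTPUT_DIR/letsencrypt" /etc/letsencrypt/ z "$active")" \
#     certbot/certbot certonly --standalone ...
```

On an AppArmor-only host such as Ubuntu, `selinux_active` returns 1 and the mount spec is emitted exactly as before the PR.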