Soft reboot: Detect SELinux policy deltas #1768
base: main
Conversation
Code Review
This pull request adds a check to prevent soft reboots when there's a change in SELinux policy between the booted and target deployments. This is a valuable safety measure. The implementation introduces a new function check_selinux_policy_for_soft_reboot and integrates it into the soft reboot logic for both staged updates and rollbacks.
My main feedback is on the logic within check_selinux_policy_for_soft_reboot, which I found to be too permissive. It incorrectly allows a soft reboot when one deployment has an SELinux policy and the other does not. This could lead to a system running in an insecure state. I've provided a critical-severity comment with a suggested code change to address this.
7001036 to 770289f
cgwalters
left a comment
I know this raises the bar for landing this, but we really need to have tests when landing changes as a general rule.
We could definitely handle this in a better way, but because right now neither of the two primary test frameworks (GHA and TF) offers an elegant way to have a registry by default (though we could, of course), we end up just building images locally and booting those.
Simplest way to test this is to inject a local selinux policy module, there's various docs online for this.
crates/lib/src/cli.rs (outdated)

```rust
let target_policy = crate::lsm::new_sepolicy_at(&target_fd)?;

// If either deployment doesn't have a policy, we can't compare
// In this case, we'll allow soft reboot (policy will be loaded on boot)
```
I don't think that's true, we should not allow soft reboot in the degenerate case that selinux is enabled in one but not the other.
crates/lib/src/cli.rs (outdated)

```rust
/// Check if SELinux policy differs between booted and target deployments.
/// Returns an error if SELinux is enabled and the policies differ.
#[context("Checking SELinux policy compatibility with soft reboot")]
fn check_selinux_policy_for_soft_reboot(
```
This helps, but I think what we really want is to change has_soft_reboot_capability.
But then that raises the next thing in that in theory this change should go in libostree which has a deployment_can_soft_reboot API which already does checks like this.
OTOH, I don't mind filling it in here either, we can just have a // TODO lower into ostree to start.
The other thing of course related to this is that when we get around to soft reboots + composefs, we'll need similar logic there.
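The check the review converges on (refuse a soft reboot on any policy delta, and also in the degenerate case where only one deployment has a policy), as an added example that is not the PR's code and not bootc's or libostree's own implementation. It assumes the standard on-disk layout, `etc/selinux/config` with a `SELINUXTYPE=` line and `etc/selinux/<type>/policy/policy.<N>`, and compares the binary policy byte-for-byte instead of whatever checksum `crate::lsm::new_sepolicy_at` exposes. `PolicyState`, `SoftRebootVerdict`, `load_policy_state`, `check_soft_reboot_policy` and `make_fake_root` are hypothetical names; `make_fake_root` builds constructed sample roots under the temp directory so the block runs without a real deployment.

```rust
// Added example (not the PR's code): refuse a soft reboot on any SELinux policy delta.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PolicyState {
    pub policy_type: String,   // SELINUXTYPE from etc/selinux/config
    pub policy_path: PathBuf,  // highest policy.<N> for that type, relative to root
    pub policy_bytes: Vec<u8>, // raw binary policy
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SoftRebootVerdict {
    Allowed,
    Denied(String), // why the soft reboot must be refused
}

/// SELINUXTYPE from etc/selinux/config; None if the file is absent or sets no
/// type, which this example treats as "this root has no policy".
fn read_policy_type(root: &Path) -> io::Result<Option<String>> {
    let text = match fs::read_to_string(root.join("etc/selinux/config")) {
        Ok(t) => t,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e),
    };
    Ok(text.lines().map(str::trim)
        .filter(|l| !l.starts_with('#'))
        .find_map(|l| l.strip_prefix("SELINUXTYPE="))
        .map(|v| v.trim().to_string())
        .filter(|v| !v.is_empty()))
}

/// Locate and read the binary policy under `root`; Ok(None) means no policy.
pub fn load_policy_state(root: &Path) -> io::Result<Option<PolicyState>> {
    let policy_type = match read_policy_type(root)? { Some(t) => t, None => return Ok(None) };
    let policy_dir = root.join("etc/selinux").join(&policy_type).join("policy");
    let entries = match fs::read_dir(&policy_dir) {
        Ok(e) => e,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e),
    };
    // Several policy.<N> may coexist; the loader takes the highest version.
    let mut best: Option<(u32, PathBuf)> = None;
    for entry in entries {
        let entry = entry?;
        let name = entry.file_name();
        let ver = name.to_string_lossy().strip_prefix("policy.").and_then(|v| v.parse::<u32>().ok());
        match ver {
            Some(v) if best.as_ref().map_or(true, |(b, _)| v > *b) => best = Some((v, entry.path())),
            _ => {}
        }
    }
    let full = match best { Some((_, p)) => p, None => return Ok(None) };
    let policy_bytes = fs::read(&full)?;
    let policy_path = full.strip_prefix(root).unwrap_or(full.as_path()).to_path_buf();
    Ok(Some(PolicyState { policy_type, policy_path, policy_bytes }))
}

/// Policy is not reloaded across a soft reboot, so allow only when both roots
/// agree byte-for-byte, or when neither has a policy at all.
pub fn check_soft_reboot_policy(booted: &Path, target: &Path) -> io::Result<SoftRebootVerdict> {
    use SoftRebootVerdict::{Allowed, Denied};
    Ok(match (load_policy_state(booted)?, load_policy_state(target)?) {
        (None, None) => Allowed,
        (Some(_), None) => Denied("booted deployment has an SELinux policy, target has none".into()),
        (None, Some(_)) => Denied("target deployment has an SELinux policy, booted has none".into()),
        (Some(b), Some(t)) if b.policy_type != t.policy_type => {
            Denied(format!("SELINUXTYPE differs: booted={} target={}", b.policy_type, t.policy_type))
        }
        (Some(b), Some(t)) if b.policy_bytes != t.policy_bytes => Denied(format!(
            "binary policy differs: {} vs {}", b.policy_path.display(), t.policy_path.display()
        )),
        (Some(_), Some(_)) => Allowed,
    })
}

/// Constructed deployment root under the temp dir (sample data, not a real
/// deployment). `policy_type` None means "no SELinux config at all".
pub fn make_fake_root(name: &str, policy_type: Option<&str>, policy: &[u8]) -> io::Result<PathBuf> {
    let root = std::env::temp_dir()
        .join(format!("selinux-soft-reboot-example-{}", std::process::id())).join(name);
    fs::create_dir_all(root.join("etc/selinux"))?;
    if let Some(t) = policy_type {
        fs::write(root.join("etc/selinux/config"), format!("SELINUX=enforcing\nSELINUXTYPE={}\n", t))?;
        let dir = root.join("etc/selinux").join(t).join("policy");
        fs::create_dir_all(&dir)?;
        fs::write(dir.join("policy.31"), b"stale older version")?; // must be ignored
        fs::write(dir.join("policy.33"), policy)?;
    }
    Ok(root)
}

fn main() -> io::Result<()> {
    let booted = make_fake_root("booted", Some("targeted"), b"policy-v1")?;
    let same = make_fake_root("target-same", Some("targeted"), b"policy-v1")?;
    let delta = make_fake_root("target-delta", Some("targeted"), b"policy-v2")?;
    let none = make_fake_root("target-none", None, b"")?;
    for (label, target) in [("same policy", &same), ("policy delta", &delta), ("no policy", &none)] {
        println!("{}: {:?}", label, check_soft_reboot_policy(&booted, target)?);
    }
    Ok(())
}
```

Two caveats a practitioner would want. First, the booted side is compared from its on-disk policy, which assumes that file still matches what the kernel actually loaded; if policy can be modified at runtime, the loaded policy is what a soft reboot carries over, and that is what should be compared (the kernel exposes it through selinuxfs). Second, the local policy module suggested above as a test vehicle rebuilds the binary policy in the target root, so it is exactly the kind of delta this comparison flags.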
Made some changes pertaining to this.
e9e899e to 3fdbb49
Add check to prevent soft reboot when SELinux policies differ between booted and target deployments, since policy is not reloaded across soft reboots.

Assisted-by: Cursor (Auto)
Signed-off-by: gursewak1997 <[email protected]>
3fdbb49 to dcbe65e
Add check to prevent soft reboot when SELinux policies differ between booted and target deployments, since policy is not reloaded across soft reboots.
Fixes: #1760