diff --git a/.pipelines/templates/e2e-template.yml b/.pipelines/templates/e2e-template.yml
index 52248b10c..34786380f 100644
--- a/.pipelines/templates/e2e-template.yml
+++ b/.pipelines/templates/e2e-template.yml
@@ -421,6 +421,12 @@ stages:
 micVersion: ${{ parameters.micVersion }}
 testSecureBoot: ${{ parameters.testSecureBoot }}
+ # SELinux policy validation — tests update with public policy only
+ - template: stages/testing_selinux/selinux-update-testing.yml
+ parameters:
+ micBuildType: ${{ parameters.micBuildType }}
+ micVersion: ${{ parameters.micVersion }}
+
 # TESTING stages for AZL-VALIDATION
 - ${{ if eq(parameters.stageType, 'azl-validation') }}:
 # VM Testing (host, post_merge)
diff --git a/.pipelines/templates/stages/testing_selinux/selinux-update-testing.yml b/.pipelines/templates/stages/testing_selinux/selinux-update-testing.yml
new file mode 100644
index 000000000..982efd799
--- /dev/null
+++ b/.pipelines/templates/stages/testing_selinux/selinux-update-testing.yml
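Review bot: The new selinux-update-testing template is added at this point in the list without a condition, while the very next entry is gated on `${{ if eq(parameters.stageType, 'azl-validation') }}`; whether this insertion sits inside an enclosing `${{ if }}` is not visible in the hunk, so confirm it is meant to run for every stageType. If it is not, gate it the same way the following block is, with `- ${{ if eq(parameters.stageType, '<intended stage type>') }}:` above the template entry. The enclosing `stages:` list starts before this hunk.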
@@ -0,0 +1,435 @@ +# SELinux Policy Validation Stage +# +# Validates that the public trident-selinux policy (without trident-test-selinux) +# is sufficient for the production systemd-activated update path. +# +# This stage: +# 1. Builds a SELinux-enforcing UKI image with only the public policy +# 2. Installs the image on a QEMU VM via netlaunch +# 3. Runs a single A/B update cycle via trident-update@.service (systemd) +# 4. Verifies the VM rebooted and came back up after the update +# +# The trident-update@.service runs as trident_t via systemd domain transition +# (init_t -> trident_t), which is the production SELinux path. + +parameters: + - name: micBuildType + displayName: MIC Build Type + type: string + values: + - dev + - preview + - release + default: release + + - name: micVersion + displayName: MIC Version + type: string + default: "*.*.*" + +stages: + - template: ../build_image/build-image.yml + parameters: + imageName: trident-selinux-testimage + micBuildType: ${{ parameters.micBuildType }} + micVersion: ${{ parameters.micVersion }} + clones: 2 + + - stage: SELinuxUpdateValidation + displayName: SELinux Policy Update Validation + dependsOn: + - TridentTestImg_trident_selinux_testimage + - BuildingTools + - TridentTestImg_trident_installer + + jobs: + # Run the SELinux update validation test + - job: SELinuxUpdateTest + displayName: SELinux Update Test + timeoutInMinutes: 30 + pool: + type: linux + name: trident-ubuntu-1es-pool-eastus2 + hostArchitecture: amd64 + + variables: + - name: ob_outputDirectory + value: /tmp/selinux_test_logs + - name: ob_artifactBaseName + value: selinux_update_test_$(System.JobAttempt) + + steps: + - template: ../common_tasks/checkout_trident.yml + + - task: DownloadPipelineArtifact@2 + displayName: "Download Go tools" + inputs: + buildType: current + artifactName: go-tools + patterns: | + netlaunch + netlisten + storm-trident + virtdeploy + targetPath: "$(TRIDENT_SOURCE_DIR)/bin" + - bash: chmod +x $(TRIDENT_SOURCE_DIR)/bin/* 
+ displayName: "Make tools executable" + + - task: DownloadPipelineArtifact@2 + displayName: "Download installer ISO" + inputs: + buildType: current + artifactName: trident-installer + targetPath: "$(TRIDENT_SOURCE_DIR)/artifacts/iso" + + - task: DownloadPipelineArtifact@2 + displayName: "Download SELinux test images" + inputs: + buildType: current + artifactName: trident-selinux-testimage + targetPath: "$(TRIDENT_SOURCE_DIR)/artifacts/test-image" + + - bash: | + set -eux + cd artifacts/test-image + + # Rename COSIs to match what usr-verity trident-config.yaml expects + ls -lh + mv *_0.cosi usrverity.cosi + mv *_1.cosi usrverity_v2.cosi + ls -lh + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "Rename COSIs for usr-verity config" + + - template: ../testing_vm/netlaunch-prep.yml + + - template: ../testing_common/trident-prep.yml + parameters: + tridentSourceDirectory: $(TRIDENT_SOURCE_DIR) + tridentConfigPath: $(TRIDENT_SOURCE_DIR)/tests/e2e_tests/trident_configurations/usr-verity + runtimeEnv: host + config: usr-verity + + - bash: | + set -eux + + # Disable virtlogd rollover + echo "max_size = 0" | sudo tee -a /etc/libvirt/virtlogd.conf + sudo systemctl restart virtlogd.socket + + ./tools/virt-deploy create --mem 12 --disks 32,32 + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "Create QEMU VM" + + - bash: | + set -eux + + TRIDENT_CONFIG="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/trident_configurations/usr-verity/trident-config.yaml" + SIGNING_CERT="" + CA_CERT_PATH="$(TRIDENT_SOURCE_DIR)/artifacts/test-image/ca_cert.pem" + if [ -f "$CA_CERT_PATH" ]; then + SIGNING_CERT="--signing-cert $CA_CERT_PATH" + fi + + ./bin/netlaunch \ + --iso ./artifacts/iso/trident-installer.iso \ + --config $(TRIDENT_SOURCE_DIR)/tools/vm-netlaunch.yaml \ + --trident "$TRIDENT_CONFIG" \ + --servefolder ./artifacts/test-image \ + --logstream \ + --trace-file $(TRIDENT_SOURCE_DIR)/trident-selinux-metrics.jsonl \ + --force-color \ + --full-logstream logstream-full.log \ + 
--wait-for-provisioned-state \ + $SIGNING_CERT \ + --port 4000 2>&1 | tee ./selinux-clean-install.log + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "🚀 Install base image via netlaunch" + timeoutInMinutes: 20 + + - bash: | + set -eux + sudo ./bin/storm-trident helper wait-for-login -a \ + --vm-name "$(jq -r '.virtualmachines[0].name' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json)" \ + --artifacts-folder "$(ob_outputDirectory)" + timeoutInMinutes: 5 + condition: succeededOrFailed() + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "📄 Verify VM booted" + + - bash: | + set -eux + HOST_IP=$(jq -r '.virtualmachines[0].ip' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json) + SSH_KEY="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/helpers/key" + + echo "=== Check SELinux is enforcing ===" + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo getenforce' + + echo "=== Verify trident-test-selinux is NOT installed ===" + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo semodule -l | grep trident' + + echo "=== Check trident-update@.service exists ===" + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + 'systemctl cat trident-update@stage.service' + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "🔒 Verify SELinux state" + + - bash: | + set -eux + HOST_IP=$(jq -r '.virtualmachines[0].ip' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json) + SSH_KEY="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/helpers/key" + GATEWAY_IP=$(ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + "ip route | grep default | awk '{print \$3}'") + + echo "=== Start netlisten to serve COSI files ===" + ls -lh artifacts/test-image/ + ./bin/netlisten --force-color \ + -s artifacts/test-image \ + -p 4000 \ + --full-logstream ./netlisten-logstream.log \ + -m ./netlisten-metrics.jsonl > ./netlisten.log 2>&1 & + NETLISTEN_PID=$! 
+ echo "netlisten PID: $NETLISTEN_PID" + + # Wait for netlisten to start listening + NETLISTEN_READY=false + for i in $(seq 1 10); do + if ! kill -0 $NETLISTEN_PID 2>/dev/null; then + echo "##[error]netlisten (PID $NETLISTEN_PID) exited prematurely" + wait $NETLISTEN_PID || true + break + fi + if curl -sf http://localhost:4000/files/ > /dev/null 2>&1; then + echo "netlisten is serving on port 4000" + NETLISTEN_READY=true + break + fi + echo "Waiting for netlisten to start (attempt $i)..." + sleep 2 + done + if [ "$NETLISTEN_READY" != "true" ]; then + echo "##[error]netlisten failed to start after 20 seconds" + cat ./netlisten.log || true + ps aux | grep netlisten || true + ss -tlnp | grep 4000 || true + exit 1 + fi + + echo "=== Create update config from install config ===" + TRIDENT_CONFIG="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/trident_configurations/usr-verity/trident-config.yaml" + + # Start with the install config, replace the image URL for the update COSI + cp "$TRIDENT_CONFIG" /tmp/update-config.yaml + sudo yq -i ".image.url = \"http://${GATEWAY_IP}:4000/files/usrverity_v2.cosi\"" /tmp/update-config.yaml + sudo yq -i '.internalParams.allowUnusedFilesystems = true' /tmp/update-config.yaml + sudo yq -i '.internalParams.uki = true' /tmp/update-config.yaml + sudo yq -i '.internalParams.disableGrubNoprefixCheck = true' /tmp/update-config.yaml + + echo "=== Update config ===" + cat /tmp/update-config.yaml + + echo "=== Copy update config to VM ===" + scp -o StrictHostKeyChecking=no -i "$SSH_KEY" /tmp/update-config.yaml testing-user@$HOST_IP:/tmp/update-config.yaml + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo cp /tmp/update-config.yaml /var/lib/trident/update-config.yaml' + + echo "=== Write update environment file ===" + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + "printf 'UPDATE_CONFIG=/var/lib/trident/update-config.yaml\n' | sudo tee /var/lib/trident/update-env" + + echo "=== Start 
trident-update@stage.service ===" + STAGE_RESULT=0 + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo systemctl start trident-update@stage.service' || STAGE_RESULT=$? + + echo "=== Service journal output ===" + ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo journalctl -u trident-update@stage.service --no-pager' || true + + echo "=== SELinux audit log ===" + timeout 30 ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 -o ServerAliveInterval=5 -o ServerAliveCountMax=3 \ + -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo ausearch -m avc --start recent 2>&1 || echo "No AVC denials found"' || echo "ausearch timed out" + + if [ "$STAGE_RESULT" -ne 0 ]; then + echo "##[error]trident-update@stage.service failed with exit code $STAGE_RESULT" + exit 1 + fi + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "🔄 Run update stage via systemd" + timeoutInMinutes: 10 + + - bash: | + set -eux + HOST_IP=$(jq -r '.virtualmachines[0].ip' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json) + VM_NAME=$(jq -r '.virtualmachines[0].name' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json) + SSH_KEY="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/helpers/key" + + echo "=== Truncate serial log before finalize reboot ===" + SERIAL_LOG=$(sudo virsh dumpxml $VM_NAME | grep -oP "(?<=/dev/null || true + fi + + echo "=== Start netlisten for finalize ===" + # Kill any leftover netlisten from previous step + if pgrep netlisten > /dev/null; then pkill netlisten; fi + ./bin/netlisten --force-color \ + -s artifacts/test-image \ + -p 4000 \ + --full-logstream ./netlisten-finalize-logstream.log \ + -m ./netlisten-finalize-metrics.jsonl > ./netlisten-finalize.log 2>&1 & + for i in $(seq 1 10); do + if curl -sf http://localhost:4000/files/ > /dev/null 2>&1; then break; fi + sleep 2 + done + + echo "=== Start trident-update@finalize.service ===" + # Finalize triggers a reboot, so the SSH connection will drop. 
+ ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=5 -o ServerAliveCountMax=1 \ + -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo systemctl start trident-update@finalize.service' || true + + echo "=== Waiting for VM to reboot ===" + sleep 10 + + sudo ./bin/storm-trident helper wait-for-login -a \ + --vm-name "$(jq -r '.virtualmachines[0].name' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json)" \ + --artifacts-folder "$(ob_outputDirectory)" + + echo "=== Wait for VM network to come up ===" + VM_IP=$(sudo virsh domifaddr $VM_NAME 2>/dev/null | grep -oP '\d+\.\d+\.\d+\.\d+' | head -1) + echo "VM IP: $VM_IP" + for i in $(seq 1 30); do + if ping -c 1 -W 2 $VM_IP > /dev/null 2>&1; then + echo "VM responding to ping (attempt $i)" + break + fi + echo "Waiting for VM network (attempt $i/30)..." + sleep 3 + done + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "🔄 Run update finalize via systemd" + timeoutInMinutes: 10 + + - bash: | + set -eux + VM_NAME=$(jq -r '.virtualmachines[0].name' $(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json) + SSH_KEY="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/helpers/key" + + echo "=== Host-side diagnostics ===" + echo "--- VM domain state ---" + sudo virsh domstate $VM_NAME || true + echo "--- VM domain interfaces ---" + sudo virsh domifaddr $VM_NAME || true + echo "--- Host bridge/network ---" + ip addr show | grep -A2 'virbr\|192.168' || true + echo "--- Host ARP table ---" + arp -an 2>/dev/null || ip neigh show || true + + echo "=== Resolve VM IP after reboot ===" + HOST_IP="" + for i in $(seq 1 30); do + HOST_IP=$(sudo virsh domifaddr $VM_NAME 2>/dev/null | grep -oP '\d+\.\d+\.\d+\.\d+' | head -1) + if [ -n "$HOST_IP" ]; then + echo "VM IP resolved: $HOST_IP (attempt $i)" + break + fi + echo "Waiting for VM IP (attempt $i/30)..." 
+ sleep 5 + done + if [ -z "$HOST_IP" ]; then + echo "##[error]Could not resolve VM IP after reboot" + echo "--- virsh domiflist ---" + sudo virsh domiflist $VM_NAME || true + echo "--- virsh net-dhcp-leases ---" + sudo virsh net-dhcp-leases default || true + echo "--- Last 50 lines of serial log ---" + SERIAL_LOG=$(sudo virsh dumpxml $VM_NAME | grep -oP "(?<=/dev/null || true + exit 1 + fi + + echo "=== Verify connectivity ===" + ping -c 2 -W 3 $HOST_IP || echo "WARNING: ping failed" + + SSH_CMD="ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 -i $SSH_KEY testing-user@$HOST_IP" + + echo "=== Wait for SSH to become available ===" + for i in $(seq 1 30); do + if $SSH_CMD 'echo ssh_ready' 2>/dev/null; then + echo "SSH available after $i attempts" + break + fi + echo "Waiting for SSH (attempt $i/30)..." + sleep 5 + done + + echo "=== Verify VM is up after update ===" + $SSH_CMD 'hostname && uptime' + + echo "=== VM network info ===" + $SSH_CMD 'ip addr show; ip route show' || true + + echo "=== Check SELinux is still enforcing ===" + $SSH_CMD 'sudo getenforce' + + echo "=== SELinux loaded modules ===" + $SSH_CMD 'sudo semodule -l | grep trident' || true + + echo "=== Check for SELinux denials ===" + timeout 30 $SSH_CMD \ + 'sudo ausearch -m avc --start recent 2>&1 || echo "No recent AVC denials"' || echo "ausearch timed out" + + echo "=== Check active volume ===" + $SSH_CMD 'sudo trident get 2>&1 || echo "trident get completed"' + + echo "=== Trident service status ===" + $SSH_CMD 'sudo systemctl status trident.service tridentd.socket trident-update@stage.service trident-update@finalize.service 2>&1' || true + + echo "=== Recent journal (last 50 lines) ===" + $SSH_CMD 'sudo journalctl --no-pager -n 50' || true + + echo "=== SELinux update validation PASSED ===" + workingDirectory: $(TRIDENT_SOURCE_DIR) + displayName: "✅ Validate update succeeded" + timeoutInMinutes: 5 + + - bash: | + set -x + HOST_IP=$(jq -r '.virtualmachines[0].ip' 
$(TRIDENT_SOURCE_DIR)/tools/virt-deploy-metadata.json) + SSH_KEY="$(TRIDENT_SOURCE_DIR)/tests/e2e_tests/helpers/key" + SSH_OPTS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -o ServerAliveInterval=5 -o ServerAliveCountMax=3" + + mkdir -p $(ob_outputDirectory) + cp ./netlisten.log $(ob_outputDirectory)/netlisten.log || true + cp ./netlisten-finalize.log $(ob_outputDirectory)/netlisten-finalize.log || true + ssh $SSH_OPTS -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo ausearch -m avc 2>&1' > $(ob_outputDirectory)/audit-avc.log || true + ssh $SSH_OPTS -i "$SSH_KEY" testing-user@$HOST_IP \ + 'sudo journalctl --no-pager 2>&1' > $(ob_outputDirectory)/journal.log || true + workingDirectory: $(TRIDENT_SOURCE_DIR) + condition: succeededOrFailed() + timeoutInMinutes: 3 + displayName: "📄 Collect logs" + + - bash: | + set -eux + sudo virsh shutdown virtdeploy-vm-0 + mkdir -p $(ob_outputDirectory) + sudo cp /var/lib/libvirt/images/virtdeploy-pool/virtdeploy-vm-0-0-volume.qcow2 $(ob_outputDirectory)/ + sudo zstd -T0 $(ob_outputDirectory)/virtdeploy-vm-0-0-volume.qcow2 + workingDirectory: $(TRIDENT_SOURCE_DIR) + condition: failed() + displayName: "Publish OS disk on failure" + + - template: ../testing_common/fix-output-directory-for-one-branch-step.yml + parameters: + outputDir: $(ob_outputDirectory) + condition: always() diff --git a/Makefile b/Makefile index 36d87dc0d..a7d72c274 100644 --- a/Makefile +++ b/Makefile 
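Review bot: The "🔒 Verify SELinux state" step asserts nothing: `sudo getenforce` only prints its result, and `sudo semodule -l | grep trident` succeeds whenever any module whose name contains "trident" is loaded, so the step passes whether or not trident-test-selinux is present — which is the precondition this whole stage exists to check. Make both hard assertions, e.g. `[ "$(ssh ... 'sudo getenforce')" = "Enforcing" ]` and `! ssh ... 'sudo semodule -l' | grep -qw trident-test` (the module name is `trident-test` per `%global modulename` in the new spec); the post-reboot "Check SELinux is still enforcing" line in "✅ Validate update succeeded" has the same gap. The `ausearch -m avc` calls in the stage and validate steps also only print and never fail the job; if an AVC denial on the systemd update path is supposed to fail this test, exit non-zero when ausearch returns records, otherwise state in the step that denials are informational. Separately, the "Publish OS disk on failure" step hard-codes `virtdeploy-vm-0` while every other step resolves the VM name from virt-deploy-metadata.json via jq; use the same lookup so the two cannot drift.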
@@ -185,7 +185,7 @@ target/azl3/release/trident target/azl3/release/trident-acl-agent: version-vars cargo build --color always --target-dir target/azl3 --release --features dangerous-options,grpc-preview -p trident -p trident-acl-agent # This will do a proper build on azl3, exactly as the pipelines would, with the custom registry and all. -bin/trident-rpms-azl3.tar.gz: packaging/docker/Dockerfile.full packaging/systemd/*.service packaging/rpm/trident.spec artifacts/osmodifier packaging/selinux-policy-trident/* version-vars +bin/trident-rpms-azl3.tar.gz: packaging/docker/Dockerfile.full packaging/systemd/*.service packaging/rpm/trident.spec packaging/rpm/trident-test-selinux.spec artifacts/osmodifier packaging/selinux-policy-trident/* packaging/selinux-policy-trident-test/* version-vars $(eval CARGO_REGISTRIES_BMP_PUBLICPACKAGES_TOKEN := $(shell az account get-access-token --query "join(' ', ['Bearer', accessToken])" --output tsv)) @mkdir -p bin/ @@ -207,7 +207,7 @@ bin/trident-rpms-azl3.tar.gz: packaging/docker/Dockerfile.full packaging/systemd @tar xf $@ -C bin/ # This one does a fast trick-build where we build locally and inject the binary into the container to add it to the RPM. -bin/trident-rpms.tar.gz: packaging/docker/Dockerfile.azl3 packaging/systemd/*.service packaging/rpm/trident.spec artifacts/osmodifier target/release/trident packaging/selinux-policy-trident/* +bin/trident-rpms.tar.gz: packaging/docker/Dockerfile.azl3 packaging/systemd/*.service packaging/rpm/trident.spec packaging/rpm/trident-test-selinux.spec artifacts/osmodifier target/release/trident packaging/selinux-policy-trident/* packaging/selinux-policy-trident-test/* @mkdir -p bin/ @if [ ! -f bin/trident ] || ! cmp -s target/release/trident bin/trident; then \ cp target/release/trident bin/trident; \ 
@@ -844,6 +844,7 @@ bin/trident-mos.iso: \ tests/images/trident-mos/files/* \ tests/images/trident-mos/post-install.sh \ packaging/selinux-policy-trident/* \ + packaging/selinux-policy-trident-test/* \ tools/cmd/rcp-agent/rcp-agent.service \ bin/rcp-agent @echo "Rebuilding Trident MOS ISO: $@ from $< because of: $?" diff --git a/packaging/docker/Dockerfile.azl3 b/packaging/docker/Dockerfile.azl3 index 0365ffae7..aa90cfa85 100644 --- a/packaging/docker/Dockerfile.azl3 +++ b/packaging/docker/Dockerfile.azl3 @@ -7,6 +7,7 @@ RUN tdnf install -y rpmdevtools openssl-devel clang-devel protobuf-devel rust se WORKDIR /work COPY packaging/rpm/trident.spec . +COPY packaging/rpm/trident-test-selinux.spec . COPY packaging ./packaging COPY bin/trident ./target/release/trident COPY artifacts/osmodifier /usr/src/azl/SOURCES/osmodifier @@ -23,4 +24,5 @@ RUN \ --define="trident_version $TRIDENT_VERSION" \ --define="rpm_ver $RPM_VER" \ --define="rpm_rel $RPM_REL" && \ + rpmbuild -bb --build-in-place trident-test-selinux.spec && \ tar -czvf trident-rpms.tar.gz -C /usr/src/azl ./RPMS \ No newline at end of file diff --git a/packaging/docker/Dockerfile.full b/packaging/docker/Dockerfile.full index 078ed812d..b389e646c 100644 --- a/packaging/docker/Dockerfile.full +++ b/packaging/docker/Dockerfile.full @@ -7,6 +7,7 @@ RUN tdnf install -y rpmdevtools openssl-devel clang-devel protobuf-devel rust-1. WORKDIR /work COPY packaging/rpm/trident.spec . +COPY packaging/rpm/trident-test-selinux.spec . COPY packaging ./packaging COPY artifacts/osmodifier /usr/src/azl/SOURCES/osmodifier @@ -35,6 +36,7 @@ RUN --mount=type=secret,id=registry_token \ --define="trident_version $TRIDENT_VERSION" \ --define="rpm_ver $RPM_VER" \ --define="rpm_rel $RPM_REL" && \ + rpmbuild -bb --build-in-place trident-test-selinux.spec && \ tar -czvf trident-rpms.tar.gz -C /usr/src/azl ./RPMS FROM scratch AS artifact 
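Review bot: In both Dockerfile.azl3 and Dockerfile.full the test-only policy RPM is built into the same `/usr/src/azl/RPMS` tree that `tar -czvf trident-rpms.tar.gz -C /usr/src/azl ./RPMS` packs, so the artifact that feeds image builds now carries a package whose own spec says it must NOT be installed in production; any consumer that installs the RPMS directory wholesale, or pulls in every available `*-selinux` package, will presumably pick it up. Consider writing it to a separate output directory (`rpmbuild -bb --build-in-place --define '_rpmdir <separate test RPM dir>' trident-test-selinux.spec`) and a separate tarball, or at least note in the Dockerfiles which consumers must exclude it. The extra `COPY packaging/rpm/trident-test-selinux.spec .` duplicates a file that the following `COPY packaging ./packaging` already brings in; it mirrors the existing trident.spec line, so this is only a style point.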
diff --git a/packaging/rpm/trident-test-selinux.spec b/packaging/rpm/trident-test-selinux.spec
new file mode 100644
index 000000000..4b81f3598
--- /dev/null
+++ b/packaging/rpm/trident-test-selinux.spec
@@ -0,0 +1,65 @@
+# Test-only SELinux policy module for Trident
+#
+# This RPM provides additional SELinux permissions needed only in test/CI
+# environments. It layers on top of the base trident-selinux module and
+# must NOT be installed in production images.
+#
+# Permissions included:
+# - Steamboat/CI exec transition (ci_unconfined_t -> trident_t)
+# - Interactive unconfined transition (for manual debugging)
+
+%global selinuxtype targeted
+%global modulename trident-test
+
+Summary: Trident test-only SELinux policy
+Name: trident-test-selinux
+Version: 1.0.0
+Release: 1%{?dist}
+License: MIT
+Vendor: Microsoft Corporation
+Group: Applications/System
+Distribution: Azure Linux
+BuildArch: noarch
+
+Requires: trident-selinux
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description
+Test-only SELinux policy module for Trident. Provides CI/interactive
+transitions that are not included in the production trident-selinux package.
+This package must NOT be installed in production images.
+
+%build
+mkdir -p selinux
+cp -p packaging/selinux-policy-trident-test/%{modulename}.fc selinux/
+cp -p packaging/selinux-policy-trident-test/%{modulename}.if selinux/
+cp -p packaging/selinux-policy-trident-test/%{modulename}.te selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+
+%install
+install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+
+%files
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}
diff --git a/packaging/rpm/trident.spec b/packaging/rpm/trident.spec
index b5cbd1ee4..60542ee82 100644
--- a/packaging/rpm/trident.spec
+++ b/packaging/rpm/trident.spec
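Review bot: `Requires: trident-selinux` is unversioned, so this module installs against any trident-selinux build even though the header comment says it layers on that policy and transitions into its `trident_t` domain; since this spec has its own `Version: 1.0.0`, pin the base the .te was written against, e.g. `Requires: trident-selinux >= <base policy version>`. If `trident-test.te` consumes interfaces from trident.if, `make -f %{_datadir}/selinux/devel/Makefile` needs that file under the devel include tree at build time, which `BuildRequires: selinux-policy-devel` alone does not supply and the Dockerfiles build (not install) trident-selinux beforehand; the .te is not in this diff, so confirm whether it uses `require { ... }` blocks or interface calls and, if the latter, copy trident.if into `selinux/` in `%build` as well.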
@@ -200,6 +200,147 @@ fi # ------------------------------------------------------------------------------ +%package selinux-raid +Summary: Trident RAID SELinux policy +BuildArch: noarch +Requires: %{name}-selinux +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux-raid +RAID SELinux policy module for Trident. Provides mdadm and bootloader +permissions needed for RAID storage configurations. Only install on +systems that use RAID. + +%files selinux-raid +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-raid.pp.bz2 +%{_datadir}/selinux/devel/include/distributed/%{name}-raid.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-raid + +%pre selinux-raid +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux-raid +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-raid.pp.bz2 + +%postun selinux-raid +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name}-raid +fi + +%posttrans selinux-raid +%selinux_relabel_post -s %{selinuxtype} + +# ------------------------------------------------------------------------------ + +%package selinux-encryption +Summary: Trident encryption & PCRlock SELinux policy +BuildArch: noarch +Requires: %{name}-selinux +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux-encryption +Encryption and PCRlock SELinux policy module for Trident. Provides TPM, +cryptsetup/LUKS, and systemd-pcrphase permissions. Only install on +systems that use encryption or pcrlock features. 
+ +%files selinux-encryption +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-encryption.pp.bz2 +%{_datadir}/selinux/devel/include/distributed/%{name}-encryption.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-encryption + +%pre selinux-encryption +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux-encryption +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-encryption.pp.bz2 + +%postun selinux-encryption +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name}-encryption +fi + +%posttrans selinux-encryption +%selinux_relabel_post -s %{selinuxtype} + +# ------------------------------------------------------------------------------ + +%package selinux-grub +Summary: Trident GRUB & dracut SELinux policy +BuildArch: noarch +Requires: %{name}-selinux +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux-grub +GRUB and dracut SELinux policy module for Trident. Provides bootloader +execution, /boot management, and loadkeys permissions needed for +GRUB-based boot. Not needed on UKI/systemd-boot systems. 
+ +%files selinux-grub +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-grub.pp.bz2 +%{_datadir}/selinux/devel/include/distributed/%{name}-grub.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-grub + +%pre selinux-grub +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux-grub +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-grub.pp.bz2 + +%postun selinux-grub +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name}-grub +fi + +%posttrans selinux-grub +%selinux_relabel_post -s %{selinuxtype} + +# ------------------------------------------------------------------------------ + +%package selinux-cloud-init +Summary: Trident cloud-init SELinux policy +BuildArch: noarch +Requires: %{name}-selinux +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux-cloud-init +Cloud-init SELinux policy module for Trident. Provides permissions for +trident to interact with cloud-init during provisioning, and for +cloud-init to manage files trident creates. Install on any system +that uses cloud-init. 
+ +%files selinux-cloud-init +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-cloud-init.pp.bz2 +%{_datadir}/selinux/devel/include/distributed/%{name}-cloud-init.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-cloud-init + +%pre selinux-cloud-init +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux-cloud-init +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-cloud-init.pp.bz2 + +%postun selinux-cloud-init +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name}-cloud-init +fi + +%posttrans selinux-cloud-init +%selinux_relabel_post -s %{selinuxtype} + +# ------------------------------------------------------------------------------ + %package static-pcrlock-files Summary: Statically defined .pcrlock files Requires: %{name} @@ -244,7 +385,7 @@ export TRIDENT_VERSION="%{trident_version}" %endif cargo build --release -mkdir selinux +mkdir -p selinux cp -p packaging/selinux-policy-trident/trident.fc selinux/ cp -p packaging/selinux-policy-trident/trident.if selinux/ cp -p packaging/selinux-policy-trident/trident.te selinux/ 
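Review bot: All four new subpackages declare `Requires: %{name}-selinux` with no version, yet they are built from this same spec and their modules are compiled against the base policy in the same `%build`; a mismatched base module on the target installs cleanly and only shows up later as runtime denials. Pin them as `Requires: %{name}-selinux = %{version}-%{release}` in selinux-raid, selinux-encryption, selinux-grub and selinux-cloud-init alike. The four blocks are otherwise identical apart from the module suffix, which is acceptable for spec readability; keeping the `%postun` `$1 -eq 0` guard and the `%ghost` path in lockstep across them is then the maintenance burden to watch.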
@@ -252,6 +393,42 @@ cp -p packaging/selinux-policy-trident/trident.te selinux/ make -f %{_datadir}/selinux/devel/Makefile %{name}.pp bzip2 -9 %{name}.pp +# Build RAID SELinux policy module +rm -f selinux/* +cp -p packaging/selinux-policy-trident-raid/trident-raid.fc selinux/ +cp -p packaging/selinux-policy-trident-raid/trident-raid.if selinux/ +cp -p packaging/selinux-policy-trident-raid/trident-raid.te selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{name}-raid.pp +bzip2 -9 %{name}-raid.pp + +# Build encryption SELinux policy module +rm -f selinux/* +cp -p packaging/selinux-policy-trident-encryption/trident-encryption.fc selinux/ +cp -p packaging/selinux-policy-trident-encryption/trident-encryption.if selinux/ +cp -p packaging/selinux-policy-trident-encryption/trident-encryption.te selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{name}-encryption.pp +bzip2 -9 %{name}-encryption.pp + +# Build GRUB SELinux policy module +rm -f selinux/* +cp -p packaging/selinux-policy-trident-grub/trident-grub.fc selinux/ +cp -p packaging/selinux-policy-trident-grub/trident-grub.if selinux/ +cp -p packaging/selinux-policy-trident-grub/trident-grub.te selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{name}-grub.pp +bzip2 -9 %{name}-grub.pp + +# Build cloud-init SELinux policy module +rm -f selinux/* +cp -p packaging/selinux-policy-trident-cloud-init/trident-cloud-init.fc selinux/ +cp -p packaging/selinux-policy-trident-cloud-init/trident-cloud-init.if selinux/ +cp -p packaging/selinux-policy-trident-cloud-init/trident-cloud-init.te selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{name}-cloud-init.pp +bzip2 -9 %{name}-cloud-init.pp + %check # Test the trident variable for the appropriate version %if %{undefined rpm_ver} 
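Review bot: The four build blocks are copy-paste of the same five lines with only the module suffix changed, and each depends on `rm -f selinux/*` having cleared the previous module's sources; a single loop over the suffixes makes the shared clean-tree invariant explicit and removes the chance of one block drifting (the RAID block, for example, is the only place a future edit could forget the `rm`). A rewrite of the added lines is below; the base `%{name}.pp` build above it and the `%check` section below it are unchanged.

```rpm-spec
# Build the optional SELinux policy modules; each one is built from a clean
# selinux/ tree, so the base module's sources are gone after the first pass
# (the base .if is installed from packaging/ in %install for that reason).
for mod in raid encryption grub cloud-init; do
    rm -f selinux/*
    for ext in fc if te; do
        cp -p packaging/selinux-policy-trident-$mod/trident-$mod.$ext selinux/
    done
    make -f %{_datadir}/selinux/devel/Makefile %{name}-$mod.pp
    bzip2 -9 %{name}-$mod.pp
done
```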
@@ -280,7 +457,23 @@ install -D -m 755 target/release/%{name} %{buildroot}/%{_bindir}/%{name}
 # Copy Trident SELinux policy module to /usr/share/selinux/packages
 install -D -m 0644 %{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-install -D -p -m 0644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+install -D -p -m 0644 packaging/selinux-policy-trident/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+
+# Copy Trident RAID SELinux policy module
+install -D -m 0644 %{name}-raid.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-raid.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-raid/%{name}-raid.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-raid.if
+
+# Copy Trident encryption SELinux policy module
+install -D -m 0644 %{name}-encryption.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-encryption.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-encryption/%{name}-encryption.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-encryption.if
+
+# Copy Trident GRUB SELinux policy module
+install -D -m 0644 %{name}-grub.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-grub.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-grub/%{name}-grub.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-grub.if
+
+# Copy Trident cloud-init SELinux policy module
+install -D -m 0644 %{name}-cloud-init.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-cloud-init.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-cloud-init/%{name}-cloud-init.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-cloud-init.if
 mkdir -p %{buildroot}%{_unitdir}
 install -D -m 644 packaging/systemd/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
diff --git a/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.fc b/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.fc new file mode 100644 index 000000000..24e2e33b8 --- /dev/null +++ b/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.fc @@ -0,0 +1,2 @@ +# trident-cloud-init SELinux file contexts +# No additional file contexts needed. diff --git a/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.if b/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.if new file mode 100644 index 000000000..4ea106f78 --- /dev/null +++ b/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.if @@ -0,0 +1,8 @@ +## Cloud-init SELinux interfaces for Trident +## +##

+## This module provides no public interfaces. +## It exists only to satisfy the SELinux build toolchain requirement +## for a .if file alongside the .te and .fc files. +##

+##
diff --git a/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.te b/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.te new file mode 100644 index 000000000..c42772289 --- /dev/null +++ b/packaging/selinux-policy-trident-cloud-init/trident-cloud-init.te 
@@ -0,0 +1,46 @@
+policy_module(trident-cloud-init, 1.0.0)
+
+########################################
+#
+# Cloud-init SELinux policy for Trident
+#
+# This module provides permissions for trident to interact with cloud-init
+# during first-boot provisioning, and for cloud-init to manage files that
+# trident creates. Install on any Azure Linux system that uses cloud-init.
+#
+
+require {
+ type trident_t;
+ type cloud_init_t;
+ type cloud_init_exec_t;
+ type cloud_init_state_t;
+ type unlabeled_t;
+ type usr_t;
+ type udev_t;
+}
+
+#============= trident_t ==============
+# Inspect cloud-init binary and state during provisioning and relabeling.
+allow trident_t cloud_init_exec_t:file getattr;
+allow trident_t cloud_init_state_t:dir { list_dir_perms relabelto };
+allow trident_t cloud_init_state_t:lnk_file read_lnk_file_perms;
+allow trident_t cloud_init_state_t:file getattr;
+
+# Read cloud-init process state to coordinate provisioning sequence.
+ps_process_pattern(trident_t, cloud_init_t)
+
+#============= cloud_init_t ==============
+# Let cloud-init finish first-boot setup on files Trident creates under /usr
+# and unlabeled paths (before relabeling completes).
+allow cloud_init_t unlabeled_t:dir { add_name getattr remove_name search write };
+allow cloud_init_t unlabeled_t:file { create getattr ioctl open read rename write };
+allow cloud_init_t usr_t:dir { add_name create remove_name write };
+
+files_exec_usr_files(cloud_init_t)
+files_manage_usr_files(cloud_init_t)
+
+#============= udev_t ==============
+# Allow udev to use cloud-init file descriptors and FIFOs during device
+# events triggered by Trident storage changes.
+allow udev_t cloud_init_t:fd use;
+allow udev_t cloud_init_t:fifo_file { append write getattr };
diff --git a/packaging/selinux-policy-trident-encryption/trident-encryption.fc b/packaging/selinux-policy-trident-encryption/trident-encryption.fc
new file mode 100644
index 000000000..1541c9ccb
--- /dev/null
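Review bot: The `cloud_init_t` rules grant write, create and rename on every `unlabeled_t` file and directory plus `files_manage_usr_files(cloud_init_t)` over all of `usr_t`, system-wide, while the header recommends installing the module on any cloud-init system; the comment "before relabeling completes" does not tell the reader how wide that grant is or why it cannot be scoped. I would expand it to `# Broad by design: cloud-init must write trident-created files under /usr and files still labelled unlabeled_t after a fresh install; no dedicated file context exists yet (see trident-cloud-init.fc).` and add a TODO to introduce a type for the trident-created paths so the grant can later be narrowed. The cloud-init types are hard-required at the top rather than wrapped in `optional_policy`, so loading this module on an image whose policy lacks `cloud_init_t` fails outright; that matches the header, but a sentence there saying the failure is intentional stops it being read as an oversight. The old inline remark that `ps_process_pattern(trident_t, cloud_init_t)` is equivalent to `cloud_init_read_state(trident_t)` was dropped in the move and is worth restoring next to that line.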
+++ b/packaging/selinux-policy-trident-encryption/trident-encryption.fc @@ -0,0 +1,2 @@ +# trident-encryption SELinux file contexts +# No additional file contexts needed — the base trident module defines all file labels. diff --git a/packaging/selinux-policy-trident-encryption/trident-encryption.if b/packaging/selinux-policy-trident-encryption/trident-encryption.if new file mode 100644 index 000000000..fa9702c8e --- /dev/null +++ b/packaging/selinux-policy-trident-encryption/trident-encryption.if @@ -0,0 +1,8 @@ +## Encryption & PCRlock SELinux interfaces for Trident +## +##

+## This module provides no public interfaces. +## It exists only to satisfy the SELinux build toolchain requirement +## for a .if file alongside the .te and .fc files. +##

+##
diff --git a/packaging/selinux-policy-trident-encryption/trident-encryption.te b/packaging/selinux-policy-trident-encryption/trident-encryption.te new file mode 100644 index 000000000..c6d0cf247 --- /dev/null +++ b/packaging/selinux-policy-trident-encryption/trident-encryption.te 
@@ -0,0 +1,56 @@
+policy_module(trident-encryption, 1.0.0)
+
+########################################
+#
+# Encryption & PCRlock SELinux policy for Trident
+#
+# This module provides additional permissions needed for encrypted volume
+# support (cryptsetup/LUKS) and TPM-based PCR locking. It layers on top
+# of the base trident policy module (trident.pp) and should only be
+# installed on systems that use encryption or pcrlock features.
+#
+
+require {
+ type trident_t;
+ type lvm_t;
+ type initrc_t;
+ type init_t;
+ type tpm_device_t;
+ type tmp_t;
+ type systemd_pcrphase_t;
+ type systemd_pcrphase_exec_t;
+ type tmpfs_t;
+}
+
+#============= trident_t ==============
+# Execute systemd-pcrphase for PCR lock measurements
+allow trident_t systemd_pcrphase_exec_t:file { execute execute_no_trans getattr map open read };
+
+# TPM device access for encryption key operations
+dev_rw_tpm(trident_t)
+
+#============= lvm_t ==============
+# Necessary for Trident to create encrypted volumes
+allow lvm_t trident_t:sem { associate read unix_read unix_write write };
+allow lvm_t initrc_t:sem { associate read unix_read unix_write write };
+
+# Necessary for cryptsetup luksOpen to succeed
+allow lvm_t init_t:key search;
+allow lvm_t tpm_device_t:chr_file write;
+
+# Necessary for veritysetup to be able to read a key file in /tmp
+allow lvm_t tmp_t:file { getattr ioctl open read };
+
+#============= systemd_pcrphase_t ==============
+# Record PCR phase state in tmpfs while measuring encrypted boot progress.
+allow systemd_pcrphase_t tmpfs_t:dir { getattr open read search };
+allow systemd_pcrphase_t tmpfs_t:file { getattr lock open setattr write };
+
+#============= tcsd (TPM daemon) ==============
+# Manage TPM daemon state directories during provisioning.
+optional_policy(`
+ require {
+ type tcsd_var_lib_t;
+ }
+ allow trident_t tcsd_var_lib_t:dir { manage_dir_perms relabelto };
+')
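Review bot: `systemd_pcrphase_t`, `systemd_pcrphase_exec_t` and `tpm_device_t` are hard-required in the top-level `require`, so the module refuses to load on any image whose base policy does not define them, whereas the `tcsd_var_lib_t` rules just below are wrapped in `optional_policy` and silently skipped; the header says the module "should only be installed on systems that use encryption or pcrlock features" but not which of those two failure modes is intended for an encrypted image without pcrlock. I would state it in the header, e.g. `# Loading fails (by design) if the pcrphase or TPM types are absent; only the tcsd rules are optional.`, or move the pcrphase rules into their own `optional_policy` block if encryption-without-pcrlock is a supported target. The `execute_no_trans` on `systemd_pcrphase_exec_t` means pcrphase started by trident keeps running as `trident_t` unless the base module defines a transition, so the `systemd_pcrphase_t` tmpfs rules lower down presumably only matter when systemd launches it; a one-line comment above `#============= systemd_pcrphase_t` saying so stops a reader from assuming the two blocks cover the same invocation.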
diff --git a/packaging/selinux-policy-trident-grub/trident-grub.fc b/packaging/selinux-policy-trident-grub/trident-grub.fc new file mode 100644 index 000000000..012a74899 --- /dev/null +++ b/packaging/selinux-policy-trident-grub/trident-grub.fc @@ -0,0 +1,2 @@ +# trident-grub SELinux file contexts +# No additional file contexts needed — the base trident module defines all file labels. diff --git a/packaging/selinux-policy-trident-grub/trident-grub.if b/packaging/selinux-policy-trident-grub/trident-grub.if new file mode 100644 index 000000000..192d14882 --- /dev/null +++ b/packaging/selinux-policy-trident-grub/trident-grub.if @@ -0,0 +1,8 @@ +## GRUB & dracut SELinux interfaces for Trident +## +##

+## This module provides no public interfaces. +## It exists only to satisfy the SELinux build toolchain requirement +## for a .if file alongside the .te and .fc files. +##

+##
diff --git a/packaging/selinux-policy-trident-grub/trident-grub.te b/packaging/selinux-policy-trident-grub/trident-grub.te
new file mode 100644
index 000000000..75f3e7f6f
--- /dev/null
+++ b/packaging/selinux-policy-trident-grub/trident-grub.te
@@ -0,0 +1,46 @@
+policy_module(trident-grub, 1.0.0)
+
+########################################
+#
+# GRUB & dracut SELinux policy for Trident
+#
+# This module provides additional permissions needed for GRUB-based boot
+# management and dracut initrd regeneration. It layers on top of the base
+# trident policy module (trident.pp) and should only be installed on
+# systems that use GRUB as their bootloader (not UKI/systemd-boot).
+#
+
+require {
+ type trident_t;
+ type boot_t;
+}
+
+#============= trident_t ==============
+# Execute bootloader tools (grub-install, grub-mkconfig, etc.)
+bootloader_exec(trident_t)
+
+# Manage /boot directory (kernel, initrd, grub configs)
+allow trident_t boot_t:dir { mounton create relabelto };
+allow trident_t boot_t:file relabelto;
+
+# Create and manage boot directories and files
+files_create_boot_dirs(trident_t)
+files_manage_boot_files(trident_t)
+
+#============= loadkeys_t ==============
+# loadkeys is used during dracut initrd generation for console keyboard config.
+optional_policy(`
+ require {
+ type trident_t;
+ type loadkeys_exec_t;
+ }
+ allow trident_t loadkeys_exec_t:file { execute getattr map open read relabelto setattr unlink write };
+')
+optional_policy(`
+ require {
+ type trident_t;
+ type loadkeys_t;
+ }
+ files_read_default_symlinks(loadkeys_t)
+ fs_search_tmpfs(loadkeys_t)
+')
diff --git a/packaging/selinux-policy-trident-raid/trident-raid.fc b/packaging/selinux-policy-trident-raid/trident-raid.fc
new file mode 100644
index 000000000..1a8d6d49e
--- /dev/null
+++ b/packaging/selinux-policy-trident-raid/trident-raid.fc
@@ -0,0 +1,2 @@
+# trident-raid SELinux file contexts
+# No additional file contexts needed — the base trident module defines all file labels.
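Review bot: Both `optional_policy` blocks in trident-grub.te re-declare `type trident_t;` in their inner `require`, which is redundant now that the module's top-level `require` already declares it (in the base file those blocks were far from the header, here they are not); the two inner `type trident_t;` lines can go. The banner `#============= loadkeys_t ==============` sits above a rule whose subject is `trident_t` acting on `loadkeys_exec_t`; only the second block is about `loadkeys_t`, so either rename the banner to `#============= trident_t (loadkeys) ==============` or move the `loadkeys_exec_t` rule up under the trident_t section. The header's "not UKI/systemd-boot" restriction reads as a loadability constraint, but `boot_t` is a core files type and the module will presumably load on UKI images too; saying the restriction is about least privilege rather than load failure makes the intent clear.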
diff --git a/packaging/selinux-policy-trident-raid/trident-raid.if b/packaging/selinux-policy-trident-raid/trident-raid.if new file mode 100644 index 000000000..d97bcdc1c --- /dev/null +++ b/packaging/selinux-policy-trident-raid/trident-raid.if @@ -0,0 +1,8 @@ +## RAID SELinux interfaces for Trident +## +##

+## This module provides no public interfaces. +## It exists only to satisfy the SELinux build toolchain requirement +## for a .if file alongside the .te and .fc files. +##

+##
diff --git a/packaging/selinux-policy-trident-raid/trident-raid.te b/packaging/selinux-policy-trident-raid/trident-raid.te
new file mode 100644
index 000000000..546d4b5a1
--- /dev/null
+++ b/packaging/selinux-policy-trident-raid/trident-raid.te
@@ -0,0 +1,32 @@
+policy_module(trident-raid, 1.0.0)
+
+########################################
+#
+# RAID SELinux policy for Trident
+#
+# This module provides additional permissions needed for RAID support.
+# It layers on top of the base trident policy module (trident.pp)
+# and should only be installed on systems that use RAID storage.
+#
+
+require {
+ type trident_t;
+ type bootloader_t;
+}
+
+# Allow trident to execute mdadm, manage its unit files, and write to
+# its runtime directory.
+optional_policy(`
+ require {
+ type mdadm_exec_t;
+ type mdadm_unit_t;
+ type mdadm_runtime_t;
+ }
+ allow trident_t mdadm_exec_t:file { open read getattr map relabelto setattr unlink write execute execute_no_trans };
+ allow trident_t mdadm_unit_t:file { getattr open read relabelto setattr unlink };
+ allow trident_t mdadm_runtime_t:dir { add_name remove_name search write };
+ raid_manage_mdadm_runtime_files(trident_t)
+')
+
+# List the contents of generic tmpfs directories; required for RAID
+fs_list_tmpfs(bootloader_t)
diff --git a/packaging/selinux-policy-trident-test/trident-test.fc b/packaging/selinux-policy-trident-test/trident-test.fc
new file mode 100644
index 000000000..641837cd4
--- /dev/null
+++ b/packaging/selinux-policy-trident-test/trident-test.fc
@@ -0,0 +1,2 @@
+# trident-test SELinux file contexts
+# No additional file contexts needed — the base trident module defines all file labels.
diff --git a/packaging/selinux-policy-trident-test/trident-test.if b/packaging/selinux-policy-trident-test/trident-test.if
new file mode 100644
index 000000000..5cf60757e
--- /dev/null
+++ b/packaging/selinux-policy-trident-test/trident-test.if
@@ -0,0 +1,8 @@
+## Test-only SELinux interfaces for Trident
+##
+##
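Review bot: The mdadm rules in trident-raid.te are wrapped in `optional_policy`, so on an image whose policy lacks the `mdadm_*` types the module loads successfully with only the `bootloader_t` tmpfs rule in effect; for a module whose header says it "should only be installed on systems that use RAID storage", that turns a packaging mistake (RAID subpackage without the mdadm policy) into a silent no-op that only surfaces as AVC denials at runtime. If RAID hosts always ship the mdadm policy, moving the three types into the top-level `require` makes the mismatch a load-time error instead; if they do not, say in the header that the block is deliberately optional. The explicit `allow trident_t mdadm_runtime_t:dir { add_name remove_name search write }` presumably overlaps with `raid_manage_mdadm_runtime_files(trident_t)` on the next line; if the interface already covers those dir perms on the target policy version the explicit rule can go, otherwise a comment naming the perm the interface lacks justifies keeping both.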

+## This module provides no public interfaces. +## It exists only to satisfy the SELinux build toolchain requirement +## for a .if file alongside the .te and .fc files. +##

+##
diff --git a/packaging/selinux-policy-trident-test/trident-test.te b/packaging/selinux-policy-trident-test/trident-test.te
new file mode 100644
index 000000000..e6c094a06
--- /dev/null
+++ b/packaging/selinux-policy-trident-test/trident-test.te
@@ -0,0 +1,40 @@
+policy_module(trident-test, 1.0.0)
+
+########################################
+#
+# Test-only SELinux policy for Trident
+#
+# This module provides additional permissions needed only in test/CI
+# environments. It layers on top of the base trident policy module
+# (trident.pp) and must NOT be installed in production images.
+#
+# Permissions included:
+# - Steamboat/CI exec transition (ci_unconfined_t -> trident_t)
+# - Interactive unconfined transition (for manual debugging)
+#
+
+require {
+ type trident_t;
+ type trident_exec_t;
+}
+
+# Defines transition from ci_unconfined_t to trident_t when Steamboat executes Trident, as well as
+# specific permissions necessary for Steamboat testing
+optional_policy(`
+ require {
+ type ci_unconfined_t;
+ role ci_unconfined_r;
+ }
+ type_transition ci_unconfined_t trident_exec_t:process trident_t;
+ allow ci_unconfined_t trident_exec_t:file { getattr open read execute };
+ allow trident_t trident_exec_t:file entrypoint;
+ role ci_unconfined_r types trident_t;
+
+ allow trident_t ci_unconfined_t:fd use;
+ seutil_run_setfiles(trident_t, ci_unconfined_r);
+')
+
+# Allow transition between unconfined_t and trident_t domains; necessary for an interactive run
+optional_policy(`
+ unconfined_run_to(trident_t, trident_exec_t)
+')
diff --git a/packaging/selinux-policy-trident/trident.te b/packaging/selinux-policy-trident/trident.te
index 0467330cb..2496d485c 100644
--- a/packaging/selinux-policy-trident/trident.te
+++ b/packaging/selinux-policy-trident/trident.te
@@ -27,9 +27,7 @@ require {
 type auditctl_exec_t;
 type auditd_exec_t;
 type auditd_unit_t;
- type boot_t;
 type bpf_t;
- type bootloader_t;
 type chfn_exec_t;
 type chkpwd_exec_t;
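Review bot: `allow trident_t trident_exec_t:file entrypoint;` now lives only inside the CI `optional_policy` block of trident-test.te, yet a systemd-started trident (the non-test path this commit is meant to validate) needs an entrypoint grant on `trident_exec_t` as well; that grant must therefore come from the base module (an init/domain-entry interface not visible in this diff), otherwise the domain transition would fail in enforcing mode with the public policy alone. If the base module does provide it, the line here is redundant and a comment such as `# entrypoint is granted by the base module; repeated here only for self-containment` (or removing it) prevents a reader from concluding that the test module is what makes the binary executable as `trident_t`. The header's "must NOT be installed in production images" is enforced only by convention; if this module is packaged, naming the subpackage in the header lets the production validation stage assert its absence.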
@@ -148,8 +146,6 @@ require { type systemd_networkd_runtime_t; type systemd_notify_exec_t; type systemd_passwd_agent_exec_t; - type systemd_pcrphase_t; - type systemd_pcrphase_exec_t; type systemd_pstore_exec_t; type systemd_resolved_exec_t; type systemd_rfkill_exec_t; 
@@ -207,34 +203,18 @@ typeattribute trident_t can_change_object_identity; # Defines transition from trident_t to fsadm_t domain when Trident executes fsadm tool (i.e. mkfs) type_transition trident_t fsadm_exec_t:process fsadm_t; -# Defines transition from ci_unconfined_t to trident_t when Steamboat executes Trident, as well as -# specific permissions necessary for Steamboat testing -optional_policy(` - require { - type ci_unconfined_t; - role ci_unconfined_r; - } - type_transition ci_unconfined_t trident_exec_t:process trident_t; - allow ci_unconfined_t trident_exec_t:file { getattr open read execute }; - allow trident_t trident_exec_t:file entrypoint; - role ci_unconfined_r types trident_t; +# NOTE: Test-only transitions (Steamboat CI and interactive unconfined) have been +# moved to the trident-test SELinux module (packaging/selinux-policy-trident-test/). +# They are NOT included in the production trident-selinux RPM. - allow trident_t ci_unconfined_t:fd use; - seutil_run_setfiles(trident_t, ci_unconfined_r); -') - -# Allow transition between unconfined_t and trident_t domains; necessary for an interactive run -optional_policy(` - unconfined_run_to(trident_t, trident_exec_t) -') #============= trident_t ============== # Gives trident_t the following elevated privileges: # dac_override and dac_read_search - allow access files and directories without necessary DAC permissions # sys_ptrace - allow trident_t to trace or debug other processes # sys_rawio - allow trident_t to perform I/O operations directly on hardware devices +# Core runtime permissions for provisioning, storage orchestration, network reconfiguration, and host updates. 
allow trident_t self:capability { dac_override dac_read_search sys_ptrace sys_rawio }; - allow trident_t self:alg_socket { accept bind create read write }; allow trident_t self:capability { audit_write chown mknod net_admin sys_chroot sys_resource sys_admin fowner fsetid sys_boot ipc_lock sys_nice linux_immutable sys_module setgid setuid }; allow trident_t self:fifo_file manage_fifo_file_perms; @@ -259,6 +239,7 @@ allow trident_t trident_var_lib_t:file { getattr setattr create open read write # Allow Trident to relabel its executable allow trident_t trident_exec_t:file relabelto; +# Inspect service metadata and package state Trident encounters while reconciling a host image. allow trident_t audit_spool_t:dir { getattr open read relabelto }; allow trident_t auditctl_exec_t:file getattr; allow trident_t auditd_exec_t:file getattr; @@ -267,8 +248,8 @@ allow trident_t auditd_unit_t:file getattr; allow trident_t admin_passwd_exec_t:file getattr; allow trident_t anacron_exec_t:file getattr; allow trident_t audisp_remote_exec_t:file getattr; -allow trident_t boot_t:dir { mounton create relabelto }; -allow trident_t boot_t:file relabelto; +# NOTE: boot_t permissions have been moved to the trident-grub SELinux module +# (packaging/selinux-policy-trident-grub/). allow trident_t bpf_t:dir search; optional_policy(` require { @@ -298,6 +279,7 @@ allow trident_t crack_db_t:dir { getattr open search read }; allow trident_t crack_db_t:file getattr; allow trident_t crack_db_t:lnk_file getattr; allow trident_t crack_exec_t:file getattr; +# Traverse mixed filesystem labels and home roots while relabeling provisioned files. allow trident_t cron_spool_t:dir { read relabelto }; allow trident_t crond_unit_t:file { getattr read open ioctl }; allow trident_t dbusd_unit_t:file getattr; 
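Review bot: The `@@ -207` hunk drops `allow trident_t self:alg_socket { accept bind create read write };` together with the test-only transitions, but none of the new sub-modules picks it up and the NOTE above mentions only the moved transitions, so this is an unrelated tightening with no explanation. If trident no longer opens AF_ALG sockets (kernel crypto API), say so next to the NOTE, e.g. `# alg_socket removed — trident no longer uses AF_ALG`; if it still does, the first such call in enforcing mode fails with an AVC denial that the new update test may not exercise. Either way the removal deserves a line in the commit description. The added comment `# Core runtime permissions for provisioning, storage orchestration, network reconfiguration, and host updates.` is inserted between the per-capability explanation and the `allow trident_t self:capability` rule it explains; placing the summary directly under the `#============= trident_t` banner keeps the capability comments adjacent to their rule.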
@@ -338,6 +320,7 @@ optional_policy(` allow trident_t groupadd_exec_t:file getattr; allow trident_t home_root_t:dir { mounton read relabelto add_name create relabelfrom setattr write }; allow trident_t home_root_t:file { create getattr ioctl open relabelfrom setattr read write }; +# Reach init, kernel, storage, and proxy helpers while applying OS updates and customizations. allow trident_t http_cache_port_t:tcp_socket name_connect; # Allow Trident to initiate connection to HTTP proxy port allow trident_t http_port_t:tcp_socket name_connect; allow trident_t init_exec_t:file { execute getattr map open read relabelto setattr unlink write }; @@ -414,6 +397,7 @@ optional_policy(` } allow trident_t oddjob_mkhomedir_exec_t:file getattr; ') +# Update procfs state, accounts, and SSH assets during provisioning and repair flows. allow trident_t power_unit_t:file { getattr open read relabelto setattr unlink }; allow trident_t proc_t:dir read; allow trident_t proc_t:file { getattr open read ioctl }; @@ -460,6 +444,7 @@ allow trident_t sshd_key_t:file { getattr manage_file_perms }; # Allow Trident t allow trident_t sshd_keygen_unit_t:file getattr; allow trident_t sshd_unit_t:file getattr; allow trident_t sulogin_exec_t:file { execute getattr map open read relabelto setattr unlink write }; +# Run sysctl and systemd helpers while regenerating host configuration after an update. allow trident_t sysctl_fs_t:dir search; allow trident_t sysctl_fs_t:file { getattr ioctl open read }; allow trident_t sysctl_kernel_t:dir search; 
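Review bot: The banner comments added in this and the later comment-only hunks ("Reach init, kernel, storage, and proxy helpers ...", "Update procfs state, accounts, and SSH assets ...", "Run sysctl and systemd helpers ...") are dropped into alphabetically sorted rule lists at arbitrary points, so they do not describe the lines they precede: `http_cache_port_t` is neither an init nor a kernel helper, and the `power_unit_t` rule is not procfs state. Either place each comment above the single rule it explains, as the pre-existing inline style does (`# Allow Trident to initiate connection to HTTP proxy port`), or keep one section summary under the `#============= trident_t` banner and drop the scattered ones. The same applies in `@@ -517`, `@@ -759`, `@@ -771`, `@@ -787`, `@@ -816`, `@@ -834`, `@@ -1041` and `@@ -1103`, and in `@@ -925` the comment about managing EFI variables and loop-backed images is placed above `role unconfined_r types fsadm_t;`, which it does not describe. In `@@ -700` the NOTE that `files_manage_boot_files` moved to trident-grub appears twice, three lines apart; one copy should go. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker on the last hunk shows.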
@@ -505,7 +490,8 @@ allow trident_t systemd_networkd_runtime_t:dir { add_name getattr open read remo allow trident_t systemd_networkd_runtime_t:file { create getattr open read rename setattr unlink write }; allow trident_t systemd_notify_exec_t:file getattr; allow trident_t systemd_passwd_agent_exec_t:file { execute getattr map open read relabelto setattr unlink write }; -allow trident_t systemd_pcrphase_exec_t:file { execute execute_no_trans getattr map open read }; +# NOTE: systemd_pcrphase_exec_t permissions have been moved to the +# trident-encryption SELinux module (packaging/selinux-policy-trident-encryption/). allow trident_t pstore_t:dir search; allow trident_t systemd_pstore_exec_t:file { execute getattr }; allow trident_t systemd_resolved_exec_t:file { execute getattr }; @@ -517,6 +503,7 @@ allow trident_t systemd_stdio_bridge_exec_t:file getattr; allow trident_t systemd_sysctl_exec_t:file { execute getattr map open read relabelto setattr unlink write }; allow trident_t systemd_sysusers_exec_t:file { execute getattr map open read relabelto setattr unlink write }; allow trident_t systemd_tmpfiles_exec_t:file { execute getattr map open read relabelto setattr unlink write }; +# Manage transient, unlabeled, and /usr-/var-backed content Trident creates during upgrades. allow trident_t systemd_unit_t:dir { read add_name create write reparent rename setattr relabelfrom }; allow trident_t systemd_unit_t:file { getattr ioctl link open read relabelto relabelfrom rename setattr unlink write create }; allow trident_t systemd_unit_t:lnk_file { getattr read create relabelfrom }; 
@@ -569,19 +556,14 @@ allow trident_t var_run_t:sock_file write; allow trident_t var_spool_t:dir relabelto; allow trident_t wtmp_t:file relabelto; -# Optional policies for modifying cloud-init settings -optional_policy(` - require { - type cloud_init_exec_t; - type cloud_init_state_t; - } - allow trident_t cloud_init_exec_t:file getattr; - allow trident_t cloud_init_state_t:dir { list_dir_perms relabelto }; - allow trident_t cloud_init_state_t:lnk_file read_lnk_file_perms; - allow trident_t cloud_init_state_t:file getattr; -') +# NOTE: cloud-init policies have been moved to the trident-cloud-init SELinux +# module (packaging/selinux-policy-trident-cloud-init/). -# Policies below must be optional for Steamboat +# Optional policies for types that may not exist on all images. +# Trident encounters these files/dirs during OS provisioning and relabeling. +# These types are defined by packages that may or may not be installed +# (e.g., bluetooth, colord, dhcpd). The policies are optional so SELinux +# ignores them when the referenced types don't exist on the target system. optional_policy(` require { type trident_t; 
@@ -603,41 +585,30 @@ optional_policy(` } allow trident_t dhcpd_unit_t:file getattr; ') -optional_policy(` - require { - type trident_t; - type loadkeys_exec_t; - } - allow trident_t loadkeys_exec_t:file { execute getattr map open read relabelto setattr unlink write }; -') -optional_policy(` - require { - type trident_t; - type mdadm_exec_t; - type mdadm_unit_t; - type mdadm_runtime_t; - } - allow trident_t mdadm_exec_t:file { open read getattr map relabelto setattr unlink write execute execute_no_trans }; - allow trident_t mdadm_unit_t:file { getattr open read relabelto setattr unlink }; - allow trident_t mdadm_runtime_t:dir { add_name remove_name search write }; - raid_manage_mdadm_runtime_files(trident_t) -') +# NOTE: loadkeys_exec_t permissions have been moved to the trident-grub +# SELinux module (packaging/selinux-policy-trident-grub/). + +# NOTE: RAID policies (mdadm) have been moved to the trident-raid SELinux +# module (packaging/selinux-policy-trident-raid/). Install the +# trident-selinux-raid package on systems that use RAID storage. #============= interfaces ============== ########################################### # Authentication and User Management ########################################### +# Manage users, passwords, and home directories during OS provisioning. auth_create_faillog_files(trident_t) auth_exec_pam(trident_t) auth_login_entry_type(trident_t) auth_read_lastlog(trident_t) auth_read_login_records(trident_t) +# Inspect GPG agent binary and secrets during filesystem relabeling. optional_policy(` require { type gpg_agent_exec_t; type gpg_secret_t; } - allow trident_t gpg_agent_exec_t:file { getattr open read execute entrypoint map }; + allow trident_t gpg_agent_exec_t:file { getattr open read map }; allow trident_t gpg_secret_t:dir list_dir_perms; allow trident_t gpg_secret_t:file read_file_perms; allow trident_t gpg_secret_t:lnk_file read_lnk_file_perms; 
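Review bot: The narrowed rule `allow trident_t gpg_agent_exec_t:file { getattr open read map };` still grants `open`, `read` and `map` on the binary even though the new comment says the access is for inspection during filesystem relabeling, for which `getattr` is what the neighbouring `*_exec_t:file getattr` rules grant; dropping `execute` and `entrypoint` is a real least-privilege improvement, but if the remaining three perms survive only because audit2allow once listed them, trimming to `getattr` makes the rule match the comment, and if something does read the file the comment should name it. The same pattern is repeated in the chronyd and logrotate blocks (`@@ -653`, `@@ -685`) and in the sudo and kadmind blocks (`@@ -875`), where the comment "Inspect ... binary during filesystem relabeling" is paired with `{ getattr open read map }`. The `gpg_secret_t:file read_file_perms` rule below is pre-existing, but the same question applies: relabeling a user's secret keyring does not require reading it, so a comment stating why read access is needed would make the grant auditable.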
@@ -653,14 +624,16 @@ userdom_relabelto_user_home_dirs(trident_t) ########################################### # System Services and Daemons ########################################### -bootloader_exec(trident_t) +# Start helpers and inspect daemon state while Trident configures host services. +# NOTE: bootloader_exec moved to trident-grub SELinux module. +# Inspect chronyd binary and config during filesystem relabeling. optional_policy(` require { type chronyd_exec_t; type chronyd_etc_t; type chronyd_keys_t; } - allow trident_t chronyd_exec_t:file { getattr open read execute execute_no_trans map }; + allow trident_t chronyd_exec_t:file { getattr open read map }; allow trident_t chronyd_etc_t:dir list_dir_perms; allow trident_t chronyd_etc_t:file read_file_perms; allow trident_t chronyd_keys_t:file read_file_perms; @@ -685,11 +658,12 @@ domain_read_all_domains_state(trident_t) hostname_exec(trident_t) init_domtrans(trident_t) init_rw_stream_sockets(trident_t) +# Inspect logrotate binary during filesystem relabeling. optional_policy(` require { type logrotate_exec_t; } - allow trident_t logrotate_exec_t:file { getattr open read execute execute_no_trans map }; + allow trident_t logrotate_exec_t:file { getattr open read map }; ') ssh_domtrans(trident_t) ssh_domtrans_keygen(trident_t) 
@@ -700,22 +674,17 @@ systemd_read_user_runtime_units_files(trident_t) systemd_dbus_chat_logind(trident_t) systemd_read_user_unit_files(trident_t) -# Optional read access to cloud init state -optional_policy(` - require { - type cloud_init_t; - } - ps_process_pattern(trident_t, cloud_init_t) # equivalent to cloud_init_read_state(trident_t) -') +# NOTE: cloud-init process state reading moved to trident-cloud-init SELinux module. ########################################### # File System Operations ########################################### -files_create_boot_dirs(trident_t) +# Read, mount, and relabel filesystems while staging A/B updates and extensions. +# NOTE: files_create_boot_dirs and files_manage_boot_files moved to trident-grub SELinux module. files_list_kernel_modules(trident_t) files_list_spool(trident_t) files_list_var(trident_t) -files_manage_boot_files(trident_t) +# NOTE: files_manage_boot_files moved to trident-grub SELinux module. files_manage_etc_dirs(trident_t) files_manage_etc_symlinks(trident_t) files_mounton_runtime_dirs(trident_t) @@ -759,6 +728,7 @@ mount_list_runtime(trident_t) ########################################### # Network Management ########################################### +# Reconfigure host networking, DHCP data, and firewall rules during provisioning. iptables_exec(trident_t) iptables_read_config(trident_t) iptables_status(trident_t) @@ -771,6 +741,7 @@ sysnet_write_config(trident_t) ########################################### # Storage Management ########################################### +# Manage loop, LVM, and filesystem helpers while laying down root and extension volumes. dev_rw_loop_control(trident_t) dev_rw_lvm_control(trident_t) lvm_exec(trident_t) 
@@ -787,6 +758,7 @@ storage_raw_write_fixed_disk(trident_t) ########################################### # SELinux Management ########################################### +# Relabel updated filesystem content and reload policy after provisioning or upgrade steps. corecmd_relabel_bin_files(trident_t) files_relabel_etc_files(trident_t) files_relabel_kernel_modules(trident_t) @@ -816,6 +788,7 @@ udev_relabel_rules_files(trident_t) ########################################### # Package Management ########################################### +# Read and update RPM metadata while installing or validating host packages. optional_policy(` require { type rpm_exec_t; @@ -834,6 +807,7 @@ optional_policy(` ########################################### # Device Management ########################################### +# Discover hardware and adjust device state as Trident prepares storage and boot media. corenet_getattr_ppp_dev(trident_t) corenet_read_tun_tap_dev(trident_t) dev_getattr_acpi_bios_dev(trident_t) @@ -860,7 +834,7 @@ dev_read_urand(trident_t) dev_relabelfrom_generic_chr_files(trident_t) dev_relabelfrom_vfio_dev(trident_t) dev_rw_nvram(trident_t) -dev_rw_tpm(trident_t) +# NOTE: dev_rw_tpm moved to trident-encryption SELinux module. dev_rw_vhost(trident_t) dev_search_sysfs(trident_t) dev_write_sysfs(trident_t) 
@@ -875,23 +849,26 @@ udev_read_state(trident_t) ########################################### # System Command Execution ########################################### +# Execute core host utilities in place during provisioning and customization workflows. +# Inspect sudo binary during filesystem relabeling. optional_policy(` require { type sudo_exec_t; } - allow trident_t sudo_exec_t:file { getattr open read execute execute_no_trans map }; + allow trident_t sudo_exec_t:file { getattr open read map }; ') corecmd_manage_bin_files(trident_t) corecmd_bin_entry_type(trident_t) corecmd_shell_entry_type(trident_t) corecmd_search_bin(trident_t) corecmd_exec_bin(trident_t) +# Inspect kerberos binary and config during filesystem relabeling. optional_policy(` require { type kadmind_exec_t; type krb5_conf_t; } - allow trident_t kadmind_exec_t:file { getattr open read execute execute_no_trans map }; + allow trident_t kadmind_exec_t:file { getattr open read map }; allow trident_t krb5_conf_t:dir list_dir_perms; allow trident_t krb5_conf_t:file read_file_perms; ') @@ -904,16 +881,12 @@ optional_policy(` } allow trident_t uuidd_var_lib_t:dir manage_dir_perms; ') -optional_policy(` - require { - type tcsd_var_lib_t; - } - allow trident_t tcsd_var_lib_t:dir { manage_dir_perms relabelto }; -') +# NOTE: tcsd_var_lib_t moved to trident-encryption SELinux module (TPM-related). ########################################### # Logging and Monitoring ########################################### +# Read existing logs and emit diagnostics for servicing operations. logging_read_audit_config(trident_t) logging_read_audit_log(trident_t) logging_relabelto_devlog_sock_files(trident_t) 
@@ -925,49 +898,34 @@ logging_manage_generic_logs(trident_t) ########################################### # Miscellaneous ########################################### +# Read optional platform assets that may appear on different image variants. optional_policy(` miscfiles_read_generic_tls_privkey(trident_t) ') -optional_policy(` - miscfiles_read_man_pages(trident_t) -') +# NOTE: miscfiles_read_man_pages removed — audit2allow artifact, trident +# does not read man pages. optional_policy(` miscfiles_read_localization(trident_t) ') optional_policy(` miscfiles_read_generic_certs(trident_t) ') -optional_policy(` - require { - type xkb_var_lib_t; - } - allow trident_t xkb_var_lib_t:dir list_dir_perms; - allow trident_t xkb_var_lib_t:file read_file_perms; - allow trident_t xkb_var_lib_t:lnk_file read_lnk_file_perms; -') +# NOTE: xkb_var_lib_t removed — audit2allow artifact, trident does not +# configure keyboard layouts. #################### # # Additional permissions given to external domains # #============= bootloader_t ============== -# List the contents of generic tmpfs directories; required for RAID -fs_list_tmpfs(bootloader_t) +# NOTE: bootloader_t tmpfs access for RAID has been moved to the trident-raid +# SELinux module (packaging/selinux-policy-trident-raid/). #============= cloud_init_t ============== -optional_policy(` - require { - type cloud_init_t; - } - allow cloud_init_t unlabeled_t:dir { add_name getattr remove_name search write }; - allow cloud_init_t unlabeled_t:file { create getattr ioctl open read rename write }; - allow cloud_init_t usr_t:dir { add_name create remove_name write }; - - files_exec_usr_files(cloud_init_t) - files_manage_usr_files(cloud_init_t) -') +# NOTE: cloud_init_t policies moved to trident-cloud-init SELinux module. #============= fsadm_t ============== +# Allow mkfs/fsadm helpers spawned by Trident to manage EFI variables and loop-backed extension images. role unconfined_r types fsadm_t; # Get the attributes of efivarfs filesystems 
@@ -985,33 +943,21 @@ fs_manage_tmpfs_dirs(fsadm_t)
 fs_manage_tmpfs_files(fsadm_t)
 #============= loadkeys_t ==============
-optional_policy(`
- require {
- type trident_t;
- type loadkeys_t;
- }
- files_read_default_symlinks(loadkeys_t)
- fs_search_tmpfs(loadkeys_t)
-')
+# NOTE: loadkeys_t permissions have been moved to the trident-grub
+# SELinux module (packaging/selinux-policy-trident-grub/).
 #============= lvm_t ==============
-# This is necessary for Trident to create encrypted volumes
-allow lvm_t trident_t:sem { associate read unix_read unix_write write };
-allow lvm_t initrc_t:sem { associate read unix_read unix_write write };
-
-# These permissions are necessary for cryptsetup luksOpen to succeed.
-allow lvm_t init_t:key search; # Allows LVM to write to search the kernel keyring.
-allow lvm_t tpm_device_t:chr_file write; # Allows LVM to write to the TPM device.
-
-# This is necessary for veritysetup to be able to read a key file in /tmp.
-allow lvm_t tmp_t:file { getattr ioctl open read };
+# NOTE: Encryption-related lvm_t permissions (sem, key, tpm, tmp) have been
+# moved to the trident-encryption SELinux module
+# (packaging/selinux-policy-trident-encryption/).
 #============= mount_t =============
+# Let the mount helper mount Trident-managed images and volumes.
 allow mount_t trident_var_lib_t:dir mounton;
 #============= systemd_pcrphase_t ==============
-allow systemd_pcrphase_t tmpfs_t:dir { getattr open read search };
-allow systemd_pcrphase_t tmpfs_t:file { getattr lock open setattr write };
+# NOTE: systemd_pcrphase_t permissions have been moved to the
+# trident-encryption SELinux module (packaging/selinux-policy-trident-encryption/).
 #============= rpm_t ==============
 optional_policy(`
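Review bot: The comment added above `allow mount_t trident_var_lib_t:dir mounton;` overstates the rule: `mounton` on a `dir` only lets mount_t use trident_var_lib_t directories as mount points, it says nothing about which images or volumes may be mounted there. Suggest `# Let mount_t use trident_var_lib_t directories as mount points.` so the comment matches the permission. The lvm_t NOTE records that the sem, key, tpm and tmp rules moved to trident-encryption, but the removed `allow lvm_t tpm_device_t:chr_file write;` and `allow lvm_t init_t:key search;` were, per the removed comment, what cryptsetup luksOpen needed, so an image that enables encryption without that module will presumably fail with an AVC denial at unlock; stating that dependency in the NOTE would help whoever composes images. The rpm_t `optional_policy` block at the end continues past this hunk.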
@@ -1041,21 +987,18 @@ libs_manage_lib_dirs(semanage_t)
 libs_manage_lib_files(semanage_t)
 #============= setfiles_t ==============
+# Let setfiles relabel special files Trident lays down during updates.
 allow setfiles_t proc_t:filesystem getattr;
 allow setfiles_t unlabeled_t:file { map open read };
 allow setfiles_t container_var_lib_t:blk_file relabelto;
 #============= systemd_generator_t ==============
+# Let systemd generators read home-root state after Trident provisions users and units.
 allow systemd_generator_t home_root_t:dir read;
 #============= udev_t ==============
-optional_policy(`
- require {
- type cloud_init_t;
- }
- allow udev_t cloud_init_t:fd use;
- allow udev_t cloud_init_t:fifo_file { append write getattr };
-')
+# Allow udev helpers triggered by Trident storage changes to inspect provisioning state and extension images.
+# NOTE: cloud_init_t udev permissions moved to trident-cloud-init SELinux module.
 allow udev_t lvm_t:process { noatsecure rlimitinh siginh };
 allow udev_t unlabeled_t:file getattr;
@@ -1065,6 +1008,7 @@ allow udev_t trident_var_lib_t:file getattr;
 files_read_generic_tmp_files(udev_t)
 #============= udevadm_t ==============
+# Allow udevadm runs initiated by Trident to rescan devices and rebuild runtime metadata.
 optional_policy(`
 require {
 type cgroup_t;
@@ -1103,4 +1047,5 @@ optional_policy(`
 dev_search_sysfs(udevadm_t)
 #============= unlabeled_t ==============
+# Associate tmpfs-backed content with unlabeled_t while Trident is relabeling fresh filesystems.
 fs_associate_tmpfs(unlabeled_t)
\ No newline at end of file
diff --git a/packaging/systemd/trident-update@.service b/packaging/systemd/trident-update@.service
new file mode 100644
index 000000000..c895cbc12
--- /dev/null
+++ b/packaging/systemd/trident-update@.service
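Review bot: The comments added for setfiles_t, systemd_generator_t and udev_t assert motivations the rules do not show — "special files Trident lays down during updates", "after Trident provisions users and units", "extension images" — so they cannot be checked against `allow systemd_generator_t home_root_t:dir read;` or `allow udev_t lvm_t:process { noatsecure rlimitinh siginh };` during a policy review. Describe the permission instead, e.g. for udev_t `# Domain transition udev_t -> lvm_t: child keeps rlimits and signal state, skips AT_SECURE cleansing.`; the same applies to the udevadm_t comment in the `@@ -1065,6` hunk and the unlabeled_t comment in the `@@ -1103,4` hunk. The udev_t section continues past this hunk.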
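Review bot: The file still ends without a trailing newline after `fs_associate_tmpfs(unlabeled_t)`, as the `\ No newline at end of file` marker on the shared context line shows. Since this hunk already edits the tail of the file, adding the newline here avoids a spurious change on the next append.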
@@ -0,0 +1,12 @@
+[Unit]
+Description=Trident Update (%i)
+After=network.target network-online.target tridentd.socket
+ [Service]
+Type=oneshot
+EnvironmentFile=/var/lib/trident/update-env
+ExecStart=trident update -v trace ${UPDATE_CONFIG} --allowed-operations %i
+TimeoutStartSec=600
+ [Install]
+WantedBy=multi-user.target
diff --git a/tests/images/azurelinux-direct-streaming-testimage/base/baseimg.yaml b/tests/images/azurelinux-direct-streaming-testimage/base/baseimg.yaml
index 88a8d7b97..865a84c51 100644
--- a/tests/images/azurelinux-direct-streaming-testimage/base/baseimg.yaml
+++ b/tests/images/azurelinux-direct-streaming-testimage/base/baseimg.yaml
@@ -74,6 +74,7 @@ os:
 - ntfsprogs
 # selinux
 - selinux-policy
+ - trident-test-selinux
 services:
 enable:
diff --git a/tests/images/trident-installer/base/baseimg-direct-streaming.yaml b/tests/images/trident-installer/base/baseimg-direct-streaming.yaml
index 3ace14fbd..9912cad45 100644
--- a/tests/images/trident-installer/base/baseimg-direct-streaming.yaml
+++ b/tests/images/trident-installer/base/baseimg-direct-streaming.yaml
@@ -62,6 +62,7 @@ os:
 - trident
 # Add trident selinux policy files
 - trident-selinux
+ - trident-test-selinux
 # Add trident-install.service
 - trident-install-service
diff --git a/tests/images/trident-mos/iso.yaml b/tests/images/trident-mos/iso.yaml
index 00b235a02..f8e119130 100644
--- a/tests/images/trident-mos/iso.yaml
+++ b/tests/images/trident-mos/iso.yaml
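Review bot: `After=network.target network-online.target tridentd.socket` only orders the unit; without `Wants=network-online.target` nothing pulls that target in, so on a boot where no other unit activates it the update can start before the network is up. Add `Wants=network-online.target` under `[Unit]`. `-v trace` is hard-coded into `ExecStart`, so every update run writes trace-level output to the journal; consider taking the level from the same environment file as `UPDATE_CONFIG` with a quieter default. No `User=` is set, so the service presumably runs as root and takes its arguments from `/var/lib/trident/update-env`; whoever can write that file selects the config a root update applies, which is worth a comment in the unit and a check that the file's SELinux label confines writers to the Trident domains.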
@@ -81,6 +81,12 @@ os:
 destination: /usr/share/selinux/packages/trident/trident.fc
 - source: ../../../packaging/selinux-policy-trident/trident.te
 destination: /usr/share/selinux/packages/trident/trident.te
+ - source: ../../../packaging/selinux-policy-trident-test/trident-test.if
+ destination: /usr/share/selinux/packages/trident-test/trident-test.if
+ - source: ../../../packaging/selinux-policy-trident-test/trident-test.fc
+ destination: /usr/share/selinux/packages/trident-test/trident-test.fc
+ - source: ../../../packaging/selinux-policy-trident-test/trident-test.te
+ destination: /usr/share/selinux/packages/trident-test/trident-test.te
 # Trident daemon service files
 - source: ../../../packaging/systemd/tridentd.socket
diff --git a/tests/images/trident-vm-testimage/base/baseimg-grub-verity-azure.yaml b/tests/images/trident-vm-testimage/base/baseimg-grub-verity-azure.yaml
index 7da14975f..7023b9c7f 100644
--- a/tests/images/trident-vm-testimage/base/baseimg-grub-verity-azure.yaml
+++ b/tests/images/trident-vm-testimage/base/baseimg-grub-verity-azure.yaml
@@ -127,6 +127,7 @@ os:
 - selinux-policy
 - systemd-udev
 - trident
+ - trident-test-selinux
 - veritysetup
 - vim
 - WALinuxAgent