WIP: feat: split SELinux policy into core and scenario rpms, create test for core policy

.pipelines/templates/e2e-template.yml

@@ -421,6 +421,12 @@ stages:
           micVersion: ${{ parameters.micVersion }}
           testSecureBoot: ${{ parameters.testSecureBoot }}
 
+      # SELinux policy validation — tests update with public policy only
+      - template: stages/testing_selinux/selinux-update-testing.yml
+        parameters:
+          micBuildType: ${{ parameters.micBuildType }}
+          micVersion: ${{ parameters.micVersion }}
+
   # TESTING stages for AZL-VALIDATION
   - ${{ if eq(parameters.stageType, 'azl-validation') }}:
       # VM Testing (host, post_merge)

Makefile

@@ -185,7 +185,7 @@ target/azl3/release/trident target/azl3/release/trident-acl-agent: version-vars
 		cargo build --color always --target-dir target/azl3 --release --features dangerous-options,grpc-preview -p trident -p trident-acl-agent
 
 # This will do a proper build on azl3, exactly as the pipelines would, with the custom registry and all.
-bin/trident-rpms-azl3.tar.gz: packaging/docker/Dockerfile.full packaging/systemd/*.service packaging/rpm/trident.spec artifacts/osmodifier packaging/selinux-policy-trident/* version-vars
+bin/trident-rpms-azl3.tar.gz: packaging/docker/Dockerfile.full packaging/systemd/*.service packaging/rpm/trident.spec packaging/rpm/trident-test-selinux.spec artifacts/osmodifier packaging/selinux-policy-trident/* packaging/selinux-policy-trident-test/* version-vars
 	$(eval CARGO_REGISTRIES_BMP_PUBLICPACKAGES_TOKEN := $(shell az account get-access-token --query "join(' ', ['Bearer', accessToken])" --output tsv))
 
 	@mkdir -p bin/
@@ -207,7 +207,7 @@ bin/trident-rpms-azl3.tar.gz: packaging/docker/Dockerfile.full packaging/systemd
 	@tar xf $@ -C bin/
 
 # This one does a fast trick-build where we build locally and inject the binary into the container to add it to the RPM.
-bin/trident-rpms.tar.gz: packaging/docker/Dockerfile.azl3 packaging/systemd/*.service packaging/rpm/trident.spec artifacts/osmodifier target/release/trident packaging/selinux-policy-trident/*
+bin/trident-rpms.tar.gz: packaging/docker/Dockerfile.azl3 packaging/systemd/*.service packaging/rpm/trident.spec packaging/rpm/trident-test-selinux.spec artifacts/osmodifier target/release/trident packaging/selinux-policy-trident/* packaging/selinux-policy-trident-test/*
 	@mkdir -p bin/
 	@if [ ! -f bin/trident ] || ! cmp -s target/release/trident bin/trident; then \
 		cp target/release/trident bin/trident; \
@@ -844,6 +844,7 @@ bin/trident-mos.iso: \
 	tests/images/trident-mos/files/* \
 	tests/images/trident-mos/post-install.sh \
 	packaging/selinux-policy-trident/* \
+	packaging/selinux-policy-trident-test/* \
 	tools/cmd/rcp-agent/rcp-agent.service \
 	bin/rcp-agent
 	@echo "Rebuilding Trident MOS ISO: $@ from $< because of: $?"

packaging/docker/Dockerfile.azl3

@@ -7,6 +7,7 @@ RUN tdnf install -y rpmdevtools openssl-devel clang-devel protobuf-devel rust se
 WORKDIR /work
 
 COPY packaging/rpm/trident.spec .
+COPY packaging/rpm/trident-test-selinux.spec .
 COPY packaging ./packaging
 COPY bin/trident ./target/release/trident
 COPY artifacts/osmodifier /usr/src/azl/SOURCES/osmodifier
@@ -23,4 +24,5 @@ RUN \
     --define="trident_version $TRIDENT_VERSION" \
     --define="rpm_ver $RPM_VER" \
     --define="rpm_rel $RPM_REL" && \
+    rpmbuild -bb --build-in-place trident-test-selinux.spec && \
     tar -czvf trident-rpms.tar.gz -C /usr/src/azl ./RPMS

packaging/docker/Dockerfile.full

@@ -7,6 +7,7 @@ RUN tdnf install -y rpmdevtools openssl-devel clang-devel protobuf-devel rust-1.
 WORKDIR /work
 
 COPY packaging/rpm/trident.spec .
+COPY packaging/rpm/trident-test-selinux.spec .
 COPY packaging ./packaging
 COPY artifacts/osmodifier /usr/src/azl/SOURCES/osmodifier
 
@@ -35,6 +36,7 @@ RUN --mount=type=secret,id=registry_token \
     --define="trident_version $TRIDENT_VERSION" \
     --define="rpm_ver $RPM_VER" \
     --define="rpm_rel $RPM_REL" && \
+    rpmbuild -bb --build-in-place trident-test-selinux.spec && \
     tar -czvf trident-rpms.tar.gz -C /usr/src/azl ./RPMS
 
 FROM scratch AS artifact

packaging/rpm/trident-test-selinux.spec

@@ -0,0 +1,65 @@
+# Test-only SELinux policy module for Trident
+#
+# This RPM provides additional SELinux permissions needed only in test/CI
+# environments. It layers on top of the base trident-selinux module and
+# must NOT be installed in production images.
+#
+# Permissions included:
+#   - Steamboat/CI exec transition (ci_unconfined_t -> trident_t)
+#   - Interactive unconfined transition (for manual debugging)
+
+%global selinuxtype targeted
+%global modulename trident-test
+
+Summary:        Trident test-only SELinux policy
+Name:           trident-test-selinux
+Version:        1.0.0
+Release:        1%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Group:          Applications/System
+Distribution:   Azure Linux
+BuildArch:      noarch
+
+Requires:       trident-selinux
+Requires:       selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
+%{?selinux_requires}
+
+%description
+Test-only SELinux policy module for Trident. Provides CI/interactive
+transitions that are not included in the production trident-selinux package.
+This package must NOT be installed in production images.
+
+%build
+mkdir -p selinux
+cp -p packaging/selinux-policy-trident-test/%{modulename}.fc selinux/
+cp -p packaging/selinux-policy-trident-test/%{modulename}.if selinux/
+cp -p packaging/selinux-policy-trident-test/%{modulename}.te selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+
+%install
+install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+
+%files
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans
+%selinux_relabel_post -s %{selinuxtype}

packaging/rpm/trident.spec

@@ -200,6 +200,147 @@ fi
 
 # ------------------------------------------------------------------------------
 
+%package selinux-raid
+Summary:             Trident RAID SELinux policy
+BuildArch:           noarch
+Requires:            %{name}-selinux
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux-raid
+RAID SELinux policy module for Trident. Provides mdadm and bootloader
+permissions needed for RAID storage configurations. Only install on
+systems that use RAID.
+
+%files selinux-raid
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-raid.pp.bz2
+%{_datadir}/selinux/devel/include/distributed/%{name}-raid.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-raid
+
+%pre selinux-raid
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux-raid
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-raid.pp.bz2
+
+%postun selinux-raid
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}-raid
+fi
+
+%posttrans selinux-raid
+%selinux_relabel_post -s %{selinuxtype}
+
+# ------------------------------------------------------------------------------
+
+%package selinux-encryption
+Summary:             Trident encryption & PCRlock SELinux policy
+BuildArch:           noarch
+Requires:            %{name}-selinux
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux-encryption
+Encryption and PCRlock SELinux policy module for Trident. Provides TPM,
+cryptsetup/LUKS, and systemd-pcrphase permissions. Only install on
+systems that use encryption or pcrlock features.
+
+%files selinux-encryption
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-encryption.pp.bz2
+%{_datadir}/selinux/devel/include/distributed/%{name}-encryption.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-encryption
+
+%pre selinux-encryption
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux-encryption
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-encryption.pp.bz2
+
+%postun selinux-encryption
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}-encryption
+fi
+
+%posttrans selinux-encryption
+%selinux_relabel_post -s %{selinuxtype}
+
+# ------------------------------------------------------------------------------
+
+%package selinux-grub
+Summary:             Trident GRUB & dracut SELinux policy
+BuildArch:           noarch
+Requires:            %{name}-selinux
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux-grub
+GRUB and dracut SELinux policy module for Trident. Provides bootloader
+execution, /boot management, and loadkeys permissions needed for
+GRUB-based boot. Not needed on UKI/systemd-boot systems.
+
+%files selinux-grub
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-grub.pp.bz2
+%{_datadir}/selinux/devel/include/distributed/%{name}-grub.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-grub
+
+%pre selinux-grub
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux-grub
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-grub.pp.bz2
+
+%postun selinux-grub
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}-grub
+fi
+
+%posttrans selinux-grub
+%selinux_relabel_post -s %{selinuxtype}
+
+# ------------------------------------------------------------------------------
+
+%package selinux-cloud-init
+Summary:             Trident cloud-init SELinux policy
+BuildArch:           noarch
+Requires:            %{name}-selinux
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux-cloud-init
+Cloud-init SELinux policy module for Trident. Provides permissions for
+trident to interact with cloud-init during provisioning, and for
+cloud-init to manage files trident creates. Install on any system
+that uses cloud-init.
+
+%files selinux-cloud-init
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-cloud-init.pp.bz2
+%{_datadir}/selinux/devel/include/distributed/%{name}-cloud-init.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}-cloud-init
+
+%pre selinux-cloud-init
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux-cloud-init
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}-cloud-init.pp.bz2
+
+%postun selinux-cloud-init
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}-cloud-init
+fi
+
+%posttrans selinux-cloud-init
+%selinux_relabel_post -s %{selinuxtype}
+
+# ------------------------------------------------------------------------------
+
 %package static-pcrlock-files
 Summary:        Statically defined .pcrlock files
 Requires:       %{name}
@@ -244,14 +385,50 @@ export TRIDENT_VERSION="%{trident_version}"
 %endif
 cargo build --release
 
-mkdir selinux
+mkdir -p selinux
 cp -p packaging/selinux-policy-trident/trident.fc selinux/
 cp -p packaging/selinux-policy-trident/trident.if selinux/
 cp -p packaging/selinux-policy-trident/trident.te selinux/
 
 make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
 bzip2 -9 %{name}.pp
 
+# Build RAID SELinux policy module
+rm -f selinux/*
+cp -p packaging/selinux-policy-trident-raid/trident-raid.fc selinux/
+cp -p packaging/selinux-policy-trident-raid/trident-raid.if selinux/
+cp -p packaging/selinux-policy-trident-raid/trident-raid.te selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{name}-raid.pp
+bzip2 -9 %{name}-raid.pp
+
+# Build encryption SELinux policy module
+rm -f selinux/*
+cp -p packaging/selinux-policy-trident-encryption/trident-encryption.fc selinux/
+cp -p packaging/selinux-policy-trident-encryption/trident-encryption.if selinux/
+cp -p packaging/selinux-policy-trident-encryption/trident-encryption.te selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{name}-encryption.pp
+bzip2 -9 %{name}-encryption.pp
+
+# Build GRUB SELinux policy module
+rm -f selinux/*
+cp -p packaging/selinux-policy-trident-grub/trident-grub.fc selinux/
+cp -p packaging/selinux-policy-trident-grub/trident-grub.if selinux/
+cp -p packaging/selinux-policy-trident-grub/trident-grub.te selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{name}-grub.pp
+bzip2 -9 %{name}-grub.pp
+
+# Build cloud-init SELinux policy module
+rm -f selinux/*
+cp -p packaging/selinux-policy-trident-cloud-init/trident-cloud-init.fc selinux/
+cp -p packaging/selinux-policy-trident-cloud-init/trident-cloud-init.if selinux/
+cp -p packaging/selinux-policy-trident-cloud-init/trident-cloud-init.te selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{name}-cloud-init.pp
+bzip2 -9 %{name}-cloud-init.pp
+
 %check
 # Test the trident variable for the appropriate version
 %if %{undefined rpm_ver}
@@ -280,7 +457,23 @@ install -D -m 755 target/release/%{name} %{buildroot}/%{_bindir}/%{name}
 
 # Copy Trident SELinux policy module to /usr/share/selinux/packages
 install -D -m 0644 %{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-install -D -p -m 0644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+install -D -p -m 0644 packaging/selinux-policy-trident/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+
+# Copy Trident RAID SELinux policy module
+install -D -m 0644 %{name}-raid.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-raid.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-raid/%{name}-raid.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-raid.if
+
+# Copy Trident encryption SELinux policy module
+install -D -m 0644 %{name}-encryption.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-encryption.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-encryption/%{name}-encryption.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-encryption.if
+
+# Copy Trident GRUB SELinux policy module
+install -D -m 0644 %{name}-grub.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-grub.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-grub/%{name}-grub.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-grub.if
+
+# Copy Trident cloud-init SELinux policy module
+install -D -m 0644 %{name}-cloud-init.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}-cloud-init.pp.bz2
+install -D -p -m 0644 packaging/selinux-policy-trident-cloud-init/%{name}-cloud-init.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}-cloud-init.if
 
 mkdir -p %{buildroot}%{_unitdir}
 install -D -m 644 packaging/systemd/%{name}.service %{buildroot}%{_unitdir}/%{name}.service

packaging/selinux-policy-trident-cloud-init/trident-cloud-init.fc

@@ -0,0 +1,2 @@
+# trident-cloud-init SELinux file contexts
+# No additional file contexts needed.

packaging/selinux-policy-trident-cloud-init/trident-cloud-init.if

@@ -0,0 +1,8 @@
+## <summary>Cloud-init SELinux interfaces for Trident</summary>
+## <desc>
+##   <p>
+##     This module provides no public interfaces.
+##     It exists only to satisfy the SELinux build toolchain requirement
+##     for a .if file alongside the .te and .fc files.
+##   </p>
+## </desc>