fix various SELinux policy issues

packages/release/prepare-local.service

@@ -10,7 +10,6 @@ After=dev-disk-by\x2dpartlabel-BOTTLEROCKET\x2dDATA.device
 Type=oneshot
 Environment=BOTTLEROCKET_DATA=/dev/disk/by-partlabel/BOTTLEROCKET-DATA
 Environment=LOCAL_DIR=/local
-Environment=CONTEXT="system_u:object_r:local_t:s0"
 
 # To "grow" the partition, we delete it and recreate it at the larger size, then
 # write it back to the device. udevd observes the write via inotify, and tells
@@ -28,7 +27,7 @@ ExecStart=/usr/sbin/growpart ${BOTTLEROCKET_DATA}
 # depend on the link, and would immediately transition to the failed state when the
 # link is removed. systemd will create local.mount for us as a side effect.
 ExecStart=/usr/bin/mount \
-    -o defaults,noatime,nosuid,nodev,fscontext="${CONTEXT}",defcontext="${CONTEXT}",rootcontext="${CONTEXT}" \
+    -o defaults,noatime,nosuid,nodev \
     ${BOTTLEROCKET_DATA} ${LOCAL_DIR}
 
 # After the mount is active, we grow the filesystem to fill the resized partition,

packages/release/usr-src-kernels.mount.in

@@ -8,7 +8,7 @@ Before=local-fs.target umount.target
 What=overlay
 Where=PREFIX/src/kernels
 Type=overlay
-Options=noatime,nosuid,nodev,lowerdir=/var/lib/kernel-devel/lower,upperdir=/var/lib/kernel-devel/upper,workdir=/var/lib/kernel-devel/work,context=system_u:object_r:local_t:s0
+Options=noatime,nosuid,nodev,lowerdir=/var/lib/kernel-devel/lower,upperdir=/var/lib/kernel-devel/upper,workdir=/var/lib/kernel-devel/work,context=system_u:object_r:state_t:s0
 
 [Install]
 WantedBy=preconfigured.target

packages/selinux-policy/base.cil

@@ -28,6 +28,13 @@
 (userlevel system_u s0-s0)
 (userrange system_u s0-s0)
 
+; Take the context from the target file rather than the source
+; process when computing the level for new file objects. We can
+; expect the directory where files are created to have the right
+; range of categories applied, but the process creating the file
+; may be privileged and have the full range or no range at all.
+(defaultrange files target low-high)
+
 ; Enable policy to use consolidated network peer controls. This
 ; avoids a function call to the compatibility mode helper, and
 ; will be faster when no network labeling rules are defined.

packages/selinux-policy/fs.cil

@@ -26,7 +26,7 @@
 (genfscon debugfs / any)
 (genfscon kvmfs / any)
 (genfscon nsfs / any)
-(genfscon proc / any)
+(genfscon proc / proc)
 (genfscon pstore / any)
 (genfscon ramfs / any)
 (genfscon rootfs / any)
@@ -81,7 +81,7 @@
 (filecon "/var/lib/netdog/.*" any lease)
 
 ; Label kernel filesystem mounts.
-(filecon "/proc" any any)
+(filecon "/proc" any proc)
 (filecon "/proc/.*" any ())
 (filecon "/sys" any any)
 (filecon "/sys/.*" any ())
@@ -97,7 +97,8 @@
 (filecon "/run/.*" any ())
 
 ; Label external filesystem mounts.
-(filecon "/mnt" any external)
+(filecon "/mnt" any local)
 (filecon "/mnt/.*" any ())
-(filecon "/media" any external)
+(filecon "/media" any local)
+(filecon "/media/cdrom" any local)
 (filecon "/media/.*" any ())

packages/selinux-policy/lxc_contexts

@@ -6,7 +6,7 @@ process = "system_u:system_r:container_t:s0"
 
 # The 'file' label should always be applied to the container's root
 # filesystem, regardless of privileged status or automatic labeling.
-file = "system_u:object_r:local_t:s0"
+file = "system_u:object_r:data_t:s0"
 
 # The 'ro_file' label is not currently used by the above runtimes.
 ro_file = "system_u:object_r:cache_t:s0"

packages/selinux-policy/object.cil

@@ -39,8 +39,13 @@
 (roletype object_r runtime_exec_t)
 (context runtime_exec (system_u object_r runtime_exec_t s0))
 
+; Files under /proc.
+(type proc_t)
+(roletype object_r proc_t)
+(context proc (system_u object_r proc_t s0))
+
 ; Files where we have no specific policy objectives, such as
-; those on kernel filesystems like /proc and /dev.
+; tmpfs mounts and various kernel filesystems.
 (type any_t)
 (roletype object_r any_t)
 (context any (system_u object_r any_t s0))
@@ -50,18 +55,26 @@
 (roletype object_r etc_t)
 (context etc (system_u object_r etc_t s0))
 
-; Files that have no label, or perhaps an invalid label.
-(type unlabeled_t)
-(roletype object_r unlabeled_t)
-(context unlabeled (system_u object_r unlabeled_t s0))
-
 ; Files created on local storage.
 (type local_t)
 (roletype object_r local_t)
 (context local (system_u object_r local_t s0))
 
-; Alias "container_file_t" to "local_t" for compatibility with
-; the container-selinux policy.
+; The "external_t" and "unlabeled_t" types were removed to simplify
+; the policy. Add aliases for backwards compatibility.
+(typealias external_t)
+(typealias unlabeled_t)
+(typealiasactual external_t local_t)
+(typealiasactual unlabeled_t local_t)
+
+; Files created by containers, or on their behalf.
+(type data_t)
+(roletype object_r data_t)
+(context data (system_u object_r data_t s0))
+
+; Alias "container_file_t" to "local_t" for compatibility with the
+; container-selinux policy. Ideally it would be aliased to `data_t`
+; but then kubelet applies the wrong label to plugin directories.
 (typealias container_file_t)
 (typealiasactual container_file_t local_t)
 
@@ -105,15 +118,14 @@
 (roletype object_r secret_t)
 (context secret (system_u object_r secret_t s0))
 
-; Files that are mount points for external filesystems.
-(type external_t)
-(roletype object_r external_t)
-(context external (system_u object_r external_t s0))
-
 ; Dynamic objects are files on temporary storage with special rules.
 (typeattribute dynamic_o)
 (typeattributeset dynamic_o (etc_t))
 
+; Shared objects are files on local storage for containers.
+(typeattribute shared_o)
+(typeattributeset shared_o (local_t data_t))
+
 ; Protected objects are files on local storage with special rules.
 (typeattribute protected_o)
 (typeattributeset protected_o (
@@ -129,18 +141,16 @@
   os_t init_exec_t api_exec_t clock_exec_t
   network_exec_t bus_exec_t runtime_exec_t))
 
-; Ephemeral objects reside on storage with a different lifecycle
-; from the rest of the OS, such as tmpfs filesystems, EBS volumes,
-; and EFS filesystems.
+; Ephemeral objects reside on tmpfs filesystems.
 (typeattribute ephemeral_o)
-(typeattributeset ephemeral_o (any_t external_t unlabeled_t))
+(typeattributeset ephemeral_o (any_t proc_t))
 
 ; The set of all objects.
 (typeattribute all_o)
 (typeattributeset all_o (
   os_t init_exec_t api_exec_t clock_exec_t
   network_exec_t bus_exec_t runtime_exec_t
-  any_t etc_t unlabeled_t external_t
-  local_t private_t secret_t cache_t
+  any_t etc_t proc_t
+  local_t data_t private_t secret_t cache_t
   lease_t measure_t state_t
   api_socket_t))

packages/selinux-policy/rules.cil

@@ -57,8 +57,6 @@
 (allow bus_t bus_exec_t (file (entrypoint)))
 
 ; PID 1 starts container runtimes as "runtime_t".
-; The level range is adjusted to span all categories at the same time,
-; to support Docker's use of MCS labels.
 (typetransition init_t runtime_exec_t process runtime_t)
 (allow init_t runtime_t (processes (transform)))
 (allow runtime_t runtime_exec_t (file (entrypoint)))
@@ -70,26 +68,27 @@
 ; Runtimes that use the Go SELinux library will override this label
 ; with the "process" label from the `lxc_contexts` when launching
 ; unprivileged containers, unless automatic labeling is disabled.
-(typetransition runtime_t local_t process control_t)
+(typetransition runtime_t data_t process control_t)
 (typetransition runtime_t cache_t process control_t)
 (typetransition runtime_t secret_t process control_t)
 (allow runtime_t container_s (processes (transform)))
-(allow container_s local_t (file (entrypoint)))
+(allow container_s data_t (file (entrypoint)))
 (allow container_s cache_t (file (entrypoint)))
 (allow container_s secret_t (file (entrypoint)))
 
+; Adjust the level range to span all categories, since privileged
+; containers won't get an MCS pair assigned.
+(rangetransition runtime_t data_t process s0-s0)
+(rangetransition runtime_t cache_t process s0-s0)
+(rangetransition runtime_t secret_t process s0-s0)
+
 ; Also allow entry to container domains through `docker-init`, which
 ; is mounted from the root filesystem and used as the init process.
 (allow container_s runtime_exec_t (file (entrypoint)))
 
 ; Allow containers to communicate with runtimes via pipes.
 (allow container_s runtime_t (files (mutate)))
 
-; If a trusted process creates a file or directory when the parent
-; directory has no label, it receives the "local_t" label.
-(typetransition trusted_s unlabeled_t file local_t)
-(typetransition trusted_s unlabeled_t dir local_t)
-
 ; If a runtime process creates a directory for cached container archives
 ; or snapshot layers on local storage, it receives the "cache_t" label.
 ; ... containerd's pristine archives
@@ -140,8 +139,8 @@
 (neverallow other_s dynamic_o (files (mutate mount)))
 
 ; Most subjects are allowed to write to and manage mounts for
-; "local" files and directories on /local.
-(allow unconfined_s local_t (files (mutate mount)))
+; most of the files and directories on /local.
+(allow unconfined_s shared_o (files (mutate mount)))
 
 ; Subjects that control the OS, including helpers spawned by apiserver, can
 ; write to and manage mounts for "secret" files and directories on /local.
@@ -159,8 +158,8 @@
 (neverallow unprivileged_s state_t (files (mutate mount)))
 (neverallow unprivileged_s secret_t (files (mutate mount)))
 
-; Confined subjects cannot modify "state", "secret", or "local" files.
-(neverallow confined_s local_t (files (mutate mount)))
+; Confined subjects cannot modify "state", "secret", or "shared" files.
+(neverallow confined_s shared_o (files (mutate mount)))
 (neverallow confined_s state_t (files (mutate mount)))
 (neverallow confined_s secret_t (files (mutate mount)))
 
@@ -200,14 +199,21 @@
 ; be useful for containers, and we don't use it in the host.
 (neverallow all_s global (files (block)))
 
+; All subject labels can be used for files on /proc.
+(allow all_s proc_t (filesystem (associate)))
+
 ; All object labels can be used for files on filesystems that have
 ; the same label, and for files on ephemeral storage.
 (allow all_o self (filesystem (associate)))
 (allow all_o ephemeral_o (filesystem (associate)))
 
-; Protected object labels can also be used on local storage.
+; Protected object labels can be used on local storage.
 (allow protected_o local_t (filesystem (associate)))
 
+; The data object label can also be used, so that volume types like
+; emptyDir can be relabeled on behalf of containers.
+(allow data_t local_t (filesystem (associate)))
+
 ; Containers are allowed to relax security constraints, since we
 ; don't control what code they run or how it's built.
 (allow container_s self (processes (relax)))

packages/selinux-policy/sid.cil

@@ -42,10 +42,10 @@
 (sidcontext security kernel)
 (sidcontext devnull kernel)
 
-; Apply the "unlabeled" context for entities with an invalid context,
-; and for files with no context at all, which are treated the same.
-(sidcontext unlabeled unlabeled)
-(sidcontext file unlabeled)
+; Apply the "local" context for entities with an invalid context, and
+; for files with no context at all, which are treated the same.
+(sidcontext unlabeled local)
+(sidcontext file local)
 
 ; Apply the "any" context for entities like sockets, ports, and
 ; network interfaces if they are otherwise unlabeled.

sources/host-ctr/cmd/host-ctr/main.go

@@ -622,7 +622,7 @@ func withSuperpowered() oci.SpecOpts {
 		oci.WithParentCgroupDevices,
 		oci.WithPrivileged,
 		oci.WithNewPrivileges,
-		oci.WithSelinuxLabel("system_u:system_r:super_t:s0"),
+		oci.WithSelinuxLabel("system_u:system_r:super_t:s0-s0:c0.c1023"),
 		oci.WithAllDevicesAllowed,
 	)
 }
@@ -634,7 +634,7 @@ func withBootstrap() oci.SpecOpts {
 	return oci.Compose(
 		withPrivilegedMounts(),
 		withRootFsShared(),
-		oci.WithSelinuxLabel("system_u:system_r:control_t:s0"),
+		oci.WithSelinuxLabel("system_u:system_r:control_t:s0-s0:c0.c1023"),
 		// Bootstrap containers don't require all "privileges", we only add the
 		// `CAP_SYS_ADMIN` capability. `WithDefaultProfile` will create the proper
 		// seccomp profile based on the container's capabilities.
@@ -647,7 +647,7 @@ func withBootstrap() oci.SpecOpts {
 // withDefault adds container options for non-privileged containers
 func withDefault() oci.SpecOpts {
 	return oci.Compose(
-		oci.WithSelinuxLabel("system_u:system_r:control_t:s0"),
+		oci.WithSelinuxLabel("system_u:system_r:control_t:s0-s0:c0.c1023"),
 		// Non-privileged containers only have access to a subset of the devices
 		oci.WithDefaultUnixDevices,
 		// No additional capabilities required for non-privileged containers