Add SELinux support

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). This commit: - Adds extended attributes to the squashfs filesystem so that SELinux can be properly supported - Adds the needed SELinux packages so that SELinux can work in the squashfs Debian GNU/Linux system - Adds the proper kernel command line parametres to enable SELinux according to the chosen enforced or permissive mode. All of that combined let's you either: - Harden your live system ( `--selinux enforced` ) - Enables you to interact with other SELinux filesystems without hardening the live system ( `--selinux permissive` ). - enforced mode means that the system will not allow a program/process to interact with a file with which it does not have the proper filesystem permission (based on SELinux extended attributes). - permissive mode means that the system will allow program/process to interact with a file with which it does not have the proper filesystem permission (based on SELinux extended attributes). This SELinux policy infrigenment will be logged though so that it can be properly fixed if needed. Default mode is `disable`.
2024-07-13 12:24:50 +02:00 · 2024-07-13 12:24:50 +02:00 · 13e401a616
commit 13e401a616
parent c7bc5f311c
6 changed files with 149 additions and 1 deletions
--- a/functions/configuration.sh
+++ b/functions/configuration.sh
@ -403,6 +403,30 @@ Prepare_config ()
 			;;
 	esac

+	LB_SELINUX="${LB_SELINUX:-disable}"
+
+	case "${LB_SELINUX}" in
+		enforced)
+			SELINUX_ENFORCED_CMDLINE="selinux=1 security=selinux enforcing=1"
+			if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_ENFORCED_CMDLINE}"
+			then
+				LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_ENFORCED_CMDLINE}"
+			fi
+		;;
+
+		permissive)
+			SELINUX_PERMISSIVE_CMDLINE="selinux=1 security=selinux enforcing=0"
+			if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_PERMISSIVE_CMDLINE}"
+			then
+				LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_PERMISSIVE_CMDLINE}"
+			fi
+		;;
+
+		disable)
+		;;
+
+	esac
+
 	local _LB_BOOTAPPEND_PRESEED
 	if [ -n "${LB_DEBIAN_INSTALLER_PRESEEDFILE}" ]
 	then
@ -740,6 +764,11 @@ Validate_config_permitted_values ()
 		exit 1
 	fi

+	if ! In_list "${LB_SELINUX}" enforced permissive disable; then
+		Echo_error "You have specified an invalid value for LB_SELINUX (--selinux)."
+		exit 1
+	fi
+
 	if ! In_list "${LB_SOURCE_IMAGES}" iso netboot tar hdd; then
 		Echo_error "You have specified an invalid value for LB_SOURCE_IMAGES (--source-images)."
 		exit 1
@ -802,6 +831,17 @@ Validate_config_dependencies ()
 		fi
 	fi

+	if In_list "${LB_SELINUX}" permissive enforced; then
+		if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]; then
+			Echo_error "You have selected values of LB_SELINUX and LB_CHROOT_FILESYSTEM which are incompatible. SELinux only supports squashfs as the chroot filesystem."
+			exit 1
+		fi
+	fi
+
+	if [ "${LB_SELINUX}" = "enforced" ]; then
+		Echo_warning "A value of 'enforced' for option LB_SELINUX is known not to boot onto an usable Live CD."
+	fi
+
 	Validate_http_proxy
 }

--- a/manpages/en/lb_config.1
+++ b/manpages/en/lb_config.1
@ -205,6 +205,8 @@
 	[\fB\-\-quiet\fR]
 .br
 	[\fB\-\-security\fR true|false]
+.br
+	[\fB\-\-selinux\fR Ienforced|permissive|disable]
 .br
 	[\fB\-\-source\fR true|false]
 .br
@ -438,6 +440,8 @@ sets the location of the mirror that will be used to fetch the debian installer
 reduces the verbosity of messages output by \fBlb build\fR.
 .IP "\fB\-\-security\fR true|false" 4
 defines if the security repositories specified in the security mirror options should be used or not.
+.IP "\fB\-\-selinux\fR \fIenforced|permissive|disable\fR" 4
+enables with enforcing or not Secure Enhanced Linux (SELinux). By default, this is set to disabled.
 .IP "\fB\-\-source\fR true|false" 4
 defines if a corresponding source image to the binary image should be built. By default this is false because most people do not require this and it involves downloading quite a few source packages. However, if you distribute your live image to others, you should make sure you build it with a source image alongside to help enable you to comply with licensing terms.
 .IP "\fB\-s\fR|\fB\-\-source\-images\fR iso|netboot|tar|hdd" 4
--- a/scripts/build/binary_rootfs
+++ b/scripts/build/binary_rootfs
@ -263,6 +263,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
 	squashfs)
 		# Checking depends
 		Check_package chroot /usr/share/doc/squashfs-tools squashfs-tools
+		case "${LB_SELINUX}" in
+			enforced|permissive)
+				Check_package host /sbin/setfiles policycoreutils
+				Check_package host /etc/selinux/default/contexts/files/file_contexts selinux-policy-default
+			;;
+
+			disable)
+			;;
+
+		esac

 		# Restoring cache
 		Restore_package_cache binary
@ -323,6 +333,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
 			MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}"
 		fi

+		case "${LB_SELINUX}" in
+			enforced|permissive)
+				MKSQUASHFS_OPTIONS="-xattrs ${MKSQUASHFS_OPTIONS}"
+			;;
+
+			disable)
+			;;
+
+		esac
+
 		case "${LB_BUILD_WITH_CHROOT}" in
 			true)
 				if [ -e config/rootfs/excludes ]
@ -332,6 +352,17 @@ case "${LB_CHROOT_FILESYSTEM}" in
 					MKSQUASHFS_OPTIONS="-wildcards -ef /excludes ${MKSQUASHFS_OPTIONS}"
 				fi

+				case "${LB_SELINUX}" in
+					enforced|permissive)
+						# TODO: Since bookworm parallel relabelling with -T 0 is possible and faster
+						setfiles -F -r chroot/chroot /etc/selinux/default/contexts/files/file_contexts chroot/chroot
+					;;
+
+					disable)
+					;;
+
+				esac
+
 				# Create image
 				Chroot chroot "nice -n 17 mksquashfs chroot filesystem.squashfs ${MKSQUASHFS_OPTIONS}"

@ -368,6 +399,17 @@ case "${LB_CHROOT_FILESYSTEM}" in
 					MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}"
 				fi

+				case "${LB_SELINUX}" in
+					enforced|permissive)
+						# TODO: Since bookworm parallel relabelling with -T 0 is possible and faster
+						setfiles -F -r chroot /etc/selinux/default/contexts/files/file_contexts chroot
+					;;
+
+					disable)
+					;;
+
+				esac
+
 				nice -n 19 mksquashfs chroot binary/${INITFS}/filesystem.squashfs ${MKSQUASHFS_OPTIONS}
 				;;
 		esac
--- a/scripts/build/chroot
+++ b/scripts/build/chroot
@ -37,6 +37,7 @@ lb chroot_prep install all mode-archives-chroot "${@}"
 lb chroot_linux-image "${@}"
 lb chroot_firmware "${@}"
 lb chroot_preseed "${@}"
+lb chroot_selinux "${@}"
 lb chroot_includes_before_packages "${@}"

 for _PASS in install live; do
--- a/scripts/build/chroot_selinux
+++ b/scripts/build/chroot_selinux
@ -0,0 +1,52 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2016-2020 The Debian Live team
+## Copyright (C) 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="Schedule SELinux packages for installation"
+USAGE="${PROGRAM} [--force]"
+
+# Processing arguments and configuration files
+Init_config_data "${@}"
+
+# Requiring stage file
+Require_stagefiles config bootstrap
+
+case "${LB_SELINUX}" in
+	enforced|permissive)
+		Echo_message "Begin scheduling SELinux installation..."
+
+		# Checking stage file
+		Check_stagefile
+
+		# Acquire lock file
+		Acquire_lockfile
+
+		SELINUX_CHROOT_PACKAGES="selinux-basics selinux-policy-default auditd"
+
+		# Drop section and keep package names only
+		for _PACKAGE in ${SELINUX_CHROOT_PACKAGES}
+		do
+			echo $(echo ${_PACKAGE} | awk -F/ '{ print $NF }') >> chroot/root/packages.chroot
+		done
+	;;
+
+	disable)
+	;;
+
+esac
+
+# Creating stage file
+Create_stagefile
--- a/scripts/build/config
+++ b/scripts/build/config
@ -116,6 +116,7 @@ USAGE="${PROGRAM} [--apt apt|apt-get|aptitude]\n\
 \t    [--parent-mirror-debian-installer URL]\n\
 \t    [--quiet]\n\
 \t    [--security true|false]\n\
+\t    [--selinux enforced|permissive|disable]\n\
 \t    [--source true|false]\n\
 \t    [-s|--source-images iso|netboot|tar|hdd]\n\
 \t    [--swap-file-path PATH]\n\
@ -171,7 +172,7 @@ Local_arguments ()
 		parent-mirror-chroot:,parent-mirror-chroot-security:,
 		parent-mirror-debian-installer:,
 		quiet,
-		security:,source:,source-images:,swap-file-path:,swap-file-size:,system:,
+		security:,selinux:,source:,source-images:,swap-file-path:,swap-file-size:,system:,
 		tasksel:,
 		uefi-secure-boot:,updates:,utc-time:,usage,
 		validate,verbose,version,
@ -780,6 +781,11 @@ Local_arguments ()
 				shift 2
 				;;

+			--selinux)
+				LB_SELINUX="${2}"
+				shift 2
+				;;
+
 			--source)
 				LB_SOURCE="${2}"
 				shift 2
@ -1311,6 +1317,9 @@ LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"

 # Enable/disable UEFI secure boot support
 LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}"
+
+# Enforce/disable SELinux
+LB_SELINUX="${LB_SELINUX}"
 EOF

 # Creating lb_source_* configuration