Don't fail on relabeling if selinux is permissive

We continue kubevirt if we can't install our policies when selinux is permissive. As a consequence we also have to treat relabel attempts gracefully when selinux is permissive. Signed-off-by: Roman Mohr <[email protected]>
akalenyu · Sep 9, 2021 · e8ea8cc · e8ea8cc
1 parent c1eca48
commit e8ea8cc
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 35 deletions.
diff --git a/cmd/virt-handler/virt-handler.go b/cmd/virt-handler/virt-handler.go
@@ -26,7 +26,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"runtime"
@@ -380,7 +379,7 @@ func (app *virtHandlerApp) Run() {
 
 		// relabel tun device
 		unprivilegedContainerSELinuxLabel := "system_u:object_r:container_file_t:s0"
-		err = relabelFiles(unprivilegedContainerSELinuxLabel, "/dev/net/tun", "/dev/null")
+		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), "/dev/net/tun", "/dev/null")
 		if err != nil {
 			panic(fmt.Errorf("error relabeling required files: %v", err))
 		}
@@ -610,16 +609,3 @@ func copy(sourceFile string, targetFile string) error {
 	}
 	return nil
 }
-
-func relabelFiles(newLabel string, files ...string) error {
-	relabelArgs := []string{"selinux", "relabel", newLabel}
-	for _, file := range files {
-		cmd := exec.Command("virt-chroot", append(relabelArgs, file)...)
-		err := cmd.Run()
-		if err != nil {
-			return fmt.Errorf("error relabeling file %s with label %s. Reason: %v", file, newLabel, err)
-		}
-	}
-
-	return nil
-}
diff --git a/pkg/virt-handler/non-root.go b/pkg/virt-handler/non-root.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -34,10 +33,10 @@ func changeOwnershipAndRelabel(path string) error {
 		return err
 	}
 
-	_, selinuxEnabled, err := selinux.NewSELinux()
+	seLinux, selinuxEnabled, err := selinux.NewSELinux()
 	if err == nil && selinuxEnabled {
 		unprivilegedContainerSELinuxLabel := "system_u:object_r:container_file_t:s0"
-		err = relabelFiles(unprivilegedContainerSELinuxLabel, filepath.Join(path))
+		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, seLinux.IsPermissive(), filepath.Join(path))
 		if err != nil {
 			return (fmt.Errorf("error relabeling %s: %v", path, err))
 		}
@@ -136,17 +135,3 @@ func (d *VirtualMachineController) nonRootSetup(origVMI, vmi *v1.VirtualMachineI
 	}
 	return nil
 }
-
-func relabelFiles(newLabel string, files ...string) error {
-	relabelArgs := []string{"selinux", "relabel", newLabel}
-	for _, file := range files {
-		cmd := exec.Command("virt-chroot", append(relabelArgs, file)...)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		err := cmd.Run()
-		if err != nil {
-			return fmt.Errorf("error relabeling file %s with label %s. Reason: %v", file, newLabel, err)
-		}
-	}
-	return nil
-}
diff --git a/pkg/virt-handler/selinux/labels.go b/pkg/virt-handler/selinux/labels.go
@@ -85,7 +85,7 @@ func (se *SELinuxImpl) semodule(args ...string) (out []byte, err error) {
 	} else if !exists {
 		// on some environments some selinux related binaries are missing, e.g. when the cluster runs in containers (kind).
 		// In such a case, inform the admin, but continue.
-		if se.isPermissive() {
+		if se.IsPermissive() {
 			log.DefaultLogger().Warning("Permissive mode, ignoring missing 'semodule' binary. SELinux policies will not be installed.")
 			return []byte{}, nil
 		}
@@ -98,15 +98,15 @@ func (se *SELinuxImpl) semodule(args ...string) (out []byte, err error) {
 	}
 
 	out, err = se.execFunc(virt_chroot.GetChrootBinaryPath(), argsArray...)
-	if err != nil && se.isPermissive() {
+	if err != nil && se.IsPermissive() {
 		log.DefaultLogger().Warningf("Permissive mode, ignoring 'semodule' failure: out: %q, error: %v", string(out), err)
 		return []byte{}, nil
 	}
 
 	return out, err
 }
 
-func (se *SELinuxImpl) isPermissive() bool {
+func (se *SELinuxImpl) IsPermissive() bool {
 	return se.mode == "permissive"
 }
 
@@ -161,4 +161,24 @@ func (se *SELinuxImpl) InstallPolicy(dir string) (err error) {
 type SELinux interface {
 	InstallPolicy(dir string) (err error)
 	Mode() string
+	IsPermissive() bool
+}
+
+func RelabelFiles(newLabel string, continueOnError bool, files ...string) error {
+	relabelArgs := []string{"selinux", "relabel", newLabel}
+	for _, file := range files {
+		cmd := exec.Command("virt-chroot", append(relabelArgs, file)...)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		err := cmd.Run()
+		if err != nil {
+			err := fmt.Errorf("error relabeling file %s with label %s. Reason: %v", file, newLabel, err)
+			if !continueOnError {
+				return err
+			} else {
+				log.DefaultLogger().Reason(err).Errorf("Relabeling a file faild, continuing since selinux is permissive.")
+			}
+		}
+	}
+	return nil
 }