kola: Enable SELinux as early as possible

pothos · pothos · commit 9dee4e652c52 · 2023-12-20T13:09:12.000+01:00
We never really tested SELinux because we enabled it after boot while
normally it would be permanently enabled even during (re)boot.
We need to enable it via Ignition. Since this won't work with old
releases due to policy problems, introduce a flag that the old scripts
branches can pass.
Note: If tests differ between early and non-early enabling I would
rather disable SELinux for those cases and add a comment if and under
what future conditions it can be reenabled. The alternative would be to
only make them run with the new early mode but this means we reduce test
coverage for Stable which is not a good idea.
diff --git a/cmd/kola/options.go b/cmd/kola/options.go
@@ -81,6 +81,7 @@ func init() {
 	root.PersistentFlags().StringVarP(&kolaOffering, "offering", "", "basic", "Offering: "+strings.Join(kolaOfferings, ", "))
 	root.PersistentFlags().StringVarP(&kola.Options.Distribution, "distro", "b", "cl", "Distribution: "+strings.Join(kolaDistros, ", "))
 	root.PersistentFlags().IntVarP(&kola.TestParallelism, "parallel", "j", 1, "number of tests to run in parallel")
+	bv(&kola.LateSelinux, "late-selinux", false, "Enable SELinux only after bootup")
 	sv(&kola.TAPFile, "tapfile", "", "file to write TAP results to")
 	sv(&kola.Options.BaseName, "basename", "kola", "Cluster name prefix")
 	ss("debug-systemd-unit", []string{}, "full-unit-name.service to enable SYSTEMD_LOG_LEVEL=debug on. Specify multiple times for multiple units.")
diff --git a/kola/harness.go b/kola/harness.go
@@ -79,6 +79,7 @@ var (
 	TestParallelism        int    //glue var to set test parallelism from main
 	TAPFile                string // if not "", write TAP results here
 	TorcxManifestFile      string // torcx manifest to expose to tests, if set
+	LateSelinux            bool   // delay the switching of SELinux to enforce mode
 	DevcontainerURL        string // dev container to expose to tests, if set
 	DevcontainerBinhostURL string // dev container binhost URL to use in the devcontainer test
 	DevcontainerFile       string // dev container path to expose to tests, if set
@@ -574,6 +575,7 @@ func runTest(h *harness.H, t *register.Test, pltfrm string, flight platform.Flig
 		SSHRetries:         Options.SSHRetries,
 		SSHTimeout:         Options.SSHTimeout,
 		DefaultUser:        t.DefaultUser,
+		LateSelinux:        LateSelinux,
 	}
 	c, err := flight.NewCluster(rconf)
 	if err != nil {
diff --git a/kola/register/register.go b/kola/register/register.go
@@ -30,7 +30,7 @@ const (
 	NoSSHKeyInUserData      Flag = iota // don't inject SSH key into Ignition/cloud-config
 	NoSSHKeyInMetadata                  // don't add SSH key to platform metadata
 	NoEmergencyShellCheck               // don't check console output for emergency shell invocation
-	NoEnableSelinux                     // don't enable selinux when starting or rebooting a machine
+	NoEnableSelinux                     // don't enable selinux
 	NoKernelPanicCheck                  // don't check console output for kernel panic
 	NoVerityCorruptionCheck             // don't check console output for verity corruption
 	NoDisableUpdates                    // don't disable usage of the public update server
diff --git a/platform/cluster.go b/platform/cluster.go
@@ -191,6 +191,15 @@ func (bc *BaseCluster) RenderUserData(userdata *conf.UserData, ignitionVars map[
 		conf.CopyKeys(keys)
 	}
 
+	if !bc.rconf.NoEnableSelinux && !bc.rconf.LateSelinux {
+		conf.AddFile("/etc/flatcar/update.conf", "root", `SELINUX=enforcing
+SELINUXTYPE=mcs
+`, 0644)
+		// These files used to be deleted but empty files should work, too
+		conf.AddFile("/etc/audit/rules.d/80-selinux.rules", "root", ``, 0644)
+		conf.AddFile("/etc/audit/rules.d/99-default.rules", "root", ``, 0644)
+	}
+
 	// disable the public update server by default
 	if !bc.rconf.NoDisableUpdates {
 		conf.AddFile("/etc/flatcar/update.conf", "root", `SERVER=disabled
diff --git a/platform/platform.go b/platform/platform.go
@@ -182,6 +182,7 @@ type RuntimeConfig struct {
 	AllowFailedUnits   bool          // don't fail CheckMachine if a systemd unit has failed
 	SSHRetries         int           // see SSHRetries field in Options
 	SSHTimeout         time.Duration // see SSHTimeout field in Options
+	LateSelinux        bool          // see LateSelinux field in Options
 
 	// DefaultUser is the user used for SSH connection, it will be created via Ignition when possible.
 	DefaultUser string
diff --git a/platform/util.go b/platform/util.go
@@ -129,7 +129,7 @@ func StartMachine(m Machine, j *Journal) error {
 	if err := CheckMachine(context.TODO(), m); err != nil {
 		return fmt.Errorf("machine %q failed basic checks: %v", m.ID(), err)
 	}
-	if !m.RuntimeConf().NoEnableSelinux {
+	if !m.RuntimeConf().NoEnableSelinux && m.RuntimeConf().LateSelinux {
 		if err := EnableSelinux(m); err != nil {
 			return fmt.Errorf("machine %q failed to enable selinux: %v", m.ID(), err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ func StartMachine(m Machine, j *Journal) error {`
`129`	`129`	`if err := CheckMachine(context.TODO(), m); err != nil {`
`130`	`130`	`return fmt.Errorf("machine %q failed basic checks: %v", m.ID(), err)`
`131`	`131`	`}`
`132`		`- if !m.RuntimeConf().NoEnableSelinux {`
	`132`	`+ if !m.RuntimeConf().NoEnableSelinux && m.RuntimeConf().LateSelinux {`
`133`	`133`	`if err := EnableSelinux(m); err != nil {`
`134`	`134`	`return fmt.Errorf("machine %q failed to enable selinux: %v", m.ID(), err)`
`135`	`135`	`}`