From 8e66ce4a70d5c89c775bf6d857c51e3c3d1fc95e Mon Sep 17 00:00:00 2001
From: Niklas Sombert
Date: Thu, 12 Dec 2024 14:30:23 +0100
Subject: [PATCH] Add support for SELinux systems
---
 lib/functions.sh | 26 ++++++++++++++++++++++++++
 lib/install-bridgehead.sh | 1 +
 minimal/docker-compose.yml | 3 +++
 minimal/modules/dnpm-compose.yml | 12 ++++--------
 4 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/lib/functions.sh b/lib/functions.sh
index 3fcae384..34ab88a7 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -36,6 +36,32 @@ setupProxy() {
 export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL
 }
 
+checkAndSetSelinux() {
+ # This is needed for the systemd service to start on SELinux systems.
+ if ! command -v sestatus > /dev/null 2>&1; then
+ echo "SELinux not available; nothing to do"
+ return
+ fi
+ if ! sestatus | grep "SELinux status:" | grep enabled > /dev/null; then
+ echo "SELinux disabled; nothing to do"
+ return
+ fi
+ current_mode="$(sestatus | grep 'Current mode:' | tr -s ' ' | cut -d' ' -f 3)"
+ echo "SELinux is active and ${current_mode}, checking for labels..."
+ # TODO: perhaps split this into checkSelinux (without the need for root) and setSelinux (needing root)
+ # "stat /srv/docker/bridgehead/bridgehead --printf %C" could be used for a check that doesn't need root
+ exitIfNotRoot
+ labels_for_srv="$(semanage fcontext --list | grep -e ^/srv)"
+ echo "Found the following labels for /srv:"
+ echo "${labels_for_srv}"
+ if ! echo "${labels_for_srv}" | grep -e ^/srv/docker/bridgehead/bridgehead > /dev/null; then
+ echo "Adding a label for /srv/docker/bridgehead/bridgehead..."
+ semanage fcontext --add --type bin_t /srv/docker/bridgehead/bridgehead
+ fi
+ restorecon -v /srv/docker/bridgehead/bridgehead # this survives a reboot
+ # TODO: check if this survives updates
+}
+
 exitIfNotRoot() {
 if [ "$EUID" -ne 0 ]; then
 log "ERROR" "Please run as root"
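Review bot: `labels_for_srv="$(semanage fcontext --list | grep -e ^/srv)"` in checkAndSetSelinux assumes semanage is present, but only sestatus is probed at the top of the function; on RHEL-family hosts semanage ships in a separate package (policycoreutils-python-utils), so an enforcing host without it gets an empty label list and then fails again at `semanage fcontext --add`. Add `command -v semanage > /dev/null 2>&1 || { log "ERROR" "semanage not found; install policycoreutils-python-utils"; return 1; }` before the first semanage call so the failure is reported instead of surfacing as a confusing service start error. The presence check `grep -e ^/srv/docker/bridgehead/bridgehead` is only a prefix match, so an existing entry with a different type (or a longer path under the same prefix) silently skips the bin_t rule and the unit still cannot start; matching the type as well, e.g. `grep -E '^/srv/docker/bridgehead/bridgehead\b.*:bin_t:'`, makes the skip decision explicit. `current_mode` and `labels_for_srv` are assigned without `local` and leak into the caller's shell.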
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 38c38749..135cb06f 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -3,6 +3,7 @@
 source lib/functions.sh
 
 exitIfNotRoot
+checkAndSetSelinux
 
 if [ $# -eq 0 ]; then
 log "ERROR" "Please provide a Project as argument"
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
index 159276a8..c75e5de2 100644
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -25,6 +25,9 @@ services:
 ports:
 - 80:80
 - 443:443
+ security_opt:
+ # allow access to the docker socket on systems with SELinux
+ - "label:type:container_runtime_t"
 volumes:
 - /etc/bridgehead/traefik-tls:/certs:ro
 - ../lib/traefik-configuration/:/configuration:ro
diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
index 1c9a36aa..962f19e4 100644
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -12,13 +12,13 @@ services:
 ALL_PROXY: http://forward_proxy:3128
 TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
 ROOTCERT_FILE: ./conf/root.crt.pem
- secrets:
- - proxy.pem
 depends_on:
 - "forward_proxy"
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+ - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro,Z
+ # secrets don't seem to allow us to specify Z
+ - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro,Z
 
 dnpm-beam-connect:
 depends_on: [ dnpm-beam-proxy ]
@@ -41,7 +41,7 @@ services:
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
- - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+ - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro,Z
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
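Review bot: `checkAndSetSelinux` is called before the `$#` argument check, so an invocation with no project argument already adds an fcontext rule and relabels /srv/docker/bridgehead/bridgehead on the host before the script rejects the call; moving the call below the argument validation (the `fi` closing that check lies outside the hunk) keeps a usage error free of host-side side effects. Since `exitIfNotRoot` runs on the line just above, the root check repeated inside checkAndSetSelinux is redundant here, which is harmless but worth a short comment so nobody drops the outer call later.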
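Review bot: `label:type:container_runtime_t` places the traefik container in the SELinux domain of the container engine itself, which is much broader than "access to the docker socket" as the added comment says; together with the socket mount (outside this hunk) traefik becomes a fully trusted container from SELinux's point of view. The comment should state that consequence, e.g. `# runs traefik in the engine's own SELinux domain (container_runtime_t) so it can talk to the docker socket; this removes most SELinux confinement for this service`, so the trade-off is visible to whoever audits the compose file. If tighter confinement is wanted later, fronting the socket with an API proxy that exposes only the read endpoints traefik's docker provider needs is the usual mitigation.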
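Review bot: `:ro,Z` on `/etc/bridgehead/pki/${SITE_ID}.priv.pem` and on `/srv/docker/bridgehead/ccp/root.crt.pem` relabels the host files with an MCS category private to this one container, and the same applies to `dnpm-central-targets.json` in the second hunk; if any other container (a beam proxy in another module, say) mounts the same key or root certificate, whichever container starts last owns the label and the other is denied access, and the host file's original type is changed persistently. For files shared between containers the shared relabel is the right flag, `- /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro,z`, or the source directories can be labelled once with semanage the way checkAndSetSelinux does for the binary instead of relabelling per mount. A comment noting that the private key's SELinux type on the host changes as a result would save the next reader a surprise during a host-side audit.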
@@ -53,7 +53,3 @@ services:
 dnpm-echo:
 image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
 container_name: bridgehead-dnpm-echo
-
-secrets:
- proxy.pem:
- file: /etc/bridgehead/pki/${SITE_ID}.priv.pem