opt out of SELinux module compilation

[tsabirgaliev]

We need a way to opt out of SELinux module additions, because recent versions of selinux-policy package come with relevant fixes and booleans and may eventually supersede all the selinux tweaks in the role. See [0].

The most robust way (that I know of) to detect for presence of relevant selinux permissions requires installing setools-console package and using sesearch:

> sesearch -A -s keepalived_t -t keepalived_t -c icmp_socket
allow keepalived_t keepalived_t:icmp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };

A good though indirect way to detect is to check for a minimal selinux-policy package version:

> dnf info --installed selinux-policy
Installed Packages
Name         : selinux-policy
Version      : 3.14.3
Release      : 104.el8
...

[0] https://github.com/fedora-selinux/selinux-policy/commits/rawhide/policy/modules/contrib/keepalived.te

[evrardjp]

I would be okay to make this completely optional, but I am also curious about your opinion on whether this can be completely removed from the role (and maybe moved to a doc item?). WDYT @tsabirgaliev @major @noonedeadpunk ?

[evrardjp]

Side note, to not run this part of the role, you only need to define this in your variables:
keepalived_selinux_compile_rules: []

[tsabirgaliev]

@evrardjp yep, that works, found it yesterday, just didn't yet have time to mention it here.

[tsabirgaliev]

@evrardjp I think a good compromise would be having to enable each selinux tweak explicitly and documenting it in readme. In other words, making selinux explicily opt-in feature.

[tsabirgaliev]

Another argument for making selinux optional is that haproxy rules are already not compiled by default. I completely can relate to efforts to make selinux easier to end-users, but unfortunately this made it harder for ansible-unsavvy me to figure out how to opt out :) Also I recognize there is no 'right' place to put cross-package concerns like keepalived+haproxy, so I think this role is a good place to host them keeping them optional.

[evrardjp]

@tsabirgaliev , well, interestingly enough, other contributors are in need of this coordination for HA.
As integration between roles is done in collections (which allow the sharing of playbooks), it is one more reason to expose this role under a collection, and start to regroup roles. See also conversation in #219 .

I am okay to move from opt-out to opt-in.

@major if you have some time to spare, it would be great to know (if you remember) why we made this opt-out in the first place. I can't remember myself.

[noonedeadpunk]

Well, my first thought there was also, that we can drop selinux and it can be managed externaly. But then I realized, that I have no idea when mentioned selinux rules will be installed on any CentOS Stream or things like Rocky Linux.

As of today I don't see such changes for CentOS packaging [1]. Also, all rules are being installed in 100 folder, while we're using 400, so it's highly unlikely to overlap (being dropped with selinux-policy package update).

What we can do indeed, is to create variable, like keepalived_manage_selinux_rules and replace this condition [2] to keepalived_manage_selinux_rules | bool

[1] https://centos.pkgs.org/9-stream/centos-baseos-x86_64/selinux-policy-targeted-34.1.37-1.el9.noarch.rpm.html
[2]

ansible-keepalived/tasks/main.yml

Line 31 in ebbeac6

- keepalived_selinux_compile_rules | length > 0

[evrardjp]

For me, the way to override the variable doesn't matter much, what matters is that we define what's the good way forward: Should this part of the code be removed, opt-in, or opt-out?

That's why I would like the advice of @major :)

[major]

This was a long long time ago, but I remember adding the extra SELinux rules there because the upstream package was missing some rules that we needed. If those fixes are now available in the regular selinux-policy packages, then these extra rules in this role could likely be dropped or made opt-in.

Perhaps the logic could be something like this:

1. Check to see if the new SELinux policy booleans are available (if so, set them automatically to make keepalived work)
2. If the new booleans are not available, stick with the old method of compiling the custom SELinux rules

[evrardjp]

Thanks @major ! Not really sure what new SELinux policy booleans means though. At least we tried to use both our memories :)

I assume this means that I will eventually use https://docs.ansible.com/ansible/latest/collections/ansible/posix/seboolean_module.html , but outside that, it's not clear yet.

[major]

So SELinux booleans are basically switches for SELinux where you can turn a feature off or on, or allow something to happen on the system without SELinux getting in the way. For example:

❯ getsebool samba_enable_home_dirs   
samba_enable_home_dirs --> off

This allows you to toggle a boolean on and off that allows Samba to share content in users' home directories. Someone wrote the policy such that it can be turned on or off easily with a boolean. No knowledge of writing SELinux policy is required.

These booleans (and the associated SELinux policy) didn't exist before for keepalived. If they exist now, then we don't need the custom policies compiled any longer and you can just flip those booleans on or off. 😉

[evrardjp]

So you meant that some keepalived selinux booleans could exist now, and an investigation has to be made to leverage them.
I think I got it :)

Thanks @major !

[major]

From a quick glance, it doesn't look like there are any new booleans in there for keepalived right now: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/keepalived.te#L8-L14

[evrardjp]

Wow thanks for that link.

I think it helps me take a decision.

From what I can see in that policy, the second part of the current opt-out list of policies to compile seems taken care of (See https://github.com/evrardjp/ansible-keepalived/blob/eb1bc4dbcd52602a3337cc7fd7aa1fb85d57495a/files/keepalived_setpgid.te vs https://github.com/fedora-selinux/selinux-policy/blob/f105dbd547a8f2f63d3695edbe4eb2062d4251c6/policy/modules/contrib/keepalived.te#L41 ).

The first one of that list is just a convenience.
So, I don't think those makes sense to opt-out anymore.

So unless I am really wrong (as I don't understand anything I am doing there!), let's make this opt-in and remove the setpgid one.

Thanks everyone involved.

[tsabirgaliev]

Wow thanks for that link.

@evrardjp Yep, that is the same link I attached to the original post :)

And the updated rules also allow keepalived to open ICMP sockets, I'm not sure if this transitively allows to execute ping, but anyway, keepalived is allowed to execute any script residing in /usr/libexec/keepalived/.

So IMO the best advice for RHEL-fork users would be to update selinux-policy package and follow RHEL best practices for keepalived

I think it helps me take a decision.

From what I can see in that policy, the second part of the current opt-out list of policies to compile seems taken care of (See https://github.com/evrardjp/ansible-keepalived/blob/eb1bc4dbcd52602a3337cc7fd7aa1fb85d57495a/files/keepalived_setpgid.te vs https://github.com/fedora-selinux/selinux-policy/blob/f105dbd547a8f2f63d3695edbe4eb2062d4251c6/policy/modules/contrib/keepalived.te#L41 ).

The first one of that list is just a convenience. So, I don't think those makes sense to opt-out anymore.

So unless I am really wrong (as I don't understand anything I am doing there!), let's make this opt-in and remove the setpgid one.

Thanks everyone involved.

[noonedeadpunk]

Just to repeat what I already said - these rules are part of Fedora only and they do not exist even for CentOS 9 Stream, so imo - you still should be careful with that.

Also isn't RHEL technically fork of Fedora? So if you're using bleeding edge, it doesn't really mean that systems designed for production usage should struggle because of that. But it's completely different topic:)

[tsabirgaliev]

@major @evrardjp the only seboolean related to keepalived is keepalived_connect_any and it is off by default, and it only guards against arbitrary connections from keepalived process. All the other permissions are on by default and don't depend on value of a boolean.

[tsabirgaliev]

Just to repeat what I already said - these rules are part of Fedora only and they do not exist even for CentOS 9 Stream, so imo - you still should be careful with that.

@noonedeadpunk what specific rule you don't have on CentOS? In the issue description I use sesearch on CentOS 8 Stream to demonstrate that the relevant rules are there. For example, setpgid is there:

[root@localhost ~]# sesearch -A -s keepalived_t -t keepalived_t -p setpgid
allow keepalived_t keepalived_t:process { fork getcap getpgid getsched setpgid setsched sigchld sigkill signal signull sigstop };

BTW, probably you are looking the wrong place for package updates. The package you need is this one: https://centos.pkgs.org/8-stream/centos-baseos-x86_64/selinux-policy-3.14.3-105.el8.noarch.rpm.html

And that package changelog includes the latest change to https://github.com/fedora-selinux/selinux-policy/commits/rawhide/policy/modules/contrib/keepalived.te:

[Allow keepalived read the contents of the sysfs filesystem](https://github.com/fedora-selinux/selinux-policy/commit/f8f11f18a9473614c47b0a35d27f5be11c954e5b)

Also isn't RHEL technically fork of Fedora? So if you're using bleeding edge, it doesn't really mean that systems designed for production usage should struggle because of that. But it's completely different topic:)

Rocky Linux 8, which actually lags behind RHEL8 also includes the latest changes from fedora-selinux/selinux-policy https://rockylinux.pkgs.org/8/rockylinux-baseos-x86_64/selinux-policy-3.14.3-95.el8_6.1.noarch.rpm.html

While I agree that this is not generally the rule, the selinux-policy package is somewhat an exception that it runs very close to the upstream package and the changes are quickly backported to RHEL and all the other forks

[tsabirgaliev]

Also isn't RHEL technically fork of Fedora? So if you're using bleeding edge, it doesn't really mean that systems designed for production usage should struggle because of that. But it's completely different topic:)

Rocky Linux 8, which actually lags behind RHEL8 also includes the latest changes from fedora-selinux/selinux-policy https://rockylinux.pkgs.org/8/rockylinux-baseos-x86_64/selinux-policy-3.14.3-95.el8_6.1.noarch.rpm.html

While I agree that this is not generally the rule, the selinux-policy package is somewhat an exception that it runs very close to the upstream package and the changes are quickly backported to RHEL and all the other forks

@noonedeadpunk I'm sorry, I was wrong about this one. The latest change included in RHEL is this one:

[Support new PING_CHECK health checker in keepalived](https://github.com/fedora-selinux/selinux-policy/commit/7227b5235753ba63c4f0d2aa023368da4349d6c9) …

[noonedeadpunk]

Ah, ok then, I haven't checked content today, so it's good that it has been backported and now available almost everywhere

[evrardjp]

It matches what I have seen on my side.