Set secontext for bind volumes in selinux enabled distros

hasan4791 · hasan4791 · commit 83ca1f3dc9af · 2023-10-24T19:00:05.000+05:30
Fixes #1882 Signed-off-by: T K Chandra Hasan <t.k.chandra.hasan@ibm.com>
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -405,6 +405,12 @@ jobs:
     name: "vz"
     runs-on: macos-13
     timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        template:
+        - templates/experimental/vz.yaml
+        - hack/test-templates/test-vz-fedora.yaml
     steps:
     - uses: actions/checkout@v4
       with:
@@ -425,4 +431,4 @@ jobs:
     - name: Install test dependencies
       run: brew install qemu bash coreutils
     - name: Test
-      run: ./hack/test-templates.sh templates/experimental/vz.yaml
+      run: ./hack/test-templates.sh ${{ matrix.template }}
diff --git a/hack/test-mount-home.sh b/hack/test-mount-home.sh
@@ -24,3 +24,42 @@ if [ "$got" != "$expected" ]; then
 	ERROR "Home directory is not shared?"
 	exit 1
 fi
+
+if [ "${NAME}" == "test-vz-fedora" ]; then
+	INFO "Testing secontext is set for rosetta mounts"
+	expected="context=system_u:object_r:container_file_t:s0"
+	got=$(limactl shell "$NAME" mount | grep "rosetta" | awk '{print $6}')
+	INFO "secontext rosetta: expected=${expected}, got=${got}"
+	if [[ $got != *$expected* ]]; then
+		ERROR "Secontext for rosetta mount is not set or Invalid"
+		exit 1
+	fi
+	INFO "Testing secontext is set for bind mounts"
+	INFO "Checking in mounts"
+	got=$(limactl shell "$NAME" mount | grep "$HOME" | awk '{print $6}')
+	INFO "secontext ${HOME}: expected=${expected}, got=${got}"
+	if [[ $got != *$expected* ]]; then
+		ERROR "Secontext for \"$HOME\" dir is not set or Invalid"
+		exit 1
+	fi
+	got=$(limactl shell "$NAME" mount | grep "/tmp/lima" | awk '{print $6}')
+	INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
+	if [[ $got != *$expected* ]]; then
+		ERROR 'Secontext for "/tmp/lima" dir is not set or Invalid'
+		exit 1
+	fi
+	INFO "Checking in fstab file"
+	expected='context="system_u:object_r:container_file_t:s0"'
+	got=$(limactl shell "$NAME" cat /etc/fstab | grep "$HOME" | awk '{print $4}')
+	INFO "secontext ${HOME}: expected=${expected}, got=${got}"
+	if [[ $got != *$expected* ]]; then
+		ERROR "Secontext for \"$HOME\" dir is not set or Invalid"
+		exit 1
+	fi
+	got=$(limactl shell "$NAME" cat /etc/fstab | grep "/tmp/lima" | awk '{print $4}')
+	INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
+	if [[ $got != *$expected* ]]; then
+		ERROR 'Secontext for "/tmp/lima" dir is not set or Invalid'
+		exit 1
+	fi
+fi
diff --git a/hack/test-templates.sh b/hack/test-templates.sh
@@ -67,6 +67,10 @@ case "$NAME" in
 "docker")
 	CONTAINER_ENGINE="docker"
 	;;
+"test-vz-fedora")
+	WARNING "Relaxing systemd tests for fedora (For avoiding CI failure)"
+	CHECKS["systemd-strict"]=
+	;;
 esac
 
 if limactl ls -q | grep -q "$NAME"; then
diff --git a/hack/test-templates/test-vz-fedora.yaml b/hack/test-templates/test-vz-fedora.yaml
@@ -0,0 +1,29 @@
+# A template to run ubuntu using vmType: vz instead of qemu (Default)
+# This template requires Lima v0.14.0 or later and macOS 13.
+vmType: "vz"
+rosetta:
+  # Enable Rosetta for Linux.
+  # Hint: try `softwareupdate --install-rosetta` if Lima gets stuck at `Installing rosetta...`
+  enabled: true
+  # Register rosetta to /proc/sys/fs/binfmt_misc
+  binfmt: true
+
+# Note: On Intel Mac, macOS >= 13.5 is required to boot kernel v6.2 (used by Ubuntu 23.04, Fedora 38, etc.) with vz.
+# https://github.com/lima-vm/lima/issues/1577
+images:
+- location: "https://download.fedoraproject.org/pub/fedora/linux/releases/38/Cloud/x86_64/images/Fedora-Cloud-Base-38-1.6.x86_64.qcow2"
+  arch: "x86_64"
+  digest: "sha256:d334670401ff3d5b4129fcc662cf64f5a6e568228af59076cc449a4945318482"
+- location: "https://download.fedoraproject.org/pub/fedora/linux/releases/38/Cloud/aarch64/images/Fedora-Cloud-Base-38-1.6.aarch64.qcow2"
+  arch: "aarch64"
+  digest: "sha256:ad71d22104a16e4f9efa93e61e8c7bce28de693f59c802586abbe85e9db55a65"
+
+mounts:
+- location: "~"
+- location: "/tmp/lima"
+  writable: true
+mountType: "virtiofs"
+
+networks:
+# The "vzNAT" IP address is accessible from the host, but not from other guests.
+- vzNAT: true
diff --git a/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh b/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eux -o pipefail
+
+# Check if mount type is virtiofs and vm type as vz
+if ! [[ ${LIMA_CIDATA_VMTYPE} == "vz" && ${LIMA_CIDATA_MOUNTTYPE} == "virtiofs" ]]; then
+	exit 0
+fi
+
+# Update fstab entries and unmount/remount the volumes with secontext options
+# when selinux is enabled in kernel
+if [ -d /sys/fs/selinux ]; then
+	# shellcheck disable=SC2013
+	for line in $(grep -n virtiofs </etc/fstab | cut -d':' -f1); do
+		OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
+		if [[ ${OPTIONS} != *"context"* ]]; then
+			sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:container_file_t:s0\"/g" /etc/fstab
+			TAG=$(awk -v line="$line" 'NR==line {print $1}' /etc/fstab)
+			MOUNT_POINT=$(awk -v line="$line" 'NR==line {print $2}' /etc/fstab)
+			OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
+			umount "${TAG}"
+			mount -t virtiofs "${TAG}" "${MOUNT_POINT}" -o "${OPTIONS}"
+		fi
+	done
+fi
