Adds a systemd unit to load custom SELinux rules in SCOS

This commit implements a systemd unit to apply custom SELinux modules in SCOS shipped as CILs in the read-only /usr/lib/okd/selinux/ folder. Refers openshift#1555
aleskandro · Jul 18, 2024 · a19f1b3 · a19f1b3
1 parent 0ef712a
commit a19f1b3
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 0 deletions.
diff --git a/overlay.d/50scos/usr/lib/okd/selinux/.keep b/overlay.d/50scos/usr/lib/okd/selinux/.keep
diff --git a/overlay.d/50scos/usr/lib/systemd/system-presets/50-scos.preset b/overlay.d/50scos/usr/lib/systemd/system-presets/50-scos.preset
@@ -0,0 +1 @@
+enable okd-selinux.service
diff --git a/overlay.d/50scos/usr/lib/systemd/system/okd-selinux.service b/overlay.d/50scos/usr/lib/systemd/system/okd-selinux.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Apply custom SELinux policies in /usr/lib/okd/selinux/*.cil
+Documentation=
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/find /usr/lib/okd/selinux -type f -name '*.cil' -exec /usr/sbin/semodule -i {} \;
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/overrides-c9s.yaml b/overrides-c9s.yaml
@@ -8,3 +8,6 @@
 #  - c9s-appstream-mirror
 
 #packages:
+
+ostree-layers:
+  - overlay/50scos