Add support for SELinux systems

samply · Jan 21, 2025 · 50ee540 · 50ee540
1 parent 0eff362
commit 50ee540
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 8 deletions.
diff --git a/lib/functions.sh b/lib/functions.sh
@@ -36,6 +36,32 @@ setupProxy() {
 	export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL
 }
 
+checkAndSetSelinux() {
+	# This is needed for the systemd service to start on SELinux systems.
+	if ! command -v sestatus > /dev/null 2>&1; then
+	 	echo "SELinux not available; nothing to do"
+	 	return
+	fi
+	if ! sestatus | grep "SELinux status:" | grep enabled > /dev/null; then
+		echo "SELinux disabled; nothing to do"
+		return
+	fi
+	current_mode="$(sestatus | grep 'Current mode:' | tr -s ' ' | cut -d' ' -f 3)"
+	echo "SELinux is active and ${current_mode}, checking for labels..."
+	# TODO: perhaps split this into checkSelinux (without the need for root) and setSelinux (needing root)
+	# "stat /srv/docker/bridgehead/bridgehead --printf %C" could be used for a check that doesn't need root
+	exitIfNotRoot
+	labels_for_srv="$(semanage fcontext --list | grep -e ^/srv)"
+	echo "Found the following labels for /srv:"
+	echo "${labels_for_srv}"
+	if ! echo "${labels_for_srv}" | grep -e ^/srv/docker/bridgehead/bridgehead > /dev/null; then
+		echo "Adding a label for /srv/docker/bridgehead/bridgehead..."
+		semanage fcontext --add --type bin_t /srv/docker/bridgehead/bridgehead
+	fi
+	restorecon -v /srv/docker/bridgehead/bridgehead  # this survives a reboot
+	# TODO: check if this survives updates
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"

diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
@@ -3,6 +3,7 @@
 source lib/functions.sh
 
 exitIfNotRoot
+checkAndSetSelinux
 
 if [ $# -eq 0 ]; then
     log "ERROR" "Please provide a Project as argument"

diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
@@ -25,6 +25,9 @@ services:
     ports:
       - 80:80
       - 443:443
+    security_opt:
+      # allow access to the docker socket on systems with SELinux
+      - "label:type:container_runtime_t"
     volumes:
       - /etc/bridgehead/traefik-tls:/certs:ro
       - ../lib/traefik-configuration/:/configuration:ro

diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
@@ -12,13 +12,13 @@ services:
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
       ROOTCERT_FILE: ./conf/root.crt.pem
-    secrets:
-      - proxy.pem
     depends_on:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro,Z
+      # secrets don't seem to allow us to specify Z
+      - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
@@ -41,7 +41,7 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro,Z
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
@@ -53,7 +53,3 @@ services:
   dnpm-echo:
     image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
     container_name: bridgehead-dnpm-echo
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem