Modify SELinux context of MPS pipe directory

[elezar]

No description provided.

[elezar]

/cc @empovit

[empovit]

It's a one-time initialization step, isn't it? I'm wondering if it's possible that a user sets SELinux to permissive (e.g. for debugging), installs the driver, and then changes SELinux back to enforcing. Won't it be safer to rely on selinux.GetEnabled() or selinux.DefaultEnforceMode()?

[empovit]

I've just tested chcon on a system with SELinux disabled, and it works. I guess it won't have any effect, but won't fail either.

[elezar]

I'm happy to switch to GetEnabled() if we think that's cleaner.

It's a one-time initialization step, isn't it?

This step is only run as the MPS daemon container is started -- or if the configuration changes. What is the expected behaviour if a user changes the SELinux mode?

[elezar]

Just to clarify, EnforceMode contains the logic to extract the CURRENT mode.

// enforceMode returns the current SELinux mode Enforcing, Permissive, Disabled
func enforceMode() int {
	var enforce int

	enforceB, err := os.ReadFile(selinuxEnforcePath())
	if err != nil {
		return -1
	}
	enforce, err = strconv.Atoi(string(enforceB))
	if err != nil {
		return -1
	}
	return enforce
}

Whereas GetEnabled() checks whether SELinux is available at all -- regardless of the enforcing mode.

[empovit]

Right, so in the enforcing mode the new type will do the tick, in the permissive mode everything is permitted anyway, so changing the type won't have any effect. Unless the mode is switched back to enforcing, in which case the type will already be set to the right one.

The only reason we may need GetEnable() is to avoid errors when trying to change the type on a system that doesn't run SELinux, IMO.

[empovit]

Actually, it looks like enabling/disabling SELinux or changing the mode (enforcing/permissive) requires rebooting the node anyway. So the type will be applied whenever needed in any case.

[empovit]

LGTM