I'm working at a company where we need to distribute our image with SELinux running inside.
The product uses virtualization for additional security, so we have a setup with a Linux host running several qemu-kvm guests. The KVM guests' OS is Debian.
I could install SELinux on the guest by hand, and I was also able to activate SELinux (sestatus verified it was running and the files were correctly auto-labeled).
The next step would then be to make our own modules and roles and set the correct contexts for each process and file in the guest image.
However, what I need is to automate this installation + labeling + configuration process of SELinux during the build. We cannot build a normal image without SELinux and then install SELinux by hand on every machine. We want to pre-configure an image which has everything up and running.
The build process runs inside a Docker image where the KVM guest images will be created and configured.
When I try to install SELinux in the Docker image, GitLab won't build that image due to errors. (I can install SELinux manually in the Docker image on my local machine; however, sestatus says SELinux is disabled, and thus I am not able to let Docker run fixfiles relabel 100% successfully.)
What I have found during my several hours of research so far was only:
- How to label files using an already up-and-running SELinux
- How to make my own modules and use them
- How the whole SELinux concept works
- How to install it by hand (always involving a reboot)
- How to use sVirt to increase safety BETWEEN the host and the guest VMs
What I could NOT find anywhere:
- How to install SELinux in a guest VM image during the build of the image.
More details:
I thought Docker needed SELinux packages or an active SELinux installation running in order to be able to correctly set up SELinux inside the mounted filesystem, which contains all of the files of our software. I'll try to visualize the setup like this:
Docker
-> run build scripts using a mnt directory inside Docker
-> inside the mnt directory, install SELinux, label files, and set up modules and contexts
The mnt directory in this case represents the image of a guest KVM and not of the host.
If anyone has detailed information on how to do this, I would be thankful!
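An added example (not from the question's author) of what such an offline build step can look like as a POSIX shell script: it writes the guest's SELinux config and kernel command line into the mounted tree, installs a module into the guest's policy store, and labels the tree with setfiles -r, falling back to a first-boot /.autorelabel when the build container cannot write security xattrs. It assumes the Debian guest root is mounted at $root with the policy packages already installed into it (e.g. via chroot apt); the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical build helper (not from the post): provision SELinux in a
# Debian guest tree mounted at $root, without booting it.
set -eu

# Write the guest's /etc/selinux/config. Start permissive so a labeling
# mistake shows up as AVC denials on first boot rather than a failed boot.
write_selinux_config() {
    root="$1"; mode="${2:-permissive}"
    mkdir -p "$root/etc/selinux"
    printf 'SELINUX=%s\nSELINUXTYPE=default\n' "$mode" > "$root/etc/selinux/config"
}

# Boot the guest kernel with SELinux as the active LSM. Debian's grub reads
# /etc/default/grub.d/*.cfg; update-grub must still run inside the guest
# (chroot) so the setting reaches the generated grub.cfg.
enable_selinux_cmdline() {
    root="$1"
    mkdir -p "$root/etc/default/grub.d"
    printf 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX security=selinux selinux=1"\n' \
        > "$root/etc/default/grub.d/selinux.cfg"
}

# Install a custom module (.pp) into the guest's policy store without
# loading it into the build host's kernel (-n) by pointing semodule at the
# guest root (-p).
install_guest_module() {
    semodule -n -s default -p "$1" -i "$2"
}

# Label the offline tree with the guest's own file_contexts. "setfiles -r"
# strips $root before matching, so labels equal what the guest sees at boot.
# Writing security.selinux xattrs needs CAP_SYS_ADMIN in the build container
# (docker run --cap-add SYS_ADMIN); otherwise fall back to a first-boot
# relabel by creating /.autorelabel in the guest root.
relabel_offline() {
    root="$1"
    fc="$root/etc/selinux/default/contexts/files/file_contexts"
    if [ -r "$fc" ] && command -v setfiles >/dev/null 2>&1 \
        && setfiles -F -r "$root" "$fc" "$root" 2>/dev/null; then
        echo labeled
    else
        touch "$root/.autorelabel"
        echo autorelabel
    fi
}
```

The first boot should then run in permissive mode and be checked for AVC denials before the config is switched to enforcing in the image.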