@fergusean
Forked from icedream/README.md
Last active November 8, 2020 22:30
Adjusting SELinux to change SSH port in Fedora CoreOS

See coreos/fedora-coreos-tracker#396 (comment) for a bit of explanation.

Warning: The script will trigger warning messages in the systemd journal log that look like this:

```
systemd[1]: sshd.service: Found left-over process 4270 (conmon) in control group while starting unit. Ignoring.
systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
```

This is probably a side effect of the script booting up podman containers to run semanage. I don't know how to get rid of this properly, if it's possible at all, but I think this can be ignored for now.

The SSH daemon can take quite a while to start the first time, because the semanage container image has to be built once.

```yaml
variant: fcos
version: 1.0.0
# …
storage:
  files:
    # SELinux fix script
    - path: /usr/local/bin/sshd_fix_selinux
      mode: 0744
      contents:
        inline: |
          #!/bin/bash -e
          # This script runs right before the SSH server boots up via systemd.
          # It is required to be run when on Fedora CoreOS and changing the port SSH is listening on.
          #
          # The script builds a Fedora image with semanage installed (if already built it will not build again).
          # After that it will run semanage to update which ports SSH is allowed to listen on.
          #
          # Suggested path of this script: /usr/local/bin/sshd_fix_selinux
          #
          # Author: Carl Kittelberger <icedream@icedream.pw>

          # Just used to get a guaranteed empty Docker context dir
          empty_dir="$(mktemp -d)"
          dockerfile="$(mktemp)"

          cleanup() {
            if [ -d "$empty_dir" ]; then
              rm -rf "$empty_dir"
            fi
            if [ -f "$dockerfile" ]; then
              rm -f "$dockerfile"
            fi
          }
          trap cleanup EXIT

          # NOTE - not sure if policycoreutils-devel is necessary here, didn't test it with it removed
          cat >"$dockerfile" <<DEOF
          FROM fedora
          RUN yum install -y policycoreutils-python-utils policycoreutils-devel && yum clean all
          DEOF
          image_name="$(podman build -f "$dockerfile" "$empty_dir" | tail -n1)"

          # Run semanage from the container against the host's SELinux policy store.
          # /proc is deliberately not mounted: it fails to mount into the container and
          # semanage works without it (see the comment at the bottom of this page).
          secontainer() {
            podman run --privileged --rm \
              -v /var/run:/var/run \
              -v /etc/selinux:/etc/selinux \
              -v /sys:/sys \
              "$image_name" "$@"
          }

          # Delete any old custom SSH port rules
          secontainer semanage port -D -t ssh_port_t -p tcp || true

          # Read SSH port straight from the sshd_config, default to 22.
          ssh_port="$(grep -Po '^\s*Port\s+\K\d+' /etc/ssh/sshd_config || printf '%s' 22)"
          secontainer semanage port -a -t ssh_port_t -p tcp "$ssh_port"
systemd:
  units:
    - name: sshd.service
      enabled: true
      dropins:
        # Run SELinux fix script before SSH daemon starts up
        - name: 00-sshd-fix-selinux.conf
          contents: |
            [Service]
            ExecStartPre=/usr/local/bin/sshd_fix_selinux
```
00-sshd-fix-selinux.conf

```ini
[Service]
ExecStartPre=/usr/local/bin/sshd_fix_selinux
```
sshd_fix_selinux

```bash
#!/bin/bash -e
# This script runs right before the SSH server boots up via systemd.
# It is required to be run when on Fedora CoreOS and changing the port SSH is listening on.
#
# The script builds a Fedora image with semanage installed (if already built it will not build again).
# After that it will run semanage to update which ports SSH is allowed to listen on.
#
# Suggested path of this script: /usr/local/bin/sshd_fix_selinux
#
# Author: Carl Kittelberger <icedream@icedream.pw>

# Just used to get a guaranteed empty Docker context dir
empty_dir="$(mktemp -d)"
dockerfile="$(mktemp)"

cleanup() {
  if [ -d "$empty_dir" ]; then
    rm -rf "$empty_dir"
  fi
  if [ -f "$dockerfile" ]; then
    rm -f "$dockerfile"
  fi
}
trap cleanup EXIT

# NOTE - not sure if policycoreutils-devel is necessary here, didn't test it with it removed
cat >"$dockerfile" <<DEOF
FROM fedora
RUN yum install -y policycoreutils-python-utils policycoreutils-devel && yum clean all
DEOF
image_name="$(podman build -f "$dockerfile" "$empty_dir" -t secontainer | tail -n1)"

# Run semanage from the container against the host's SELinux policy store.
# /proc is not mounted: it fails to mount into the container and semanage does not need it.
secontainer() {
  podman run --privileged --rm \
    -v /var/run:/var/run \
    -v /etc/selinux:/etc/selinux \
    -v /sys:/sys \
    "$image_name" "$@"
}

# Delete any old custom SSH port rules
secontainer semanage port -D -t ssh_port_t -p tcp || true

# Read SSH port straight from the sshd_config, default to 22.
ssh_port="$(grep -Po '^\s*Port\s+\K\d+' /etc/ssh/sshd_config || printf '%s' 22)"
secontainer semanage port -a -t ssh_port_t -p tcp "$ssh_port"
```
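The script above reads a single `Port` value with one grep and re-adds the label unconditionally. As an added example (not part of the gist), the shell functions below extract every `Port` directive from an sshd_config, skipping comments and `Match` blocks, and compare them against `semanage port -l` output so that ports still lacking the `ssh_port_t` tcp label can be reported before sshd starts; the sample config and semanage output are constructed, not captured from a host.

```bash
#!/bin/bash
# Constructed sample inputs (not captured from a real host).
SAMPLE_SSHD_CONFIG='# Port 22
Port 2222
Port 2223
Match User backup
    X11Forwarding no'
SAMPLE_SEMANAGE_PORTS='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Print the ports sshd listens on, one per line, from sshd_config text on stdin.
# Handles several Port lines, skips comments and Match blocks, defaults to 22.
sshd_ports() {
    local ports
    ports="$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == "port" { print $2 }')"
    printf '%s\n' "${ports:-22}"
}

# From `semanage port -l` text on stdin, print each tcp port or a-b range labelled ssh_port_t.
ssh_port_t_tcp() {
    awk '$1 == "ssh_port_t" && $2 == "tcp" { for (i = 3; i <= NF; i++) print $i }' | tr -d ','
}

# Exit 0 if PORT falls inside any entry (single port or a-b range) read from stdin.
port_is_labelled() {
    local port="$1" entry lo hi
    while read -r entry; do
        lo="${entry%-*}"; hi="${entry#*-}"
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Print, space-separated, every configured port that lacks the ssh_port_t tcp label.
# Arguments: sshd_config text, `semanage port -l` text.
unlabelled_ports() {
    local cfg="$1" sem="$2" p out=""
    for p in $(printf '%s\n' "$cfg" | sshd_ports); do
        if ! printf '%s\n' "$sem" | ssh_port_t_tcp | port_is_labelled "$p"; then
            out="$out $p"
        fi
    done
    printf '%s\n' "${out# }"
}

unlabelled_ports "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SEMANAGE_PORTS"   # prints "2222 2223"
```

On a real host, feed it `cat /etc/ssh/sshd_config` and the output of `secontainer semanage port -l` instead of the constructed samples.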
@fergusean (Author)

/proc did not want to mount into the container, yielding the error:

```
set process label: open /proc/self/task/1/attr/exec: no such file or directory
```

Testing revealed /proc is not necessary for successfully executing the semanage commands.
